This week, for the first time in the eighteen years I have been pushing the point, a national police force has opened a criminal investigation into the deployment of advertising and analytics software onto a person's device without their consent. The case has been classified, under Maltese law, as "Computer Misuse - Unauthorised Access" and assigned a reference on the national police system. The accused is my own health insurer.

I am not going to name them in this piece for two reasons. The investigation has only just begun and I have no interest in compromising it. And the conduct I reported is the conduct of essentially every adtech-instrumented website operating in the European Union today. If I make this about the brand the legal point gets buried, and the legal point is the only reason I am writing.

I want to be blunt about the legal point before I get to the facts because it is the load-bearing piece. Causing software to be installed on a person's terminal equipment without their authorisation, and then executing that software on their equipment without their authorisation, are criminal offences under the law of every European jurisdiction that has properly implemented the Council of Europe Convention on Cybercrime. Both of those acts have been criminal offences the entire time the adtech industry has been doing them. The reason they have not been prosecuted is not that the law does not reach them. The reason is that no police force has, until this week, been willing to open a file.

What I reported

When I visited my insurer's website without interacting with their cookie banner - I clicked nothing, accepted nothing, refused nothing - their consent management platform nonetheless caused its own scripts to be loaded onto my device and executed by my browser, and recorded, in plain text within its own stored state, that no service-level consent had been given. At the very same moment, third-party analytics and advertising scripts loaded through the insurer's tag manager were also deployed onto my device and executed there. Each of those scripts used my computing resources to read information from my device, write identifiers to it and transmit data about me to remote servers. My insurer's own software was therefore documenting the absence of consent at the exact moment other software, deployed by the same insurer, was being installed, executed and operated on my device without it. Their own infrastructure was the witness against them.
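The check described above can be reproduced by anyone against a capture of their own browsing session. The following is an added example, not part of the original post or of any evidence in the case: it walks a HAR-style capture and lists every third-party request sent before a consent event, together with the lifetime of any cookie the response set. The hosts, the sample capture and the `allowed_hosts` parameter are constructed for illustration, and the first-party test is a plain suffix match rather than a Public Suffix List lookup.

```python
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample: a trimmed HAR-style capture of one page load with the
# cookie banner left untouched. Hosts and cookie values are invented.
def _entry(ts, url, set_cookie=None):
    headers = [{"name": "Set-Cookie", "value": set_cookie}] if set_cookie else []
    return {"startedDateTime": "2026-01-01T10:00:" + ts + "+00:00",
            "request": {"url": url}, "response": {"headers": headers}}

SAMPLE_HAR = {"log": {"entries": [
    _entry("00.000", "https://www.insurer.example/", "session=s1; Path=/; HttpOnly"),
    _entry("00.300", "https://cmp.example/loader.js"),
    _entry("00.900", "https://analytics.example/collect?sr=1920x1080",
           "vid=abc123; Max-Age=15552000; Path=/; Secure"),
    _entry("01.200", "https://ads.example/pixel.gif"),
]}}

def is_under(host, domain):
    """True if host is the domain or a subdomain (no Public Suffix List lookup)."""
    return host == domain or host.endswith("." + domain)

def cookie_lifetimes(headers):
    """Return [(cookie_name, lifetime_days or None)] from Set-Cookie headers."""
    out = []
    for h in headers:
        if h["name"].lower() != "set-cookie":
            continue
        parts = [p.strip() for p in h["value"].split(";")]
        attrs = {k.strip().lower(): v for k, v in
                 (p.split("=", 1) for p in parts[1:] if "=" in p)}
        age = attrs.get("max-age", "")
        out.append((parts[0].split("=", 1)[0],
                    int(age) / 86400 if age.isdigit() else None))
    return out

def audit(har, first_party, allowed_hosts=(), consent_at=None):
    """List third-party requests made before consent_at (None = never given)."""
    findings = []
    for e in har["log"]["entries"]:
        host = urlparse(e["request"]["url"]).hostname
        when = datetime.fromisoformat(e["startedDateTime"])
        if is_under(host, first_party) or host in allowed_hosts:
            continue  # first-party, or a host the auditor judged strictly necessary
        if consent_at is not None and when >= consent_at:
            continue  # sent after the recorded consent event
        findings.append({"host": host, "time": e["startedDateTime"],
                         "cookies": cookie_lifetimes(e["response"]["headers"])})
    return findings
```

Calling `audit(SAMPLE_HAR, "insurer.example")` with no `consent_at` models the untouched-banner case: every third-party request is a finding, and the `vid` cookie is reported with a 180-day lifetime.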

The marketing emails are worse. My insurer sent me a series of marketing emails over six months in defiance of an instruction I had given them, in person and in writing, that I did not want marketing. Each of those emails carried remote tracking pixels and remote content that, the moment the email opened, caused my email client to fetch and execute resources from the insurer's servers, accessed information from my device and transmitted it back to the insurer's processor. The links in those emails routed to web pages operated by the insurer's parent company, which deployed and executed further tracking scripts on my device without consent, including a persistent visitor identifier set to live for approximately six months.

I served the insurer with a letter before action on 28 May 2026 which expressly identified the conduct as a criminal breach of Article 337C of the Criminal Code of Malta. They replied on 19 June 2026, rejecting the complaint in its entirety and denying any wrongdoing. They did not stop the conduct. The downstream tracking they route their customers into was recorded still operational on 20 June 2026, after their reply. I lodged the criminal complaint with the Cyber Crime Unit of the Malta Police that week. This week the police came back with the case opened.

Why this is squarely a computer-misuse offence

Article 337C of the Maltese Criminal Code criminalises, in summary, the doing of any of the following on a computer or other equipment without authorisation: gaining access to data or software stored on it; copying, modifying, deleting or destroying data or software stored on it; or installing, configuring or causing to be installed software on it. That provision is the Maltese implementation of Articles 2 to 5 of the Council of Europe Convention on Cybercrime - the Budapest Convention. Every European Union Member State, and dozens of states beyond it, has an equivalent provision on its own books.

The conduct I described engages Article 337C in not one but several distinct ways, on every page load and every email open.

The deployment of the script is one offence. Causing JavaScript to be loaded onto a user's terminal equipment is installation of software on that equipment - the user did not author it, did not request it, did not knowingly receive it and is, in most cases, not even aware that it is there. Where the visitor has not consented, that installation is unauthorised within the meaning of the statute.

The execution of the script is a further offence. Running code on someone else's computer, using their processor cycles, their memory and their network connection, is access to and use of that equipment. Where the user has not consented to that use, it is unauthorised access in the criminal sense and unauthorised use of their computing resources besides. This second point is rarely surfaced in the policy debate but it is squarely within the statute. The user's device is not free infrastructure for the controller to consume. It is the user's equipment. Using it without permission is the offence.

The reads, the writes and the data exfiltration that the executing script then performs are further offences on top of that. The script reading the device's network address, software characteristics, screen size and browser fingerprint, and transmitting them to the controller's processor, is the gaining of access to information stored in terminal equipment - an act the Court of Justice and the legislature have separately confirmed requires consent under Article 5(3) of Directive 2002/58/EC (Planet49, Case C-673/17). The cookies and identifiers the script then writes to the device are unauthorised storage of data on equipment that the user owns.

Each of these is a freestanding act under Article 337C. Each happens, on a typical adtech-instrumented website, dozens of times per page load.

The defence that the writes are "merely cookies" or "merely configuration" is therefore beside the point even before we look at the cookies, and the controller's own consent platform makes it impossible to mount in any event. A "consent" obtained where non-essential software is deployed and executed before any consent is given, and where the controller's own record shows no consent, is no consent in law. Deployment, execution and storage in reliance on that fiction are all unauthorised.

The wilfulness needed to take this beyond inadvertence is, on these facts, established. The insurer received a written notice on 28 May 2026 that expressly characterised the conduct as a criminal breach of Article 337C. They rejected it. They did not stop. Continuation of the conduct after a written notice characterising it as criminal is beyond any reasonable construction of accident or oversight.

Why it has taken eighteen years

I have been making this point since 2008. In that year the Crown Prosecution Service of England and Wales declined to prosecute a deep packet inspection company that had intercepted the communications of millions of British Telecom customers for the purpose of advertising. The CPS told me at the time that the prosecution was not in the public interest. It was not, as far as I am aware, ever in dispute that what had happened was an offence. The same pattern repeated with Google's WiFi sniffing two years later. The position of the United Kingdom authorities then was, in plain terms, that global corporations are free to break the surveillance laws and that the law would not be enforced against them in any meaningful way.

The European regulatory record since has been substantial. The Court of Justice has been clear about consent. Data protection authorities have issued fines, in some cases very significant fines. None of it, on its own, has been enough to stop the practice. The reason is structural. An administrative fine is a tax on a business model that the business has already decided is worth the tax. A criminal investigation, with the potential for personal liability for the officers who authorised or maintained the design, is a category of risk that the adtech ecosystem has been entirely insulated from until this week.

That insulation has now been pierced in one jurisdiction. If the matter is progressed to prosecution it will be, to the best of my knowledge, the first criminal prosecution anywhere in the world of an adtech-driven business for the unauthorised deployment of tracking software to consumer devices. That is the second "first" in this story, and it is in many ways the more important of the two.

What comes next

The criminal complaint asks the Cyber Crime Unit to investigate the corporate defendant and, in addition, to consider the personal liability of any officer or employee who authorised or maintained the design after the letter before action of 28 May put the criminal characterisation of the conduct on the record. It asks the police to coordinate with the Information and Data Protection Commissioner so the criminal and administrative tracks proceed without duplication. It raises an environmental-crime dimension under the recast Environmental Crimes Directive, which deserves its own piece because the calculation deserves to be set out properly.

I will write again when the investigation has moved. In the meantime, the message to every controller still deploying tracking software before the visitor has consented is short and it is direct. Article 337C is on the books. Equivalents are on the books in every jurisdiction that has implemented the Budapest Convention. The reason you have not been prosecuted is not that you have not committed the offence. It is that, until this week, nobody had made the formal request and seen it accepted.

That has now changed, and all of my future complaints combine criminal and civil statutes spanning unauthorised access and use of a computer, environmental impact as a result of unlawful activity, trespass, data protection and privacy (and in this case, as a regulated entity under financial regulations, also the financial ombudsman for deception and misleading information).