Soumyabrata Chakraborty  is a student of Gujarat National Law University, Gandhinagar

Cookies are small text records that a website sets in the user’s browser while the user is browsing. The browser stores them and sends them back with later requests to the same site, so a cookie typically holds an identifier or a few key-value pairs that let the site recognise the user across page loads and visits. That data is then processed by the website visited or by third parties, such as advertisers, to provide a personalised and convenient user experience. In terms of their utility, cookies are useful and often considered harmless; however, they pose serious privacy concerns.

This article seeks to analyse the data privacy concerns posed by internet cookies and how they are sought to be regulated in the European Union. It then analyses how an Indian cookie law can be read into the provisions of the Digital Personal Data Protection Act, 2023 (“DPDPA”) and how it compares to the EU approach. Additionally, the article analyses how the Guidelines for Prevention and Regulation of Dark Patterns, 2023 (“the Guidelines”) can be extended to dark patterns in cookie consent notices.

I. Cookies: Invasive, Yet Useful

A. What information do cookies collect?

Cookies can store enough data to identify the user and build an online profile, hence the privacy concerns. Often the cookie itself carries only an identifier, with the rest of the profile kept on the website’s servers and linked to that identifier; it is the identifier that makes the remaining data attributable to a specific person. The Privacy Notice of Amazon.in lists “Automatic Information” collected by way of cookies, including the location of the device or computer, IP address, login, email address and password. This information can be used to identify user preferences, personalise the user experience and display interest-based advertisements.

B. Classification of cookies

Cookies can be classified by duration, by source or provenance, and by purpose. By duration, “session cookies” are discarded when the browser session ends, while “persistent cookies” carry an expiry date or maximum age and survive until it is reached or the user deletes them. By source or provenance, “first-party cookies” are set by the website the user visits, while “third-party cookies” are set by a different domain whose content (an advertising tag, a tracking pixel, an embedded widget) is loaded into that page. By purpose, “strictly necessary cookies” are essential for the website to function and are generally first-party cookies, while “marketing cookies” track user activity so that advertisers can serve targeted, behavioural advertisements.
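The provenance and duration axes above can be checked mechanically from the Set-Cookie headers a page receives. The following is an added example, not code from the article, that parses such headers and classifies each cookie as first- or third-party and as session, persistent or expired; the hostnames and headers in it are constructed for illustration, and the two-label “site” heuristic is a stated simplification of what a real implementation (which must use the Public Suffix List) would do.

```javascript
// Added example (not part of the article): classify cookies seen in
// Set-Cookie response headers by provenance (first- vs third-party) and
// duration (session vs persistent), the two technical axes the text names.
// Sample headers and hostnames below are constructed for illustration.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq).trim(),
    value: eq === -1 ? pair : pair.slice(eq + 1).trim(),
    attrs: {},
  };
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Approximate the "site" of a host as its last two labels. This is a
// deliberate simplification: real code must use the Public Suffix List
// so that e.g. a.co.uk and b.co.uk are not treated as one site.
function siteOf(host) {
  return host.toLowerCase().replace(/^\./, '').split('.').slice(-2).join('.');
}

// Provenance is decided by the host that sent the Set-Cookie header
// relative to the top-level page, not by the cookie's Domain attribute.
function provenance(responseHost, topLevelHost) {
  return siteOf(responseHost) === siteOf(topLevelHost) ? 'first-party' : 'third-party';
}

// Duration: per RFC 6265, Max-Age takes precedence over Expires; a cookie
// with neither lives only for the browser session. Lifetime is in days.
function lifetime(cookie, now) {
  const maxAge = Number(cookie.attrs['max-age']);
  if ('max-age' in cookie.attrs && !Number.isNaN(maxAge)) {
    return maxAge <= 0 ? { kind: 'expired', days: 0 } : { kind: 'persistent', days: maxAge / 86400 };
  }
  if ('expires' in cookie.attrs) {
    const t = Date.parse(cookie.attrs.expires);
    if (Number.isNaN(t) || t <= now) return { kind: 'expired', days: 0 };
    return { kind: 'persistent', days: (t - now) / 86400000 };
  }
  return { kind: 'session', days: null };
}

// Classify one observed Set-Cookie header. crossSiteUsable records whether a
// third-party cookie can be attached to cross-site requests at all under
// current browser defaults (SameSite=None plus Secure), which tracking needs.
// An absent SameSite attribute is treated as Lax, as Chromium does.
function classify({ top, from, header }, now = Date.now()) {
  const c = parseSetCookie(header);
  const party = provenance(from, top);
  const life = lifetime(c, now);
  const sameSite = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : 'lax';
  const secure = 'secure' in c.attrs;
  return {
    name: c.name,
    party,
    duration: life.kind,
    days: life.days === null ? null : Math.round(life.days),
    secure,
    httpOnly: 'httponly' in c.attrs,
    sameSite,
    crossSiteUsable: party === 'third-party' && sameSite === 'none' && secure,
  };
}

// Constructed sample: a news site, its CDN, and an ad network's domain.
const NOW = Date.parse('2024-01-01T00:00:00Z');
const SAMPLE = [
  { top: 'news.example', from: 'news.example',
    header: 'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { top: 'news.example', from: 'ads.tracker-example.net',
    header: 'uid=x9y8; Max-Age=34128000; Domain=.tracker-example.net; Secure; SameSite=None' },
  { top: 'news.example', from: 'cdn.news.example',
    header: 'consent=rejected; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/' },
  { top: 'news.example', from: 'news.example',
    header: 'uid=; Max-Age=0; Path=/' },
];

function classifySample() {
  return SAMPLE.map((s) => classify(s, NOW));
}

for (const r of classifySample()) console.log(r);
```

Run as-is to print the four classifications: a first-party session cookie, a third-party persistent advertising cookie (395 days, usable cross-site), a first-party persistent consent-state cookie, and a deletion (Max-Age=0) of the kind a site sends when consent is withdrawn. The same routine can be pointed at the Set-Cookie headers captured by a browser’s developer tools or a proxy to audit what a consent banner actually controls.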

II. Regulating Cookies In EU And India

A. European Union: GDPR and ePrivacy Directive

Regulatory oversight of cookies depends on whether cookies, or the information stored in them, fall within the definition of personal data in the applicable data protection law. In the European Union, Article 4(1) of the General Data Protection Regulation (“GDPR”) defines “personal data” as any information relating to an identified or identifiable natural person (“data subject”), and lists an “online identifier” among the identifiers by which a person may be identified. Recital 30 of the GDPR names “cookie identifiers” as one kind of online identifier which, especially when combined with other information, may be used to create profiles of natural persons and identify them. Cookie identifiers therefore fall within the GDPR’s definition of personal data, bringing cookies under its regulatory oversight.

Besides the GDPR, the Directive on Privacy and Electronic Communications of 2002, amended in 2009 (“ePrivacy Directive” or “EPD”), has specific provisions concerning the processing of personal data in the electronic communications sector. Recital 25 and Article 5(3) of the EPD provide that storing information, including cookies, in the “terminal equipment” or device of a user (or gaining access to information already stored there) is allowed only on the basis of consent. Additionally, Recital 25 requires the method of giving information, requesting consent and offering a right to refuse to be “as user-friendly as possible.” However, Recital 25 also provides that access to specific website content may be made conditional on the well-informed acceptance of a cookie, provided it is used for a legitimate purpose. Recital 66 of Directive 2009/136/EC, which amended the EPD in 2009, further highlights this exception: the obligation to provide information and offer a right to refuse does not apply where cookies are “strictly necessary” for the legitimate purpose of providing a service the user has explicitly requested.

Article 7 of the GDPR outlines the “conditions for consent” and includes the data subject’s right to withdraw consent at any time. Additionally, Article 4(11) and Recital 32 of the GDPR provide that consent must be given by a clear affirmative action and must be freely given, specific, informed and unambiguous. Recital 32 further states that pre-ticked boxes do not constitute valid consent, which the Court of Justice of the European Union reiterated in the Planet49 GmbH case (Case C-673/17).

B. India

a)  DPDPA, 2023

Unlike the GDPR, India’s long-awaited data protection and privacy legislation, the Digital Personal Data Protection Act, 2023 (“DPDPA”), has failed to acknowledge cookies as a legislative concern. Cookies find no explicit mention in the DPDPA. Section 2(t) of the DPDPA defines ‘personal data’ as “any data about an individual who is identifiable by or in relation to such data”. Reading this along the lines of the GDPR, cookies and the information collected through them can be considered personal data to the extent that they contain information attributable to a specific individual. While it remains to be seen whether the highly anticipated rules and regulations under the DPDPA clarify whether cookies amount to personal data, it is safe to presume that they do, based on the experience of the GDPR.

Collecting information such as the location of the device, IP address, email IDs and passwords by way of cookies; storing cookies on the user’s device; and sharing them with third parties would amount to ‘processing’ of digital personal data under Section 2(x) of the DPDPA. Under Section 3, the Act also applies to processing outside India in connection with offering goods or services to data principals within India, so cookie data collected from data principals in India and processed by third-party ‘data processors’ abroad would also be regulated by the Act.

Like the GDPR, the DPDPA envisages “consent” as the basis for the processing of personal data. Section 4 provides that processing must be for a lawful purpose to which the Data Principal has consented. Section 5 requires data fiduciaries (here, websites) to give notice of the personal data collected and the purpose of its collection. It remains to be seen whether such notice would need to detail each type of cookie a website stores on a user’s device and the ‘specific purpose’ for which it is used. Section 6 requires consent to be given by a clear affirmative action and to be free, specific, informed, unconditional and unambiguous. Section 6(1) further provides that consent is given for a specified purpose and is limited to such personal data as is necessary for that purpose. In the absence of clear rules and regulations as to which cookies are necessary for a specific purpose and which are not, users would be left to educate themselves, which would ultimately lead to consent fatigue. What stands out in Section 6(1) is the word “unconditional”. While the EPD carves out an exception for “strictly necessary” cookies from a functional standpoint and allows websites to make access conditional on their acceptance, Section 6(1) of the DPDPA arguably restricts the use of ‘cookie walls’, that is, denial of service for want of consent.

Section 9(3) states: “a data fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children”. This is significant, considering that tracking user activity, behavioural monitoring and serving targeted advertisements are some of the most prominent use cases of internet cookies. A complete prohibition on targeted advertisements directed at children (individuals below 18 years of age) may look good on paper; however, its operational viability is a big concern. Section 9(1) puts the onus on the Data Fiduciary to obtain the “verifiable consent” of the parent or lawful guardian. What constitutes ‘verifiable consent’ is not specified, leaving room for interpretation.

b) Guidelines for Prevention and Regulation of Dark Patterns, 2023

The Central Consumer Protection Authority issued the Guidelines for Prevention and Regulation of Dark Patterns, 2023 (“the Guidelines”). Though the Guidelines cater to consumer protection rather than consumer data protection per se, they are a noteworthy development for cookie consent banners. Studies have found that the use of dark patterns in cookie disclaimers and consent banners is rampant. Annexure 1 of the Guidelines lists several ‘specified dark patterns’. ‘Forced action’ is defined to include forcing a user into an action that requires sharing personal information in order to buy or subscribe to a product or service. Depending on whether cookies can be read into the definition of “personal information” as used in the Consumer Protection Act, 2019 and the Guidelines made thereunder, the Guidelines can be extended to dark patterns in cookie notices. Constant requests to turn on or accept cookies with no right to refuse are given as an example of “nagging”.

III. Conclusion

The article briefly analysed the privacy risks of cookies and how the GDPR and the EPD have attempted to regulate them. Even though the DPDPA has left much to be desired, and the rules and regulations under the Act are expected to shed light on several concerns, the article has tried to read a cookie law into the provisions of the DPDPA, treating cookies as personal data in line with the GDPR. Regulating the use of cookies will go a long way in protecting the anonymity of netizens. Research has reported that the GDPR brought about a 22% drop in the use of third-party cookies on Europe’s news sites. Along similar lines, Google Chrome has started testing a “Tracking Protection” feature as part of its Privacy Sandbox initiative to phase out third-party cookies in the second half of 2024. With legislative interest and growing awareness, the use of cookies needs to be reined in, and all stakeholders have a role to play.
