Ritwik Tyagi is a fifth year law student at MNLU, Nagpur.
Regulatory Regimes
There is a substantial lack of legislation, national or international, which governs the use of cookies in cyberspace. The most extensive authority on this subject is the General Data Protection Regulation (GDPR), enacted and adopted by the European Union in 2016 and in force since 2018. Essentially, the GDPR prohibits processing of any sort of data which could be used to identify a person, such as their name, nationality, sexual orientation, etc., without their explicit consent. This consent must be freely given, clear, specific, and informed.
The GDPR gives users legal rights over their personal information, which include the right to be made aware of a website’s privacy policy before they browse that website, the right to access information about how their data is utilised, the right to object to any activities involving their personal information or even to have such information deleted if it is no longer needed for the intended purpose, the right to limit processing of personal data in certain circumstances, and several others. Under the GDPR, website owners and operators are legally responsible for ensuring that personal data is gathered and treated legitimately. If a website outside of the EU collects data from EU residents, it must also comply with these norms. It is mandated that a website can only gather personal data from users after they have provided their explicit agreement to the precise purposes of its usage. There are certain conditions which must be met according to the GDPR for using cookies: (1) before any cookie activation, prior and express consent must be sought (except for whitelisted, necessary cookies), (2) users must be able to activate some cookies but not others, and they must not be compelled to consent to all cookies or none at all, (3) consent must be freely given, (4) consent must be as simple to withdraw as it is to provide, and (5) consent must be safely stored and renewed once a year.
The ePrivacy Directive, 2002, which is also known as the cookie law, is another authoritative document that lays down guidelines for tracking, confidentiality, and monitoring users’ activities online. The Cookie Law is a piece of privacy legislation that requires websites to get consent from visitors to store or retrieve any information on a computer, smartphone, or tablet. If any website has users visiting it from inside the European Union, then it will be subject to the rules of the ePrivacy Directive, which require the website controller to: withhold all cookies until users have given explicit consent to their activation, give end-users clear and comprehensive information about all cookies embedded on the website in simple language, ask end-users for consent to all cookies in as user-friendly a way as possible, and enable end-users to refuse or withdraw consent as easily as they can provide it.
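The consent conditions listed above (cookies withheld until consent, granular categories rather than all-or-nothing, withdrawal as easy as acceptance, stored consent renewed after a year) map directly onto how a consent gate must behave in code. The following is an added example, not code from the original article or from any regulator; the category names, the storage key and the one-year renewal window are assumptions chosen to illustrate the rules, and the cookie jar and storage are plain Maps so the example runs offline without a browser.

```javascript
// Added example: a minimal consent gate modelling the GDPR / ePrivacy cookie
// conditions. Category names, storage key and renewal window are assumptions.
const CONSENT_KEY = "cookie_consent";               // assumed storage key
const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;      // condition (5): renew yearly
const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed categories

class ConsentManager {
  // storage: Map-like object holding the consent record (e.g. localStorage shim)
  // now: clock function, injectable so expiry can be tested deterministically
  constructor(storage, now = () => Date.now()) {
    this.storage = storage;
    this.now = now;
  }

  // Condition (2): each optional category is an explicit, separate choice.
  // Anything not explicitly set to true is treated as refused (no pre-ticked boxes).
  record(choices) {
    const granted = {};
    for (const c of CATEGORIES) {
      granted[c] = c === "necessary" ? true : choices[c] === true;
    }
    this.storage.set(CONSENT_KEY, JSON.stringify({ granted, at: this.now() }));
    return granted;
  }

  // Accept-all and reject-all are deliberately symmetric single calls,
  // so refusing is no harder than accepting (condition (3)/(4)).
  acceptAll() {
    const all = {};
    for (const c of CATEGORIES) all[c] = true;
    return this.record(all);
  }
  rejectAll() { return this.record({}); }

  // Condition (4): withdrawal is one call and wipes the stored record.
  withdraw() { this.storage.delete(CONSENT_KEY); }

  // Returns the granted map, or null if no valid (unexpired) consent exists.
  current() {
    const raw = this.storage.get(CONSENT_KEY);
    if (!raw) return null;
    const rec = JSON.parse(raw);
    if (this.now() - rec.at > ONE_YEAR_MS) {   // stale consent must be renewed
      this.storage.delete(CONSENT_KEY);
      return null;
    }
    return rec.granted;
  }

  // Condition (1): only whitelisted "necessary" cookies bypass the gate.
  allowed(category) {
    if (category === "necessary") return true;
    const granted = this.current();
    return granted !== null && granted[category] === true;
  }

  // The single choke point through which all cookie writes must pass.
  // Returns true if the cookie was set, false if it was withheld.
  setCookie(jar, name, value, category) {
    if (!this.allowed(category)) return false;
    jar.set(name, value);
    return true;
  }
}

// Walk-through with constructed values: returns the observed outcomes.
function runDemo() {
  let clock = 0;
  const cm = new ConsentManager(new Map(), () => clock);
  const jar = new Map();
  const out = {};
  out.analyticsBeforeConsent = cm.setCookie(jar, "_ga", "x", "analytics");
  out.necessaryBeforeConsent = cm.setCookie(jar, "session", "abc", "necessary");
  cm.record({ analytics: true });                  // granular: analytics only
  out.analyticsAfterConsent = cm.setCookie(jar, "_ga", "x", "analytics");
  out.marketingAfterConsent = cm.setCookie(jar, "_fbp", "y", "marketing");
  clock = ONE_YEAR_MS + 1;                          // one year later
  out.consentAfterYear = cm.current();
  cm.acceptAll();
  cm.withdraw();
  out.analyticsAfterWithdraw = cm.allowed("analytics");
  return out;
}
```

In a real deployment the `jar` would wrap `document.cookie` and the `storage` would be `localStorage`; the point of the structure is that every cookie write goes through `setCookie`, so a category the user never opted into cannot be set by accident, and a refuse path exists that costs no more clicks than the accept path.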
Let us now examine the effectiveness and functionality of data privacy rules such as the GDPR on the rampant use of cookies. In late 2021, Alphabet and Meta, the respective parent companies of Google and Facebook, were collectively penalised by more than 200 million Euros in France by the Commission Nationale de l’Informatique et des Libertés for not facilitating free consent for the use of cookies as required by the GDPR. Users only had to click one button to accept all cookies, but to turn them down they had to go through a more complicated and time-consuming process, which they were more likely to abandon because it took more clicks.
In a study conducted in 2020 of users residing in the European Union, it was found that a whopping 93% of them accepted the use of all cookies even though websites were providing an option to open another window for going through and managing their cookies. This means that by making it harder for users to refuse the use of cookies, a website is not actually allowing users to make free and informed choices over the deployment of cookies, since refusal is actively being discouraged. Websites are trying to find ways around the GDPR requirements for free consent by employing various methods to get users to press the accept button. For instance, in an analysis of fifty popular websites, it came to light that 64% of them did not comply with these laws. This number includes big companies like Google, Facebook, and Twitter, whose services are used by millions of people every day. As a result, they are illegally collecting the data of a great many people who are not even aware of it.
Therefore, it can be seen that even though a liability has been cast upon websites falling under the jurisdiction of the European Union to comply with the GDPR in formulating appropriate cookie policies and collecting informed consent from users before making use of various cookies, it is hardly followed by any website. From the smallest entity to the largest technology conglomerate, none of these websites has thought it fit to comply with the norms, as the monetary benefits obtained from collecting and processing users’ personal data are too high to forego. Another reason for such blatant non-compliance is the toothless nature of the GDPR, which does not have any proper enforcement or penalising mechanism. The French regulator recently handed out fines to Google and Facebook, which gave people hope that independent regulators will step up to the plate and make sure websites follow the rules.
Conclusion & Way Ahead
In India, there is neither any comprehensive personal data privacy regulation nor any explicit legislation governing the use of cookies. The Supreme Court ruled in K.S. Puttuswamy v. Union of India [2017 10 SCC 1] that the right to privacy is a fundamental right guaranteed by Part III of the Indian Constitution. The judgment also holds that a user’s personal information cannot be used without his or her consent. Cookies, however, are not considered to fall under the ambit of personal information in India. As a result, Indian companies are not required to include a cookie policy in their privacy policies, and this allows websites to place many types of cookies on users’ devices without their consent, including both necessary and superfluous cookies. Thus, the resulting exposure of users’ information to others without their consent is a violation of their right to privacy.
It is imperative in such a scenario that the void in the Indian legislative sphere be filled by an effective and privacy-oriented law at the earliest. In essence, this law should clearly stipulate the indispensable condition of obtaining free consent from users before a cookie can be placed on their device. Additionally, an attempt should be made to delineate certain broad categories of cookies, classified on the basis of threat levels to privacy and availability of safeguards, which are and aren’t permitted for use, so that the onus is put on websites at the implementation stage itself to keep tabs on the legality of their cookie usage. To avoid the lack of compliance and enforcement that has been found wanting in the GDPR, this statute must put in place a strict framework for dealing with contraventions of norms. A system of strikes, in combination with an accessible complaint mechanism, can be established whereby each successive strike on a website will attract a range of penalties. Upon crossing a threshold of strikes, the website can be blocked and provided with a time window by the regulator to cure all defects. Ultimately, it is the state’s role to step into the shoes of a regulator and prevent the curse of these omnipresent cookies from disturbing cyberspace.