Cookies! What comes to mind when we hear this word? Most of all, a yummy product of delicious confectionaries. The word itself stimulates a sense of joy and excitement and carries a positive connotation. But does the same hold when the word is used in the world of data and technology? This blog is an attempt to explore the meaning and use of cookies by data fiduciaries, and it then analyses, in context, whether India is in need of a cookie regulation act or not.
What are Cookies?
Cookies are small text files that websites and applications store on our devices to collect data that can be used to provide the data principal with a more personalised user experience.[1] Cookies do not contain any executable code, which means that the devices storing them cannot execute the cookie itself. They are not viruses either, as they are incapable of making copies of themselves and getting transferred to other devices.[2] However, to some extent, cookies do play an espionage role for the data fiduciaries, as they primarily store data such as website visits, passwords, information on the browsing history of the users, etc. Through this mined data, website functionaries create an accurate profile of individuals and in turn serve the users' interests more closely by providing them with news and updates of their interest.[3] The relief is that a cookie for which we have waived our privacy to such an extent, by accepting it through a website notification, becomes operative only upon our visit to that particular website. The actual privacy concern that arises with the use of cookies is the significant usage of third-party cookies on the websites we visit.
The following are the three major types of cookies:
- Technical cookies
These cookies are necessary for the proper operation of the website and are used to control login and access to the site’s restricted features. Their primary goal is to carry out the transmission of a communication across an electronic communication network. These cookies only last for the current working session. They are typically deployed by the website’s owner or operator and serve no other function. They are essential for the website to function properly and to give users the ability to browse data based on a variety of criteria, such as language, choosing products to buy to enhance the service, or handling the data precisely. The consent of the user is not required before these cookies are installed. They are enabled by the website by default.
- Profiling cookies
These are targeted at generating user profiles and are used to send advertising messages in line with the preferences displayed by the same section. For these cookies to be enabled by the website, a consent-seeking notification must be provided by order of law. Through this notification, the user is made aware of what sort of personal data is being manoeuvred and transcribed to structure a personalised user profile.
- Third-party cookies
These cookies are used to anonymously collect and evaluate site traffic and usage. They are associated with external domains and can be installed by anyone, which makes them a potential threat. They enable external users to monitor and enhance system stability. Even though these cookies can be deactivated without affecting functionality, most websites do not specifically notify users of third-party cookies, thus leaving users oblivious to the installation of these foreign cookies.
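To make the three categories concrete, here is an added example (not part of the original article) that audits `Set-Cookie` headers and separates first-party session cookies, which match the "technical" description above, from persistent or third-party cookies that would call for a notice. The hosts, cookie names, the `needsReview` rule and the simplified same-site check are assumptions of this sketch, not a legal test.

```javascript
// Constructed sample: Set-Cookie headers seen while loading https://shop.example/
// (hosts, cookie names and values are made up for this example).
const SAMPLE = [
  { host: "shop.example", header: "sid=abc123; Path=/; HttpOnly; Secure" },
  { host: "shop.example", header: "lang=en; Max-Age=31536000; Path=/" },
  { host: "cdn.shop.example", header: "cart=7; Domain=shop.example; Path=/" },
  { host: "ads.tracker.example",
    header: "uid=u-991; Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure" },
];

// Parse one Set-Cookie header into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Simplification (assumption): same party = same host or a subdomain of the
// visited site. A real audit compares registrable domains (Public Suffix List).
function isFirstParty(siteHost, cookieHost) {
  const s = siteHost.toLowerCase(), c = cookieHost.toLowerCase();
  return c === s || c.endsWith("." + s);
}

function classify(siteHost, entry) {
  const { name, attrs } = parseSetCookie(entry.header);
  const explicit = typeof attrs.domain === "string" && attrs.domain;
  const domain = (explicit || entry.host).replace(/^\./, "");
  const party = isFirstParty(siteHost, domain) ? "first-party" : "third-party";
  // No Expires/Max-Age means the cookie ends with the browsing session.
  const lifetime = "expires" in attrs || "max-age" in attrs ? "persistent" : "session";
  // Heuristic: only first-party session cookies fit the "technical" category.
  const needsReview = !(party === "first-party" && lifetime === "session");
  return { name, domain, party, lifetime, needsReview };
}

function auditCookies(siteHost, entries) {
  return entries.map((e) => classify(siteHost, e));
}

console.table(auditCookies("shop.example", SAMPLE));
```

Whether a flagged cookie is actually a profiling cookie cannot be read from the header alone; the output is a list of candidates for a consent notice, to be checked against what the cookie is used for.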
The aforementioned cookies are, in general, not harmful; as such, they do not pose any threat and do not necessarily entail a privacy risk. Third-party cookies, nevertheless, need to be made transparent to the user in order to build a more trusting environment. In this context, the EU purports to regulate cookies with a view to curbing the excessive intrusion into, and transmission of, citizens’ objectionable data to which they have not given consent. The European Union Parliament’s efforts in this regard are noteworthy. The European Parliament’s Directive 2009/136/EC is the most pertinent legislative act. It came into effect on May 25, 2011 and replaced an earlier directive on the same issue.[4] The essence of the legislation, in summary, was to impose a mandatory directive under which the data fiduciary is not allowed to store or retrieve any information of the user without his express and informed consent. India, however, has left the quandary of limiting the misapplication of cookie usage in abeyance, and the laws currently in force appear unequipped to deal with cookie-related breaches.
Are the Laws in India Equipped to Deal With Cookie Privacy Concerns?
As the data suggests, India stands second only to China when it comes to Internet users, with over 462 million of them.[5] Ironically, India does not have a stand-alone data protection law in place, never mind a cookie regulatory framework. The constant penetration of smartphones has brought the internet to the fingertips of every user. India hosts a relatively large rural population and, in consideration of its economic prosperity, a greater number of illiterate people who are unable to understand the nuances of technology and its practices, so it becomes all the more important for India to shape a robust enactment around the data concerns of its citizens. As India is a welfare state, the onus is upon the government to take care of public privacy, especially that of people belonging to rural areas. The foremost question that emerges in the context of this blog amidst the data conundrum is whether India should have a separate law on cookie regulation. The main legal framework governing data protection in India is the Information Technology (IT) Act of 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules of 2011 (IT Rules).[6] These regulations primarily aim to safeguard “personal information” and “sensitive personal data or information,” which includes various categories such as passwords, financial information, health conditions, sexual orientation, medical records, and biometric data. Notably, information publicly available in the public domain is not considered sensitive personal data.[7] Furthermore, it is also germane to our discussion to analyse the recent Digital Personal Data Protection Act, 2023 with respect to data tracking and online advertisement, which affect the privacy of individuals.
Information Technology Act, 2000
Information and Technology Act, 2000
In the absence of specific legislation governing cookies in India, there is concern that companies may exploit personal data for their own advantage without obtaining user consent. Some argue that such unconsented cookie usage could potentially fall under the IT Act’s definition of a ‘computer virus,’ rendering it illegal.[8] However, due to the lack of clear legal guidelines or past court rulings on cookies, companies might exploit technical loopholes in the definition. For instance, websites could claim that cookies are benign and non-malicious, making it difficult to definitively categorize them as ‘computer viruses.’
The IT Act, amended in 2008, includes several provisions related to data protection, mandatory privacy policies, and penalties for privacy policy breaches. Key provisions include:
- Section 43 (a), (b), and (i): This section addresses unauthorized access to computer systems, data extraction, and alteration of computer source code with the intent to cause damage. It allows for damages by way of compensation, with a maximum limit of INR 1,00,00,000 (Rupees One Crore) for affected parties.[9]
- Section 43A: This section is fundamental to data protection and holds corporate entities responsible for negligence in implementing and maintaining reasonable security practices and procedures for sensitive personal data. The liable entity can be required to pay compensation, with a maximum limit of INR 5,00,00,000 (Rupees Five Crores).[10]
- Section 66E: This section deals with privacy violations involving the capture, publication, or transmission of private images without consent. Penalties include imprisonment for up to three years or a fine not exceeding INR 200,000 (Indian Rupees Two Lakh), or both. (The Information Technology Act, 2000 (Act 21 of 2000), s. 66E.)
- Section 72A: This section applies to individuals or intermediaries who disclose personal information intending to cause wrongful loss or gain without consent or in breach of a lawful contract. Penalties include imprisonment for up to three years, a fine of up to INR 5,00,000 (Rupees Five Lakh), or both.[11]
In the context of the lack of specific cookie regulation, these provisions provide a legal framework for addressing data protection and privacy concerns in India. However, it’s important to note that while the IT Act and IT Rules offer some protection for personal data, they may not fully address the specific challenges posed by cookies and online tracking. Therefore, there is a need for comprehensive legislation or regulations specifically targeting cookies and online privacy to provide users with greater control over their data and to address emerging privacy issues in the digital era.
Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act of 2023, which has recently been passed by the Parliament, does not establish a clear and comprehensive regulatory framework for overseeing data usage in advertising. While the Act aims to prohibit behavioural tracking targeted at children, it does not adequately address the broader issue of companies collecting and utilizing data for unfair trade practices through general advertising.
Analysis in the context of cookie regulation:
This statement highlights a gap in the proposed Digital Personal Data Protection Act of 2023, specifically concerning its approach to regulating data usage for advertising purposes. Behavioural tracking, often facilitated by cookies, is a common method used by companies to collect user data for targeted advertising.[12] While the Act addresses the protection of children’s data, it does not provide a well-defined framework for regulating the broader use of data in advertising practices.[13]
This gap is significant because cookies play a central role in tracking user behaviour across websites and platforms, which is then used for personalized advertising. Without clear guidelines or regulations, users may continue to be subject to extensive data collection and profiling for advertising purposes without their consent. It raises concerns about user privacy and the potential for unfair trade practices, as users may not have control over how their data is collected and used. To address these concerns effectively, comprehensive cookie regulations are needed. Such regulations could specify requirements for obtaining user consent for tracking and data collection, transparency in data practices, and mechanisms for users to opt-out or manage their data preferences. Additionally, regulations should consider the distinction between data collection for general advertising and more sensitive data related to children, as mentioned in the Act.
In summary, the absence of specific provisions in the Data Protection Act of 2023 regarding the regulation of data for advertising, particularly through cookies, underscores the need for dedicated cookie regulations to protect user privacy, ensure transparency, and prevent unfair data practices in the digital advertising ecosystem.
Conclusion
In conclusion, it is clear that India stands at a unique juncture when it comes to cookie regulation. While it may be tempting to simply adopt the cookie law enacted by the EU, the laws enacted by the EU are relevant and formative for their own social and economic climate. Hence, it is imperative that India takes a more thoughtful and tailored approach. By formulating a law that aligns with its regulatory landscape, cultural dynamics, and commercial interests, India can strike a balance that benefits both businesses and individuals. One of the key advantages of such an approach is the ability to design fines and penalties that are proportionate to the size of businesses, the nature of violations, and the type of data involved. It ensures that punitive measures are fair and equitable, promoting compliance without unduly burdening companies.
In essence, enacting an Indian cookie law represents a balanced and pragmatic response to the evolving challenges of the digital age. It not only safeguards personal data but also supports the economic interests of businesses and individuals who are capable enough to understand the complexities of their online data and sensitive information. By taking this path, India can navigate the complex terrain of cookie regulation with wisdom and foresight, setting an example for responsible data governance on a global scale.
1. Rajesh Vellakat, “Should We Have A Law: Online Tracking?” 55 PL (IT) 57 (2014).
2. Cookies Crumbling: India Needs a Cookie Law, available at https://lawschoolpolicyreview.com (last visited on 15th September, 2023).
3. Supra note 1.
4. The European Parliament and of the Council, directive 2009/136/EC.
5. Megha Mandavia, “India has second highest number of Internet users after China” The Economic Times, Sep 26, 2019.
6. The Information Technology Act, 2000 (Act 21 of 2000).
7. Avi Goldfarb and Catherine E. Tucker, “Privacy Regulation and Online Advertising” 57 Management Science 57-71 (2011).
8. Supra note 2.
9. The Information Technology Act, 2000 (Act 21 of 2000), s. 43, ss. a, b, and i.
10. The Information Technology Act, 2000 (Act 21 of 2000), s. 43A.
11. The Information Technology Act, 2000 (Act 21 of 2000), s. 72A.
12. Supra note 7 at 57-58.
13. Shiv Mehrotra, “The Digital Personal Data Protection Bill, 2022” available at: https://www.scconline.com/blog/ (last visited on 20 September, 2023).


