Blog

Cookies! What comes to mind when we hear this word? Most of all a yummy product of delicious confectionaries. The word itself stimulates a sense of joy and excitement and passes on a positive connotation. But does the case remain similar when the same is being used in the world of data and technology? This blog is an attempt to explore the meaning and use of cookies by the data fiduciaries, and  hereinafter it will contextually analyse whether India is in need of a cookie regulation act or not.  What are Cookies? Cookies are small text files that the websites and applications store in our devices for collecting data that could be used to provide the data principal with a more personalised user experience.1 These cookies do not contain any executable code which means that the cookie-storing devices cannot execute the cookie code itself. They are not viruses either, as they are incapable of making copies and getting transferred to other devices.2 However, to some extent, cookies do play an espionage role for the data fiduciaries as they primarily store data such as website visits, passwords, information on the browsing history of the users, etc. Through this mined data of the users, website functionaries create an accurate profile of the individuals and thus sequentially provide greater satisfaction of interest to the users by providing them with new and updates of their interest.3 Now, the relief is that the cookie to which we have waived our privacy to such an extent by accepting it through website notification becomes operative upon our visit to that particular website. The actual privacy concern that arises with the use of cookies is the significant usage of third-party cookies on visiting websites. The following are the three major type of cookies: Technical cookies These cookies are necessary for the proper operation of the website and are used to control login and access to the site’s restricted features. The primary goal is to conduct communication transmission across an electronic communication network. This cookie only lasts for the current working session. They are typically deployed by the website’s owner or operator and serve no other function. They are essential for the website to function properly and to give users the ability to browse data based on a variety of criteria, such as language, choosing products to buy to enhance the service, or handling the data precisely. Before these cookies are installed, the consent of the user is not essential. They are enabled by the website by default.   Profiling cookies These are targeted at generating user profiles and are used to send advertising messages in line with the preferences displayed by the same section. For these cookies to be enabled by the website, a consent-seeking notification is provided by order of law. Through this notification, the user is made aware of what sort of his personal data is being manoeuvred and transcribed to structure a personalised user profile.   Third-Party Cookie These cookies are used to anonymously collect and evaluate site traffic and usage. These are associated with external domains and can be installed by anyone, which makes them a potential threat. They enable external users to monitor and enhance system stability. Even though deactivation of these cookies is possible without affecting functionality, but most of the websites do not particularly notify of the third-party cookies, thus making users oblivious to the instalment of these foreign cookies.  The aforementioned cookies, are in general, not harmful and as such do not pose any threat and thus do not necessarily entail a privacy risk. The third-party cookies, nevertheless need to be made transparent to the user in order to build a more trusting environment. In this context, the EU purports to adopt a regulation of cookies with the view to curb the excessive intrusion and transmission of citizen’s objectionable data to which they have not given consent to. The European Union Parliament’s efforts in this regard are noteworthy. The European Parliament’s Directive 2009/136/EC is the most pertinent legislative act. It came into effect on May 25, 2011 and replaced an earlier directive on the same issue.4 The essence of the legislation, as summarised was to put a mandatory directive whereof the data fiduciary is not allowed to store or retrieve any information of the user without his express and informed consent. Now India, however, has left the quandary of limiting the misapplication of cookie usage in abeyance and the laws currently in observance are suggestively unequipped to deal with the cookie-related breaches. Are the Laws in India Equiped to Deal With Cookie Privacy Concern? As the data suggests, India stands only second to China when it comes to Internet users, with over 462 million of them in number.5 Ironically, India does not have a stand-alone data protection law in place, never mind the absence of a cookie regulatory framework. Constant penetration of smartphones has brought the internet to the fingertips of every user. India hosts a relatively large population of rural subjects, naturally in consideration of India’s economic prosperity insinuating a greater number of illiterate people who are unable to understand the nuances of technology and its practices, so it becomes all the more important for India to shape a robust enactment around the data concern of its citizen. As India is a welfare state, the onus is upon the government to take care of the public privacy, especially of the ones belonging to the rural areas. The foremost question that emerges in the context of this blog amidst the data conundrum is whether India should have a separate law on cookie regulation. The main legal framework governing data protection in India is the Information Technology (IT) Act of 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules of 2011 (IT Rules).6 These regulations primarily aim to safeguard “personal information” and “sensitive personal data or information,” which includes various categories such as passwords, financial information, health conditions, sexual orientation, medical records, and biometric data. Notably, information