Cookies – Meaning, legal regulations and Implications


January 9, 2024

Data collection and use is pervasive for a certain set of organisations, depending on their business model. These organisations collect and use information about individuals in order to keep their business running smoothly. The data collected is sufficient to let these organisations compile a comprehensive digital profile of a user based on behaviour and interests. Today, the primary means of acquiring data about user behaviour is the cookie.

When a user visits a website, the server assigns him/her a unique identifier, which is stored on the user’s device. When the same user returns on subsequent visits, the browser sends the cookie back to the server, enabling the website to recall the user’s preferences.

Originating in 1994 with Netscape Communications, the concept of the ‘cookie’ was first introduced by programmer Lou Montulli to enhance e-commerce applications by retaining information such as shopping cart contents. Despite their benign origin, the widespread use of cookies raises privacy and data security concerns.

What are Cookies?

Cookies are small data files that a website stores on a visiting user’s device. While cookies are not inherently designed to pose privacy risks, their use can raise concerns depending on how they are implemented and for what purposes.

Adoption of cookie policies

It is common practice for website owners to draft and publish a cookie policy on their website for users’ perusal. A cookie policy is similar to a privacy policy, which informs users about the collection and use of their personal information.

Generally, cookie policies contain the following information:

  1. Detailed information about which cookies are used on the website and how.
  2. The options users have regarding the application of cookies while they use the website.

Categorization of cookies

Cookies are divided into various categories based on duration, purpose, origin and other related factors. Each category has a different scope, purpose and risk. The details are as follows:

A. Based upon the duration

1. Session Cookies

Session cookies are temporary data files created during a user’s visit to a website, storing information such as the user’s preferences and login status. They are crucial for the smooth functioning of websites and are deleted when the user closes the browser, which helps preserve privacy and security. For example, without session cookies, items placed in an e-commerce store’s cart would disappear every time the user refreshed the page or proceeded to checkout, because a website would otherwise treat each new page request as coming from a new user.

2. Persistent Cookies

Unlike session cookies, persistent cookies remain on a user’s device for a longer period, retaining information across browsing sessions. They are often used to remember user preferences, settings or login details, enhancing the user experience over time. These cookies are sometimes called tracking cookies, since they can track a user’s behaviour on the website over an extended period of time.

B. Based upon Origin

1. First-Party Cookies

First-party cookies originate from the website the user is actively visiting. They store user-specific information required for the website’s functionality, such as remembering login credentials or items in an online shopping cart, contributing to a personalised and efficient user experience.

2. Third-Party Cookies

Third-party cookies come from domains other than the one the user is currently visiting. They are commonly used for advertising and tracking purposes, enabling the collection of user data across different websites and the delivery of targeted ads based on browsing behaviour.

C. Other types of cookies

1. Secure Cookies

Secure cookies are transmitted only over encrypted (HTTPS) connections, providing an additional layer of protection. They are crucial for protecting sensitive information, especially during activities such as online banking, where secure transmission is paramount.

2. HttpOnly Cookies

HttpOnly cookies are inaccessible to JavaScript running in the page, reducing the risk of cross-site scripting attacks. By preventing malicious scripts from reading cookie data, HttpOnly cookies enhance the security of user information.

3. Analytics Cookies

Analytics cookies are tracking tools that collect and analyze user behavior on websites, providing insights to improve site performance. For example, Google Analytics uses cookies to track page views, click patterns, and user interactions for website optimization.

4. Marketing Cookies

Marketing cookies are data files placed on users’ devices to track their online behavior and preferences, enabling targeted advertising and personalized content delivery. For instance, a retail website may use marketing cookies to show users ads for products they previously viewed, enhancing the effectiveness of promotional campaigns.

5. SameSite Cookies

The SameSite attribute controls whether a cookie is sent with cross-site requests, enhancing security and privacy by mitigating the risk of cross-site request forgery attacks. It dictates whether the cookie is restricted to the site that set it or is also sent on requests originating from third-party sites.

6. Zombie Cookies (Evercookies)

Zombie cookies, also known as Evercookies, are persistent tracking mechanisms that recreate themselves after deletion. This controversial type of cookie raises privacy concerns due to its resilience and potential for continuous user tracking, even after attempts to clear browser cookies.

7. Supercookies

Supercookies employ multiple storage mechanisms to recreate cookies even after deletion. Their extreme persistence and the difficulty of removing them raise significant privacy concerns, making them controversial in the context of responsible data practices.

Understanding how cookies operate and the risk factors involved

1. Identification and Tracking

Cookies are primarily used to track user activity on a website. They can store information such as user preferences, login status and other session-related data. However, cookies alone typically do not identify a natural person. They are often used for legitimate purposes, such as improving user experience and providing personalised content.

2. Data Storage

Cookies generally have limited storage capacity and are subject to the same-origin policy, i.e. a cookie set by one website cannot be accessed by another website or domain. However, if a user provides personal information (such as credit card details) to a website, that information might be stored in a cookie if the website is designed to do so.

3. Privacy Risks

Cookies can pose privacy risks, especially when they are used for tracking users across multiple websites. This can lead to the creation of user profiles that may be exploited for targeted advertising. Users concerned about their privacy often choose to disable or manage cookies in their browser settings.

4. Cookie Hijacking or Tossing

Cookie hijacking or tossing refers to unauthorised access to cookies, which can lead to account compromise or unauthorised access to user data. This is a security concern, and websites should implement secure practices to protect against such threats, such as using secure connections.
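The Secure, HttpOnly and SameSite attributes described under "Other types of cookies" are the server-side controls that reduce the cookie theft risk discussed here. As an added example (not from the original article), the following Python audits constructed Set-Cookie header values for those attributes and classifies each cookie as session or persistent; the header strings and cookie names are made up for illustration.

```python
"""Audit Set-Cookie headers for Secure, HttpOnly and SameSite.

Added example, not part of the original article. The sample header
values below are constructed; they do not come from any real site.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CookieAudit:
    name: str
    persistent: bool          # Max-Age or Expires present -> survives browser close
    secure: bool              # only transmitted over HTTPS
    httponly: bool            # not readable via document.cookie (XSS mitigation)
    samesite: Optional[str]   # "Strict", "Lax", "None", or None when absent
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie value and record missing protective attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()   # attribute names are case-insensitive

    persistent = "max-age" in attrs or "expires" in attrs
    raw_samesite = attrs.get("samesite")
    samesite = raw_samesite.capitalize() if raw_samesite else None
    audit = CookieAudit(name, persistent, "secure" in attrs, "httponly" in attrs, samesite)

    if not audit.secure:
        audit.findings.append("missing Secure: cookie may be sent over plain HTTP")
    if not audit.httponly:
        audit.findings.append("missing HttpOnly: readable by page scripts")
    if samesite is None:
        audit.findings.append("missing SameSite: browser default applies")
    elif samesite == "None" and not audit.secure:
        audit.findings.append("SameSite=None requires Secure; browsers reject this cookie")
    if name.startswith("__Secure-") and not audit.secure:
        audit.findings.append("__Secure- prefix requires the Secure attribute")
    return audit


def audit_headers(headers: List[str]) -> Dict[str, CookieAudit]:
    return {a.name: a for a in map(parse_set_cookie, headers)}


SAMPLE_HEADERS = [  # constructed examples of what a server might emit
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; Max-Age=31536000; Path=/",
    "_adtrack=xyz; Expires=Wed, 09 Jan 2025 00:00:00 GMT; SameSite=None",
]

if __name__ == "__main__":
    for name, a in audit_headers(SAMPLE_HEADERS).items():
        kind = "persistent" if a.persistent else "session"
        print(f"{name} ({kind}, SameSite={a.samesite}): {a.findings or 'no findings'}")
```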

5. User Control

Users have some control over cookies. Most web browsers allow users to manage and delete cookies, and some also provide options to block third-party cookies. Additionally, there are browser extensions and privacy-focused browsers that enhance user control over tracking and data collection.

Regulation of cookies under the laws of European Union

In the European Union, cookies are regulated by the ePrivacy Directive[i] and the General Data Protection Regulation (GDPR)[ii]. While the GDPR covers identifiers, the ePrivacy Directive establishes specific rules for the electronic communications sector and takes precedence over the general GDPR provisions in this context. The two instruments apply concurrently: the ePrivacy Directive does not address the general provisions of the GDPR, which continue to apply. Notably, Article 5(3) of the ePrivacy Directive requires organisations to obtain user consent for the use or retention of cookies, making the other legal bases under the GDPR inapplicable in this case.

Further, the EU guidelines on consent[iii] are crucial in addition to the ePrivacy Directive. According to these guidelines, cookie consent must be voluntary, specific, informed and unambiguous. Users visiting a website should have a genuine choice to accept or decline the use of cookies by the website operator. Cookie walls, which force users to accept cookies in order to access the website or its services, should be avoided. Likewise, the cookie banner should offer clear options such as accept, reject or manage cookie settings, allowing users to make informed choices. Organisations are obliged to inform users about the purposes of each type of cookie and to obtain explicit opt-in consent for their use. In this regard, consent cannot be inferred from a user’s previous behaviour (e.g. scrolling the website without explicitly accepting or refusing cookies).

The laws, rules and guidelines issued in the European Union under the ePrivacy Directive are precautionary measures against the misuse of cookies, as the following two cases illustrate:

1. The Planet 49 case[iv] established that a pre-selected checkbox does not constitute valid consent. A user must take a clear and affirmative action for consent to cookies to be considered valid. Notably, essential cookies do not require consent, but information about their purposes should still be provided, as per the guidelines of the Luxembourg supervisory authority on cookies.[v]

2. On December 7, 2020, the Commission Nationale de l’Informatique et des Libertés (CNIL)[vi] imposed a fine of 35 million euros on Amazon Europe Core. The fine was specifically for placing advertising cookies on the computers of users of the Amazon.fr sales site without obtaining prior consent or providing satisfactory information. The CNIL’s decision identified violations of Article 82 of the French Data Protection Act[vii], which transposes the ePrivacy Directive.

Cookies under Indian Law

As of this date, there are no regulations in India that govern cookies directly. However, existing legislation has an indirect effect on cookies and the policies prepared for them.

For certain companies, the terms and conditions of their website are drafted such that a user’s browsing of the website forms a legally binding contract governed by the website’s legal agreements. In India, cookies are exempt from privacy policies as non-personal information, yet websites can impose arbitrary cookie policies for consent. Privacy concerns arise because cookie consent might be void under applicable law if the contract is proven unconscionable.

The Consumer Protection Board suggests aligning India’s Consumer Protection Act (COPrA) with Australian law on data rights and unfair contract terms. Although COPrA has no specific data privacy provisions, it allows complaints to be lodged on the basis of unfair trade practices. COPrA lists a few unfair trade practices that could be grounds for a complaint, one of which is the disclosure of a consumer’s personal information. Since cookies are not considered ‘personal information’ in India, it is difficult to bring cookie usage terms within the meaning of unfair trade practices, especially in the absence of judicial precedent. However, the inclusion of a definition of ‘unfair contracts’ has made it possible for consumers to challenge unilateral and unreasonable contracts.

Section 2(46) of COPrA states that the imposition of an unreasonable condition on consumers that puts them at a disadvantage constitutes an unfair contract. Requiring users to consent to an arbitrary cookie policy could be termed an unreasonable condition under this section. However, the Act is ambiguous about the standard of reasonableness expected under the section.

Further, the existing Indian information technology laws also carry compliance obligations and implications relevant to cookie policies.

1. Relevant provisions under The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

Section 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter referred to as the ITR) requires a body corporate, or any entity collecting information on its behalf under a valid contract, to publish a privacy policy and details regarding the disclosure of information.

Section 5(3) of the ITR requires the body corporate to inform the individual about the nature of the information being collected.

Section 7 of the ITR stipulates that the transfer of data is permissible only when the person whose information is collected gives explicit consent, and only to an entity that adheres to comparable privacy policies under a legal contract.[viii]

2. Relevant provisions under The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

Section 3 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021[ix] addresses the obligation of intermediaries to exercise due diligence in safeguarding the privacy of their users. It explicitly prohibits the disclosure of user privacy information and mandates the implementation of privacy policies and user agreements. The section directs intermediaries to undertake all necessary and reasonable measures with due diligence, prioritizing privacy and transparency in their operations.

3. The Digital Personal Data Protection Act (DPDPA), 2023

The Digital Personal Data Protection Act (DPDPA), 2023 is set to come into force. Although the DPDPA does not specifically deal with cookies, it does contain provisions relating to personal data. To the extent that cookies contain identifiable information about an individual, organisations should obtain prior consent for the use of such cookies, as this amounts to processing of personal data. The DPDPA requires a consent mechanism that procures consent in a manner demonstrating that it is free, specific, informed, unconditional and unambiguous. This approach aligns with EU standards, ensuring that organisations tread the safe path in terms of privacy compliance.

Section 2(t) of the DPDPA defines “personal data” as any data about an individual who is identifiable by or in relation to such data.

Under section 4(1)(a) of the DPDPA, an individual or organisation may process the personal data of a data principal only if explicit consent has been given.

Section 9 of the DPDPA specifically addresses the processing of personal data concerning a child, requiring consent to be obtained from the child’s parents or a lawful guardian. Additionally, data fiduciaries are prohibited from engaging in behavioural monitoring or targeted advertising directed at children.

Section 5(2) of the DPDPA outlines that when a data principal has given consent, they are entitled to information detailing how their data is being used. The data fiduciary is obligated to utilize this data in accordance with the terms of consent, unless the data principal chooses to withdraw their consent.

Section 6(1) of the DPDPA emphasizes that consent must adhere to certain principles, namely being free, informed, and specific. This underscores the importance of individuals providing consent willingly, with a clear understanding of the implications, and for a specific purpose.[x]

Conclusion

Navigating the complex landscape of cookies, consent and privacy compliance requires a delicate balance between user experience and safeguarding personal data. In the EU, the ePrivacy Directive and the GDPR set stringent standards for obtaining user consent, emphasising transparency and user choice. Recent enforcement actions, such as the Planet 49 case and the CNIL’s fine on Amazon, underscore the importance of clear and affirmative user consent and highlight the consequences of non-compliance.

In India, while the DPDPA aligns with EU standards by emphasising explicit consent, its implementation raises questions as to how the DPDPA will address cookies specifically. Privacy concerns persist, with the potential for consent to be voided if contracts are deemed unconscionable. The evolving legal landscape, including the Information Technology Rules, suggests a growing emphasis on intermediaries’ responsibility to safeguard user privacy and disclose their data practices.

As the global community grapples with the intricacies of online privacy, organizations must stay vigilant in adapting their cookie policies to comply with evolving regulations. Emphasizing transparent communication, offering meaningful choices to users, and prioritizing the security of personal data remain paramount. In this dynamic environment, continued attention to legal developments and proactive adjustments to cookie practices will be crucial for organizations seeking to navigate the cookie conundrum effectively.

Author: Dippyaman Bhattacharya, Senior Associate and Madhav Krishna, Associate

Disclaimer: The content of this article is intended to provide a general guide to the subject matter and shall not be treated as legal advice. For any queries, the author can be reached at info@samistilegal.in


[i] https://edps.europa.eu/data-protection/our-work/subjects/eprivacy-directive_en

[ii] https://gdpr-info.eu/

[iii] https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf

[iv] https://curia.europa.eu/juris/document/document.jsf?docid=218462&doclang=EN

[v] https://cnpd.public.lu/en/actualites/national/2021/11/lignes-drectrices-cookies.html

[vi] https://www.cnil.fr/fr

[vii] https://www.dataguidance.com/sites/default/files/france_data_protection_act.pdf

[viii] https://www.meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[ix] https://mib.gov.in/sites/default/files/IT%28Intermediary%20Guidelines%20and%20Digital%20Media%20Ethics%20Code%29%20Rules%2C%202021%20English.pdf

[x] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
