By Vikrant Rana, Anuradha Gandhi and Rachita Thakur
Introduction
Recently, the Advertising Standards Council of India (ASCI), an independent, voluntary self-regulatory organization, released a whitepaper titled “Navigating Cookie: Recalibrating your cookie strategy in the light of the DPDPA”. The paper highlighted that only 6% of India’s most visited websites comply with specific cookie consent mandates under the Digital Personal Data Protection Act, 2023 (hereinafter referred to as DPDPA), and that a limited number of websites, primarily from the news media and banking sectors, featured cookie consent banners. Further, these banners lacked clear opt-out options and the functionality for users to provide granular consent.
As per the Web Technology Survey, 41.9% of all websites use cookies[1], but a vast majority of businesses and website owners remain unprepared for the changes mandated by the DPDPA. To navigate the evolving cookie landscape, businesses and website owners need to recalibrate their cookie strategies to prioritize user trust and transparency. The paper highlights aspects such as granular consent mandates, lessons from global standards, industry impact and opportunities for advertisers.
What are cookies?
Cookies are small text files that websites place on a user’s device while they browse. These may collect and store information that can identify the user, including personal details, preferences, and browsing history. This stored information is used to help improve the browsing experience and generate targeted advertisements. It can consequently be used for personalization, to tailor advertisements, and for analytics such as how much time a user spent on a website, how many times the website was visited, and what, if anything, was purchased.
Types of cookies
Cookies can be categorized into six kinds based on their purpose.
- Essential/strictly necessary cookies: these cookies are fundamental for websites to function properly, as they enable basic features like navigation and access to secure areas.
- Performance/Analytics cookies- these cookies collect
- Functionality cookies
- Targeting/ advertising cookies
- Social media cookies
- Security cookies
The Principle of Granularity in Cookie Consent
The principle of granularity is concerned with the formation of a meaningful information granule based on available experimental evidence.[2] The GDPR provides for granular cookie consent: it mandates the user’s freedom to consent separately to distinct processing purposes. Separate consent must be obtained for each cookie purpose individually, and users shall be given the ability to withdraw consent. Detailed cookie banners with clear breakdowns of cookie types, purposes and data collected shall be displayed on websites, along with a granular opt-in option.
Though India does not have a specific cookie law, the Digital Personal Data Protection Act, 2023 (DPDPA) enshrines the requirement of granular consent, i.e. consent must be free, specific, informed, unconditional and unambiguous.
Industry-wise use of cookies
E-Commerce: cookies are used to enhance user experience and provide personalized recommendations. A cookie consent mechanism will allow transparent, purpose-specific consent for each cookie being used.
Social Media: social media platforms and video-based applications use cookies to enhance user experience by tailoring content feeds, providing personalized recommendations and suggesting connections.
Tech and Software-as-a-Service (SaaS) companies: these companies use cookies for user authentication in the software products they license out to companies, and to optimize performance and user interaction on their websites.
Digital Advertising and Marketing: these industries rely on cookies to deliver targeted advertisements tailored to users’ browsing and purchasing histories.
Healthcare: cookies are used to access critical health-related information and medical histories, enabling seamless functionality for patients such as retrieving prescriptions, viewing diagnostic reports, managing appointments and accessing health records.
Finance: cookies are used to ease access to sensitive user data, such as account details, transaction histories and payment information.
Core principles for compliance
- Clear cookie consent banner
The cookie banner shall provide comprehensible information about cookies to website visitors so that they can take an informed decision. The important aspects of a cookie banner are[3]:
- Visitors shall be informed about the purpose of each cookie being used by the website. The purpose shall be stated without vagueness.
- Website visitors shall be given the choice to provide explicit consent, and there shall be no pre-ticked options.
- The choice to accept or reject cookies shall be in plain text, i.e. the language of the button to accept or refuse shall be easy to understand.
- Refusing cookies shall be as easy as accepting them, i.e. the acceptance and refusal options shall be placed in the same layer and the option for refusal shall be clearly visible.
- Further, refusing cookies should not require more clicks than accepting them. For example, do not make a website visitor additionally confirm that they want to refuse cookies.
- Consent shall not be confused with legitimate interest. Legitimate interest as a legal basis for processing personal data is only possible for functional and limited analytical cookies. Therefore, in those particular situations, the legal basis of consent does not apply.
- Categorize cookies: cookies shall be categorized clearly based on use, function, target, performance, etc.
- Regular audits: regular audits are a good practice for maintaining privacy and ensuring compliance with laws; they help avoid unwanted tracking and remove outdated cookies.
- Track and store content: there shall be audit demonstration, i.e. the organization shall provide clear documentation and reports showing how cookies are being used, including details like their purpose, duration and consent records. This is necessary for demonstrating compliance with privacy laws.
- Consent withdrawal options: website visitors shall be given the option to withdraw or modify consent as per their preference.
- Detailed privacy policy: the organization shall have a detailed privacy policy setting out the kind of data collected, the purpose and user rights.
- Further, an effective cookie policy shall also be in place in order to manage consent, explain user rights and be transparent and fair.
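The banner principles above only hold if the site's code refuses to set a cookie whose purpose has not been consented to. The following JavaScript is an added example, not taken from the ASCI whitepaper or from the authors: the `ConsentManager` class, its method names and the in-memory cookie jar are hypothetical, and treating only the "essential" category as exempt from consent is an assumption.

```javascript
// Purposes from the article's list; treating only "essential" as exempt is an assumption.
const CATEGORIES = ["essential", "analytics", "functionality", "advertising", "social", "security"];
const ALWAYS_ON = ["essential"];

class ConsentManager {
  constructor() {
    this.jar = new Map();               // name -> {value, category}; stand-in for document.cookie
    this.log = [];                      // append-only consent records kept for audits
    this.granted = new Set(ALWAYS_ON);  // nothing optional is pre-ticked
  }

  // One decision per purpose. Returns whether the purpose is allowed afterwards.
  decide(category, allow, now = new Date()) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (ALWAYS_ON.includes(category)) return true;
    if (allow) {
      this.granted.add(category);
    } else {
      this.granted.delete(category);
      // Withdrawal also removes cookies already set for that purpose.
      for (const [name, c] of this.jar) if (c.category === category) this.jar.delete(name);
    }
    this.log.push({ category, allow, at: now.toISOString() });
    return allow;
  }

  // Accepting and refusing everything are each a single call (same number of clicks).
  acceptAll() { this.optional().forEach((c) => this.decide(c, true)); }
  rejectAll() { this.optional().forEach((c) => this.decide(c, false)); }
  optional() { return CATEGORIES.filter((c) => !ALWAYS_ON.includes(c)); }

  // Every cookie write names its purpose; writes without consent are dropped.
  setCookie(name, value, category) {
    if (!this.granted.has(category)) return false;
    this.jar.set(name, { value, category });
    return true;
  }
}
```

In a browser the `jar` map would be replaced by writes to `document.cookie`, and `log` would be persisted server-side so the consent records survive for audits.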
Conclusion
Recalibrating cookie strategies is becoming increasingly important to stay compliant with evolving data protection regulations. With increasing scrutiny around user privacy, businesses must adopt transparent practices, obtain informed consent and provide users with clear control over their data. By refining cookie management strategies, companies can not only meet legal requirements but also build trust with users, fostering a more privacy-conscious digital environment. Ultimately, a well-structured and ethical approach to cookie usage is essential to enhance user experience and safeguard brand reputation.
To know more about cookies, refer to our article: https://ssrana.in/articles/balancing-cookies-and-user-privacy-in-the-digital-age/
Abhishekta Sharma, Junior Associate Advocate at S.S. Rana & Co. has assisted in the research of this article.
[1] https://w3techs.com/technologies/details/ce-cookies
[2] https://scispace.com/pdf/the-principle-of-justifiable-granularity-and-an-optimization-y84vawonap.pdf