Balancing Cookies and User Privacy in the Digital Age

December 2, 2024

By Anuradha Gandhi and Rachita Thakur

Introduction

In January 2023, France’s National Commission on Informatics and Liberty (CNIL) fined TikTok €5 million ($5.4 million) for not adequately informing users about the purpose of cookies and for requiring multiple clicks to reject them while accepting required only one; this was resolved by a “Refuse all” button[1]. This case reflects how big companies often fail to provide adequate opt-out options or consent mechanisms in respect of cookies.

Cookies are small text files stored on a user’s device by a website, which collect information about the user. They help create a smooth and personalized shopping experience. The privacy concern is that they collect and process significant personal information of users, sometimes without their consent, particularly when third-party cookies come into play, as these track users across different websites. Therefore, striking a balance between functionality and privacy is now crucial in the digital age. To read more about this topic, please refer to our previous article at:

https://ssrana.in/articles/crunching-cookies-achieving-sweet-spot-privacy-consent-policies/

Types of Cookies

There are various types of cookies used by an e-commerce website to make browsing experience seamless and efficient. These include:

| Types of Cookies | Purpose | Kind of Data Stored | Disable Option |
|---|---|---|---|
| Essential Cookies (below are its types) | Necessary for core website functionality – the website may not function properly without them | | |
| Session Cookies | Track the user’s activity during one single session (log-in status and shopping cart data). Once the browser is closed, the session ends and the cookies are deleted. | Session ID – helps the server to recognize the user on each request; Log-in status – to maintain the state of being logged in across the pages; Shopping cart data | Can be disabled by changing browser settings and using the “Block All” option |
| First-Party Cookies | Set by the website that the user is visiting to enhance user experience. Collect information and analytics (usernames and passcodes) and store preferences (language, currency, location, display etc.) | User preferences; Log-in credentials; Analytical information like page views, time spent on pages, navigation patterns | Can be deleted manually by changing the browser settings |
| Persistent Cookies | Used for longer-term tracking, to remember user preferences, log-in information and browsing history, and to maintain user settings across multiple sessions. For instance: “Remember Me” on a login page | Log-in information; User preferences; Choices and actions in a browsing session, such as items added to a shopping cart | Can be deleted manually by changing the browser settings |
| User-centric Cookies | To detect authentication errors or abuses such as failed login attempts and session timeouts | Authentication information, session information; Session timeout information – if a session is inactive for a long time, the cookie expires and the user is logged out | Can be deleted manually by changing the browser settings |
| Non-Essential Cookies (below are its types) | Not strictly necessary for core website functionality – used to analyze user experience and behavior and to display advertisements | | |
| Third-Party Cookies | Set by third-party websites for the purpose of advertisements | Browsing history – pages viewed, time spent on each site, visit frequency; Ad-interaction data – how users interact with ads (clicks, impressions); Unique ID – helps advertisers recognize the user when he visits different sites | Can be manually deleted by using the “block third-party cookie” option in the privacy and security section |
| Secure Cookies | Used to secure sensitive information like payment details and passwords from being intercepted by external agencies; can be transmitted only over secure HTTPS connections | Payment details; Session identifiers – help the server to retain your login information | Can be deleted manually by changing the browser settings |

Privacy Concerns

While cookies have become a common feature of web browsing, most users remain largely unaware of the full extent of cookie tracking and how the data is used, shared, and retained over time. Very often prompts like “Accept All Cookies” are clicked by users without much thought, leading to widespread data collection. For instance, Amazon was fined by CNIL in 2020 for automatically placing numerous advertising cookies on users’ computers without their consent and not adequately informing users about their website[2].

As much as cookies provide essential functionalities that improve user experiences, their extensive tracking capabilities often raise serious privacy concerns. Some of them are as follows[3]:

  1. Identification and Tracking: Cookies are used to track user activities on a website. This activity is essentially profiling individuals.
  2. Privacy Risks and Profiling: Tracking users across platforms can lead to the creation of user profiles which may be exploited for targeted advertising. For instance, searching for a particular product on Amazon and then the same or related products appearing on the person’s Instagram feed.
  3. Cookie Tossing: Illicit use of cookies can lead to account breaches or unauthorized exposure of user data. This happens when, for instance, a hacker steals a session cookie and can gain unauthorized access to the user’s accounts and resources without detection.

Legal Requirements

In a landmark case[4], a promotional lottery required users to tick an unchecked box to receive third-party advertising, which was also necessary to enter the competition, and relied on a pre-ticked box to set cookies tracking user behavior. The CJEU ruled that pre-ticked boxes do not constitute valid consent under the ePrivacy Directive, as consent must be active and informed. It also held that tying consent for third-party advertising to lottery participation is unlawful, as consent must be specific for each purpose. Additionally, users must be informed about cookie duration and third-party access.

This case highlights the legal requirements that companies must comply with while using cookies in order to safeguard user privacy. These are:

  1. GDPR:

    Recital 30[5] of GDPR states that cookies, when used to identify individuals, are considered personal data and must comply with GDPR[6] requirements.

    Companies do have a right to process their users’ data as long as they receive free consent (as contemplated under article 7 of GDPR) or if they have a legitimate interest.

    The law requires that the organization must inform individuals about the processing when collecting their personal data. It must be checked that by pursuing legitimate interests the rights and freedoms of those individuals are not seriously impacted, in order to take the plea of legitimate interest[7].

  2. ePrivacy Directive[8]:

    The ePrivacy Directive, passed in 2002 and amended in 2009, also known as the “Cookie Law,” is a European Union directive that complements the GDPR and specifically addresses the use of cookies and similar technologies. Recital 25[9] of the ePrivacy Directive outlines the key principles regarding the use of cookies. It requires the following[10]:

    • Consent is mandatory for cookies except strictly necessary cookies.
    • Provide authentic information about cookie tracking and its purpose before obtaining user consent.
    • Document and store consent received from users.
    • Declining certain cookies will not make the website inaccessible.
    • Provide easy withdrawal of user consent to the use of cookies.
  3. California Consumer Privacy Act:

    Cookies are considered personal information under the California Consumer Privacy Act (CCPA)[11]. It requires obtaining opt-in consent for cookies that involve the sale and sharing of personal information belonging to minors under the age of 16, and parental consent is mandatory for children below 13[12].

    However, consent of the website users (other than children) is not required for the use of cookies unless they are used for behavioral advertising, which could constitute sale under the CCPA. For essential cookies delivered by a third party, websites are not required to seek user consent or provide notification.[13]

  4. Digital Personal Data Protection Act:

    The Act does not explicitly mention the word “cookies”. However, it specifies two grounds of data processing, i.e. legitimate uses and consent. Consent as specified under the Act has to be informed, specific, free, unconditional, and unambiguous.

    Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (hereinafter referred to as the “IT Rules”)[14]:

    Rules 5 and 6 of the IT Rules provide that a body corporate or any other person on its behalf shall obtain prior consent from the provider of sensitive information for collection, processing and disclosure of information.

The Role of Data Protection Officers (DPOs)

A Data Protection Officer can be defined as an independent data protection law expert who oversees an organization’s compliance with applicable data protection laws like GDPR and DPDP. When an organization collects and processes sensitive personal data such as health data or when it monitors the behavior of individuals via tools such as tracking cookies, it exposes its customers, website visitors, and/or its employees to high risks to their privacy due to the nature of the processing activities. A DPO here is designated to assist the organization to uphold the integrity of its employees or customers on one hand and comply with applicable laws on the other[15].

The Federal Trade Commission v. Toysmart[16] case outlines the role of a Data Protection Officer in maintaining privacy commitments, especially in times of crisis like bankruptcy. In this case, Toysmart (data fiduciary), after its dissolution, attempted to sell its customer database despite promises to never share customer information with third parties, which led to opposition from consumer groups[17]. A settlement was agreed between the parties wherein Toysmart was allowed to sell its database to a “qualified buyer”, an entity engaged in the family commerce market that agrees to take over the database’s information and subsequently destroy it, meaning that the buyer must operate in the same line of business as Toysmart[18]. This case highlights how a DPO must exercise due diligence when customer data is transferred.

With respect to cookie management, the DPO must ensure[19]:

  1. Websites must obtain informed consent from users upon each visit before using cookies or processing data, ensure transparency about data collection, processing and usage, and categorize cookies by purpose.
  2. Handle queries or complaints on request by the institution, the controller or other person(s) with respect to cookies.
  3. Conduct cookie audits, such as analyzing their lifespan, and update cookie policies as and when required.
  4. Monitor third-party cookie vendors with contractual obligations.
  5. Ensure that the organization has clear policies for categorizing and explaining cookies, in alignment with GDPR and DPDP as applicable. India is in a phase of “data colonialism” where a large amount of data is transferred from India to the West and other countries, impacting citizens’ privacy and national security. For instance, e-commerce companies with social media platforms based in various countries have the potential to facilitate data breaches or create deepfakes.[20] In this respect, Data Protection Officers can follow the European Union’s three distinct mechanisms, i.e. Adequacy Decisions[21], Standard Contractual Clauses (SCCs)[22], and Binding Corporate Rules (BCRs)[23], which oversee data flow across borders.
  6. Implement an explicit cookie consent banner to allow users to opt in or out of specific cookies, particularly Targeting or Marketing cookies, and also check whether these cookies are disabled by default or not.
  7. Ensure that the organization adheres to Data Protection Policies, which oversee technical measures such as encryption, backups, risk assessment, international data transfers etc., and PII protection policies, which oversee procedural measures such as data minimization, consent mechanisms, privacy notices etc.
  8. Ensure transparency by clearly communicating anonymized or pseudonymized data retention practices, including the purpose and duration, and verifying compliance with legal and regulatory obligations.
  9. Develop a limited functionality mode for users opting out of non-essential cookies, as contemplated by EU guidelines.
  10. Data Minimization: businesses should collect only data which is strictly necessary for operational purposes.
  11. Data Minimization in third-party cookies: Google[24] has recently notified that Chrome will let users make an informed choice about third-party cookies which would apply across their web browsing, with the option to adjust the choice at any time. This ensures that only limited third-party cookies are used and privacy is safeguarded.
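The cookie audit in item 3 can be run over the Set-Cookie headers a site actually sends. The following is an added example, not part of the original article: it classifies each cookie as session or persistent and first- or third-party, computes its lifespan, and lists findings. The site name, the captured headers and the 395-day limit are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: (host that set the cookie, Set-Cookie value) pairs from a
# first visit to the hypothetical site shop.example, before any consent choice.
SITE = "shop.example"
CAPTURED = [
    ("shop.example", "sid=9f2c; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example", "lang=en; Max-Age=31536000; Path=/"),
    ("shop.example", "remember=1; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Secure"),
    ("ads.tracker.example", "uid=ab12; Max-Age=63072000; Secure; SameSite=None"),
]
NOW = datetime(2024, 12, 2, tzinfo=timezone.utc)  # fixed so results repeat
MAX_DAYS = 395  # assumed internal policy limit, not a figure from the article

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, lower-cased attribute dict)."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0], attrs

def lifespan_days(attrs, now):
    """Days until expiry; None means a session cookie. Max-Age beats Expires."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    return None

def audit(captured, site=SITE, now=NOW, max_days=MAX_DAYS):
    """Classify each cookie by the article's categories and list findings."""
    rows = []
    for host, value in captured:
        name, attrs = parse_set_cookie(value)
        days = lifespan_days(attrs, now)
        third = not (host == site or host.endswith("." + site))
        checks = [
            ("third-party cookie set before consent", third),
            ("lifespan exceeds policy limit", days is not None and days > max_days),
            ("missing Secure attribute", "secure" not in attrs),
        ]
        rows.append({
            "name": name,
            "party": "third" if third else "first",
            "kind": "session" if days is None else "persistent",
            "days": None if days is None else round(days),
            "findings": [label for label, hit in checks if hit],
        })
    return rows

if __name__ == "__main__":
    print(*audit(CAPTURED), sep="\n")
```

Whether a first-party cookie is essential cannot be read from its headers; that mapping has to come from the organization's own cookie inventory.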

Conclusion

Cookies are essential to modern e-commerce, enabling personalized shopping experiences and effective business strategies. However, their use must be balanced with responsible practices to protect user privacy. Data Protection Officers play a critical role by implementing transparent consent mechanisms, cookie categorization (essential v. non-essential) and ensuring compliance with privacy laws. For any organization, customer data is one of its most valuable assets, and big companies often leverage cookies to collect extensive user data to improve their services and gain a competitive edge. This can lead to a dominant market position and increased market share, disadvantaging smaller competitors who lack similar access to such data. Therefore, a Data Protection Officer is expected to ensure that the data collected is not misused in a way that violates market competition laws.

Rishabh Gupta, Assessment Intern at S.S. Rana & Co. has assisted in the research of this article.

[1] https://www.cookieyes.com/blog/cookie-consent-fines/

[2] https://www.cookieyes.com/blog/cookie-consent-fines/

[3] https://www.mondaq.com/india/privacy-protection/1495410/crunching-cookies-achieving-the-sweet-spot-of-privacy-with-consent-policies

[4] Planet49 GmbH

[5] Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

[6] https://gdpr.eu/cookies/

[7] https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/what-does-grounds-legitimate-interest-mean_en

[8] Directive 2009/136/EC

[9] https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058

[10] https://gdpr.eu/cookies/

[11] https://cookieinformation.com/regulations/ccpa/#:~:text=The%20CCPA%20and%20the%20Use,cookies%20and%20obtain%20their%20consent.

[12] Section 1798.120 CCPA

[13] https://www.barandbench.com/law-firms/view-point/cookies-and-consent-outline-on-position-in-eu-uk-us-canada-

[14] https://www.meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[15] https://www.privasee.io/post/data-protection-officer

[16] Civil Action No. 00-CV-11341-RGS (D. Mass. Aug. 21, 2000)

[17] https://www.opentextbooks.org.hk/ditatopic/3159

[18] Daniel Bronski, “FTC v. Toysmart” 2001 Duke L. & Tech. Rev. 0010 (2001)

[19] https://www.edps.europa.eu/data-protection/data-protection/reference-library/data-protection-officer-dpo_en

[20] https://nliulawreview.nliu.ac.in/blog/guarding-the-data-frontier-navigating-cross-border-data-transfer-under-digital-personal-data-protection-act/#:~:text=This%20might%20result%20in%20data,will%20work%20out%20this%20issue.

[21] Article 45 of GDPR: A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization.

[22] Article 46 of GDPR: In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

[23] Article 47 of GDPR: The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63.

[24] https://techinformed.com/google-ditches-plan-to-phase-out-third-party-cookies/
