Crunching cookies: Achieving the sweet spot of privacy with consent policies

July 11, 2024

By Vikrant Rana and Anuradha Gandhi

What are Cookies?

In the 1990s, when websites had no way to remember who a user was or what they had done on earlier visits, Lou Montulli, an engineer at Netscape, invented the HTTP cookie, widely known as the internet cookie or simply the cookie.[1]

Cookies are small pieces of text that a website asks the browser to store on the user’s device, either through a Set-Cookie response header or through script, and that the browser sends back with later requests to that site. By themselves cookies are harmless and serve crucial functions, but they can also carry enough data to identify an individual without that individual’s consent ever having been obtained.

The purposes of cookies can broadly be grouped as:

  1. uniquely identifying users,
  2. managing their browsing sessions,
  3. facilitating personalized user experiences,
  4. targeted advertisement.[2]

What information do cookies collect?

Websites collect a variety of data from their users, for a myriad of purposes. This includes data provided through forms on websites, such as email addresses, credit card information and other details the user types in. Other information is gathered through tracking technology, which includes cookies. Such data includes:

  1. IP addresses, from which a user’s approximate location can be inferred.
  2. Information about how the user interacts with websites, for example what they click on and how long they spend on a page.
  3. Information about the browser and the device the user uses to access the site, and
  4. Browsing activity across different sites.[3]

Combined, this information gives those who collect it an insight into the user’s online behaviour.

Why is that a problem?

The function of tracking cookies is to follow an individual’s digital footprint so that the individual can be targeted with advertisements tailored to their taste and requirements.

There are certain critical privacy concerns when dealing with cookies:

  1. Identification and tracking: Cookies are used to track user activity on a website. They can store information such as user preferences, login status and other data. This activity is essentially profiling individuals.
  2. Privacy risks and profiling: Cookies pose privacy risks especially when they are used to track users across multiple websites, since this allows the creation of user profiles that may be exploited for targeted advertising. Such a profile identifies an individual and therefore falls under the purview of data protection legislation as personal data. An example would be searching for a particular product on Amazon and then seeing the same or related products in one’s Instagram feed.
  3. Cookie hijacking: Cookie hijacking refers to unauthorised access to a user’s cookies, which can lead to account compromise or unauthorised access to user data. If an attacker obtains the cookie that identifies a logged-in session (for example over an unencrypted connection, through malware on the device, or through a script injected into the page), the attacker can present that cookie to the website and be treated as the user, with whatever access the session grants. The attacker may then impersonate the user, read confidential company data, purchase items or move money from accounts. (Cookie tossing is a related but distinct attack, in which a cookie set from a subdomain overrides the parent site’s cookie.) Setting the Secure, HttpOnly and SameSite attributes on session cookies, and keeping session lifetimes short, limits the exposure.

Kinds of cookies

The two ways in which cookie information is collected are first-party and third-party web tracking.

  1. First-party tracking is a method in which the cookies are set by the website the user is viewing directly. Examples of what they hold: login state (a session identifier, never the password itself), language setting, session length and number of visits, previous searches and views.
  2. Third-party tracking is the practice in which a cookie on a website is set by a different domain than the one the visitor is currently on. Such cookies collect and send information about a user’s browsing history to other companies, for advertising purposes.[4]

Are cookies necessary for websites to function?

  1. Essential or strictly necessary cookies support the functioning of the website, such as holding login state or, on an e-commerce site, payment or shopping cart information. Most interactive websites need some strictly necessary cookies in order to operate properly.
  2. Non-essential cookies are not required for a website to function.[5] They may, however, improve the user’s experience of the website. Examples are advertising trackers and cookies left by third-party widgets or embedded content; these may only be placed on a user’s device with the user’s explicit consent.

Storage of cookies

  1. Session or temporary cookies are deleted once the browser is closed. If the website sets no expiry (no Expires or Max-Age attribute), the browser treats the cookie as a session cookie and discards it when the browsing session ends. Browsers that restore the previous session on start-up may keep session cookies across restarts, so “session” is not a guarantee of a short life.
  2. Persistent cookies are all cookies that remain on the device until the user erases them or the browser does so on reaching the cookie’s expiration date. Every persistent cookie carries an expiry in its Expires or Max-Age attribute, but the duration can vary.[6]
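The following is an added example, not code from the original article: a small Node.js script that parses Set-Cookie headers and classifies each cookie along the lines drawn above (session versus persistent, first-party versus third-party) and, for the hijacking scenario described earlier, flags cookies that lack the Secure, HttpOnly or SameSite attributes. The hosts, cookie names and header values are constructed for the example, and the first-party test is a simplification that does not consult the public suffix list browsers use.

```javascript
// Added example (not from the original article): parse Set-Cookie headers and
// classify each cookie as session/persistent and first-/third-party, then flag
// attributes whose absence makes the cookie easier to steal or replay.
// Hosts, cookie names and header values below are constructed for this example.

// Parse one Set-Cookie header value into name, value and a lower-cased
// attribute map (attribute names are case-insensitive in RFC 6265).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Classify a cookie. `pageHost` is the site the user is visiting and
// `setterHost` is the host whose response carried the header. The first-party
// test is a simplification: the visited host and its subdomains count as
// first-party, everything else as third-party (no public suffix list lookup).
function classifyCookie(header, pageHost, setterHost, now = Date.now()) {
  const { name, attrs } = parseSetCookie(header);

  // Session vs persistent: persistent only if Max-Age or Expires lies in the
  // future. Max-Age=0 or a past Expires is an instruction to delete the cookie.
  const maxAge = 'max-age' in attrs ? Number(attrs['max-age']) : null;
  const expires = 'expires' in attrs ? Date.parse(attrs['expires']) : null;
  const deletes =
    (maxAge !== null && maxAge <= 0) ||
    (expires !== null && !Number.isNaN(expires) && expires <= now);
  const persistent = !deletes && (maxAge !== null || expires !== null);

  const firstParty =
    setterHost === pageHost || setterHost.endsWith('.' + pageHost);

  // Hardening gaps relevant to cookie hijacking: Secure keeps the cookie off
  // plaintext HTTP, HttpOnly keeps it away from script, and SameSite limits
  // when the browser attaches it to cross-site requests.
  const gaps = [];
  if (!('secure' in attrs)) gaps.push('missing Secure');
  if (!('httponly' in attrs)) gaps.push('missing HttpOnly');
  const sameSite = String(attrs['samesite'] || 'none').toLowerCase();
  if (sameSite === 'none') gaps.push('SameSite=None or absent');

  return {
    name,
    kind: deletes ? 'deletion' : persistent ? 'persistent' : 'session',
    party: firstParty ? 'first' : 'third',
    gaps,
  };
}

// Constructed sample: a first-party login session, a third-party advertising
// identifier that lives for a year, and a first-party deletion instruction.
const SAMPLE_HEADERS = [
  { page: 'shop.example', setter: 'shop.example',
    header: 'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { page: 'shop.example', setter: 'ads.tracker.example',
    header: 'uid=xyz; Max-Age=31536000; Path=/; Secure; SameSite=None' },
  { page: 'shop.example', setter: 'shop.example',
    header: 'uid=xyz; Max-Age=0; Path=/' },
];

function auditSamples() {
  return SAMPLE_HEADERS.map((s) => classifyCookie(s.header, s.page, s.setter));
}

console.log(JSON.stringify(auditSamples(), null, 2));
```

Run it with node to print the classification of the three sample headers. A practical use is to feed it the Set-Cookie headers captured from a site’s responses (for example from browser developer tools) to see which cookies a consent banner must gate and which session cookies need hardening.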

Is seeking consent mandatory under the cookie law?

Under the GDPR

The GDPR, or General Data Protection Regulation, treats cookies as online identifiers of natural persons.[7] Companies may process the personal information as long as they obtain granular, unambiguous consent through a clear affirmative action, or if they can show that they have a legitimate interest.

A legitimate interest exists when the processing of personal information is required to carry out a specific business purpose of the company; for example, a delivery address is needed to ship goods to the customer. The company must, however, specify the purpose for which the data is collected.[8] Essential cookies can be set on the basis of legitimate interest, whereas non-essential cookies require explicit consent.

Consent is defined in Article 4(11) of the GDPR, and the conditions for valid consent are set out in Article 7. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action of the data subject. “Freely given” means that the action must be a real choice by the data subject.

The e-Privacy Directive or the “Cookie Directive”

In 2002, Directive 2002/58/EC of the European Parliament and of the Council, nicknamed the “cookie directive”, was adopted.[9] The Directive permits the use of cookies for legitimate purposes provided that individuals have been given clear and precise information about the purposes of the cookies and have had the opportunity to refuse them.[10] The e-Privacy Regulation proposed in 2017 aims to centralise cookie consent, replacing arbitrary cookie-consent mechanisms, and to make cookie control more user-centric.[11]

The Bundeskartellamt ruling: Processing of special categories of personal data

In Meta Platforms v Bundeskartellamt (Case C-252/21), the Court of Justice of the European Union (CJEU) held that where the data collected about a user’s visits to websites and apps reveals information relating to one or more special categories of data[12], and that data is collected and linked to the user, its use must be regarded as processing of special categories of personal data.[13]

Opportunity to exercise choice by the Data Subject?

Manner of collecting consent: Opt-in and Opt-out cookies

Opt-in means obtaining an individual’s explicit consent before engaging in an activity such as sending marketing emails, whereas opt-out is the process of allowing individuals to decline or withdraw from an activity such as receiving marketing communications.[14] Under the law as understood above, only opt-in cookies satisfy the requirement of an explicit action for valid consent. An example of opt-in would be the customer themselves ticking a box to receive promotional emails, while opt-out is a process in which the customer must tick a box to decline them. The difference is between a positive action and a negative one; a pre-ticked box or continued browsing is not consent.

Cookie walls and their legality

A cookie wall is a pop-up that restricts or blocks access to a website until the user accepts cookie usage. Cookie walls are not compliant with data privacy laws such as the GDPR and the ePrivacy Directive unless strict conditions are met; a website may only implement one if it satisfies the criteria set under the law. Cookie walls are also not permitted under the California Consumer Privacy Act (CCPA).[15]

In January 2023, France’s data protection watchdog, CNIL, fined TikTok €5 million ($5.4 million) for making it difficult to refuse cookies on its website. CNIL found that TikTok manipulated consent by discouraging users from rejecting cookies: refusing required several clicks, while accepting took only one. TikTok resolved the issue by adding a “Refuse all” button to its site.[16] In August 2022, Sephora, a prominent beauty retailer, became the first company publicly fined for violating the CCPA. The California Attorney General announced a settlement with Sephora over alleged CCPA violations, which included using tracking technologies such as cookies that sent consumers’ data to external ad-tech and analytics companies without properly informing consumers or offering them an opt-out.[17]

What happens when a Data Principal does not accept the cookies?

When cookies collect sensitive personal data or information in India, they may be subject to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules), which impose higher standards of compliance. The sole legal basis for the collection of SPDI is written consent, which may be obtained through any electronic means such as email or check boxes.[18] However, the SPDI Rules also allow a service to be denied if consent is withheld, under Rule 5(7).[19]

Right to be forgotten

Persistent cookies hold data until the data subject withdraws consent or the cookie reaches the expiry written into its Expires or Max-Age attribute. Under the Digital Personal Data Protection Act, 2023 (the DPDP Act) consent can be withdrawn at any time, with the same ease with which it was given,[20] and once it is withdrawn the Data Fiduciary and its Data Processors must cease processing the data for which the consent was withdrawn.

Therefore, if consent to non-essential cookies is withdrawn, the law requires that non-essential cookies no longer be used to track the user. The DPDP Act also provides a right to correction and erasure under section 12, whereby the Data Principal has the right to correction, completion, updating and erasure of their personal data.[21] Erasure means that no further processing of that data is permissible.

Further, in a 2020 petition before the Delhi High Court, the Data Principal’s right to be forgotten was held to be sacrosanct as part of the right to privacy.[22]

Article 17 of the GDPR sets out the specific circumstances in which the right to be forgotten applies; withdrawal of consent, and the lapse of the legitimate interest that justified the processing, are among them. The right was first recognised in the 2014 Google Spain case.[23]
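The following is an added example, not code from the original article: an opt-in consent gate of the kind the opt-in/opt-out discussion and the withdrawal rules above call for, written as a small Node.js script. Strictly necessary cookies are always allowed, every other category starts refused and is only enabled by an affirmative action, and withdrawal both blocks further writes and removes the cookies already set in that category. The cookie names, categories and in-memory jar are constructed for the example; in a browser the jar would be document.cookie and removal would be done by re-setting each cookie with Max-Age=0.

```javascript
// Added example (not from the original article): an opt-in gate for
// non-essential cookies plus a withdrawal handler that stops further writes
// and removes cookies already set. Cookie names, categories and the in-memory
// jar are constructed for this example.

// Which category each cookie belongs to. Anything not listed is refused, so a
// newly added tracker cannot slip past the gate by default.
const COOKIE_REGISTRY = {
  sessionid: 'necessary',
  cart: 'necessary',
  _analytics_id: 'analytics',
  _ad_uid: 'advertising',
};

// Opt-in: every non-essential category starts refused. Only an explicit
// affirmative action by the user flips a category to true; a pre-ticked box
// or silence does not count.
function defaultConsent() {
  return { analytics: false, advertising: false };
}

// May this cookie be written under the current consent state?
function mayWrite(name, consent) {
  const category = COOKIE_REGISTRY[name];
  if (category === undefined) return false;   // unregistered cookie: refuse
  if (category === 'necessary') return true;  // strictly necessary: no consent needed
  return consent[category] === true;          // everything else: explicit opt-in only
}

// Write a cookie into `jar` only if the gate allows it. Returns whether it was set.
function setCookie(jar, name, value, consent) {
  if (!mayWrite(name, consent)) return false;
  jar[name] = value;
  return true;
}

// Withdrawal must be as easy as giving consent and must stop processing: flip
// the category off and delete every cookie already set in that category.
function withdrawConsent(jar, consent, category) {
  consent[category] = false;
  for (const [name, cat] of Object.entries(COOKIE_REGISTRY)) {
    if (cat === category) delete jar[name];
  }
  return consent;
}

// Walk through the lifecycle: default refusal, explicit opt-in, withdrawal.
function demo() {
  const jar = {};
  const consent = defaultConsent();
  const steps = [];
  steps.push(setCookie(jar, 'sessionid', 's1', consent));  // true: necessary
  steps.push(setCookie(jar, '_ad_uid', 'u1', consent));    // false: no opt-in yet
  consent.advertising = true;                               // user clicks "Accept advertising"
  steps.push(setCookie(jar, '_ad_uid', 'u1', consent));    // true: opted in
  withdrawConsent(jar, consent, 'advertising');             // user clicks "Withdraw"
  return { steps, cookies: Object.keys(jar).sort(), consent };
}

console.log(JSON.stringify(demo()));
```

The point of the registry is that a cookie not listed is refused by default, so a tracker added later cannot be set before consent simply because nobody classified it. Third-party scripts that set their own cookies must be gated the same way, by not loading them until the corresponding category has been consented to.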

The Google decision: Phasing out of third-party cookies

On December 14, 2023, Anthony Chavez, Vice President of Privacy Sandbox at Google, announced that Chrome would test Tracking Protection, a new feature that limits cross-site tracking by restricting websites’ access to third-party cookies by default. Google began the test on January 4, 2024 with 1% of Chrome users.

This is part of Google’s larger Privacy Sandbox initiative, which aims to phase out third-party cookies for everyone[24] and to create technologies that protect individuals’ privacy online while giving companies and developers tools to build thriving digital businesses.[25] At the time of writing, Google envisaged proceeding with third-party cookie deprecation from early 2025.[26]

cookie image[27]

The end of third-party cookies is expected to upend digital advertising as the modern world knows it, and the impact in Indian markets is going to be tremendous. According to a report in the Economic Times, it will likely affect Rs 50,000 crore worth of digital ad inventory placement in India.[28]

Conclusion: How will markets cope with the phasing out of third-party cookies?

In the wake of Google’s decision to deprecate third-party cookies, regulators including EU authorities and the UK’s Competition and Markets Authority (CMA) are pursuing investigations into Google’s new feature, fearing potential anti-competitive effects. The primary concern is that Tracking Protection will become a roadblock for other players in the $250 billion advertising industry, as they become more reliant on Google for consumer insights and targeted marketing.[29]

The proposed alternatives to cookies generally fall into these categories:

  1. Reliance on zero-party data: Zero-party data is information that consumers actively and willingly share to help brands shape their products and services. It differs from first-party and third-party data collection, both of which gather information behind the scenes as consumers go about their online business.
  2. Contextual advertising: Contextual advertising is the practice of placing ads on web pages based on the content of those pages; for example, ads for running shoes on a news article about running.
  3. Identity resolution: Identity resolution is a data management process that links a customer’s online behaviour to a unique identity by gathering different data sets and identifying non-obvious relationships between them, or
  4. Replacements such as Google’s Topics API: Topics enables advertisers to serve ads based on a user’s interests without third-party cookies. The browser (Chrome) locally infers a small set of interest categories (topics) from the sites the user visits and exposes a few of them through a browser API to sites the user visits, instead of handing over the browsing history itself.

In a study by Adobe conducted in 2023, 82% of Indian brands still rely heavily on third-party cookies; 61% of the cookie using Indian leaders say they view cookies as a ‘necessary evil’, even though they realize continued overreliance is a losing strategy for the long-term.[30]

However, despite the initial hesitance, global marketers are taking action to adapt their strategies regarding data, measurement and activation[31].

Ahana Bag, former Junior Associate at S.S. Rana & Co., assisted in the research of this article.

[1]https://www.cookieyes.com/blog/internet-cookies/

[2]https://gdpr.eu/cookies/

[3]https://www.cookiepro.com/blog/website-tracking/

[4]https://piwik.pro/glossary/third-party-tracking/

[5]https://www.dataguard.co.uk/glossary/non-essential-cookies

[6]https://securiti.ai/blog/persistent-cookie/

[7]Recital 30 says, “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

[8]https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/what-does-grounds-legitimate-interest-mean_en

[9]https://www.edps.europa.eu/sites/default/files/publication/dir_2002_58_en.pdf

[10]https://www.edps.europa.eu/sites/default/files/publication/dir_2002_58_en.pdf

[11]https://digital-strategy.ec.europa.eu/en/policies/eprivacy-regulation

[12] Article 9(1) of the GDPR, Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

[13] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62021CJ0252

[14] https://securiti.ai/blog/opt-in-vs-opt-out/#:~:text=Opt%2Din%20is%20giving%20explicit,such%20as%20receiving%20marketing%20communications.

[15]https://termly.io/resources/articles/cookie-walls/#are-cookie-walls-legal-in-the-eu

[16]https://www.politico.eu/article/tiktok-fined-e5m-in-french-privacy-case/

[17]https://www.forbes.com/sites/tomchavez/2022/10/27/on-privacy-regulators-are-awakening-the-consumerand-its-an-innovation-imperative/

[18]https://www.indiacode.nic.in/handle/123456789/1362/simple-search?query=The%20Information%20Technology%20(Reasonable%20Security%20Practices%20and%20Procedures%20and%20Sensitive%20Personal%20Data%20or%20Information)%20Rules,%202011.&searchradio=rules

[19]https://law.asia/cookie-use-india/

[20]DPDPA, Section 6(4)

[21]https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

[22]Jorawar Singh Mundy vs. Union of India (W.P. (C) 3918/ 2020)

[23]https://archive.epic.org/privacy/right-to-be-forgotten/

[24]https://blog.google/products/chrome/privacy-sandbox-tracking-protection/

[25]https://developers.google.com/privacy-sandbox/overview

[26]https://developers.google.com/privacy-sandbox/3pcd

[27]https://developers.google.com/privacy-sandbox/3pcd/prepare/prepare-for-phaseout

[28]https://economictimes.indiatimes.com/tech/technology/when-the-third-party-cookie-crumbles-a-new-privacy-centric-internet-emerges/articleshow/107972727.cms?from=mdr

[29]https://www.gov.uk/cma-cases/investigation-into-suspected-anti-competitive-conduct-by-google-in-ad-tech

[30]https://www.adobe.com/content/dam/cc/in/about-adobe/newsroom/pdfs/2023/Cookieless%20Research%20India%20Media%20Alert.pdf

[31]https://www.forbes.com/sites/forrester/2024/01/16/google-commits-to-third-party-cookies-deprecation-in-2024/
