By Vikrant Rana, Anuradha Gandhi, Rachita Thakur
Introduction
Whenever a person logs into a website, anonymous cookies or similar technologies start tracking their activity, following them across websites until the browser is closed and, in some cases, even beyond.
Google has agreed to pay $1.375 billion to settle claims brought by the Attorney General of the State of Texas for unlawfully tracking and collecting users’ private data for commercial purposes without their consent, and for continuing to track them even after the relevant feature had been disabled by the user. This included location data that was collected even while location services were turned off and that was kept indefinitely unless manually deleted. Similar practices concerned personal information collected in incognito mode, as well as voiceprints and records of face geometry collected through products and services such as Google Photos, Google Assistant and Nest Hub Max.[1]
What is Behavioral Tracking?
A processing activity is considered to be monitoring the behavior of the user if individuals are tracked online and their personal data is subsequently used for profiling, especially when that profiling is aimed at making decisions about them or at analyzing or predicting their preferences, behaviors or attitudes.[2]
Purpose and methodology
The primary purpose of behavioral targeting is to track consumers over time and deliver more relevant and personalized advertising based on their past online behavior, such as websites visited, products viewed or purchased, search queries, buying habits, etc. The main advantage of such advertising is its potential to boost the return on investment of digital advertising campaigns by approximately 20%.[3] A 2025 report by Gitnux shows that approximately 82% of digital ads utilize some form of behavioral targeting, with 80% of marketers employing behavioral data to segment audiences.[4]
Traditionally, cookies have been used to track an individual’s online behavior via desktop browsers. However, with the advent of a variety of devices, businesses have expanded their tracking methods to include logins, IP addresses, geolocation information, browser or device fingerprinting, tracking pixels and the analysis of general usage patterns. These facilitate third-party profiling, particularly when the collected personal data is used to analyze or predict an individual’s preferences or behaviors, or to make decisions about them.
Below is an indication of the prevalent methods used; each of them also violates the right to consent if the user is not informed before processing, and the right to opt out if no adequate mechanism is provided:
- Cookies: Cookies are small files placed on an electronic device by a website, containing details of the user’s browsing history on that website or platform. They can track user behavior across sessions and sites, collecting data such as browsing history, preferences and log-in information. For instance, first-party cookies are used to analyze user preferences and experience and to track engagement within a website, whereas third-party cookies track user behavior across websites for targeted advertising.
- Flash Cookies: Flash cookies, also known as Local Shared Objects (LSOs), are used to store data about user preferences using Adobe Flash Player. As these cookies are persistent, they survive attempts to clear cookies and are accessible by multiple browsers on the same computer. They can restore deleted web tracking cookies, thereby bypassing the user’s cookie preferences.
- Pixel Tags: Pixel tags, also known as tracking pixels or web beacons, are transparent images embedded in web pages or emails. When a user accesses content containing a pixel tag, it sends information back to the server about user interactions, such as page views, clicks and email opens. This data assists in measuring campaign effectiveness and refining marketing strategies.[5]
- Web Beacons: These are links to external images on web pages and in emails, used by third parties to monitor a user’s activities across visited websites. When such a page or email is opened by the user, the image associated with the beacon is requested from the host company’s server, where the image is stored. This request provides that server with identifying information about the device being used (e.g., its IP address) and its activity on the visited site.
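The pixel-tag and web-beacon mechanism described above can be checked for in practice: a privacy review of an outgoing e-mail template or a landing page can list every image request that is invisible by design, or that goes to a third-party host and carries an identifier for the recipient. The following is an added example written for this article, not code from the article or from any vendor it mentions. The first-party host name, the list of identifier-like query parameters and the sample markup are all constructed assumptions.

```javascript
// Added example (not from the article): scan an HTML page or e-mail body for
// pixel tags / web beacons so a privacy review can see what a message reports
// back and to whom. The first-party host and the sample markup are constructed.

// Query parameters that typically carry an identifier for the recipient or device (assumed list).
const IDENTIFIER_PARAMS = ["uid", "id", "cid", "email", "token", "user"];

// Parse the attributes of one <img ...> tag into a plain object (lower-cased keys).
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
  }
  return attrs;
}

// A host is third-party unless it is the first-party host or one of its subdomains.
function isThirdParty(host, firstPartyHost) {
  return host !== firstPartyHost && !host.endsWith("." + firstPartyHost);
}

// Return every <img> that looks like a beacon: invisible by design (1x1 or hidden),
// or third-party and carrying an identifier in its query string.
function auditBeacons(html, firstPartyHost) {
  const findings = [];
  const tagRe = /<img\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttrs(m[0]);
    if (!a.src) continue;
    let url;
    try {
      url = new URL(a.src, "https://" + firstPartyHost + "/");
    } catch (e) {
      continue; // unparsable src: not a network request we can attribute
    }
    const reasons = [];
    if (a.width === "1" && a.height === "1") reasons.push("1x1");
    if (a.style && /display\s*:\s*none|visibility\s*:\s*hidden/i.test(a.style)) reasons.push("hidden");
    const thirdParty = isThirdParty(url.hostname, firstPartyHost);
    if (thirdParty) reasons.push("third-party");
    const identifiers = {};
    for (const [key, value] of url.searchParams) {
      if (IDENTIFIER_PARAMS.includes(key.toLowerCase())) identifiers[key] = value;
    }
    const hasIds = Object.keys(identifiers).length > 0;
    if (hasIds) reasons.push("identifier-in-query");
    if (reasons.includes("1x1") || reasons.includes("hidden") || (thirdParty && hasIds)) {
      findings.push({ src: a.src, host: url.hostname, reasons, identifiers });
    }
  }
  return findings;
}

// Constructed sample: a marketing e-mail with one logo, one hero image and two beacons.
const SAMPLE_HTML = `
<html><body>
<p>Thanks for your order!</p>
<img src="https://shop.example/static/logo.png" width="120" height="40" alt="logo">
<img src="https://track.adnet.example/open?uid=4821&cid=spring" width="1" height="1" style="display:none">
<img src='https://cdn.shop.example/hero.jpg' width='600'>
<img src="https://metrics.vendor.example/b.gif?email=alice%40example.org" width="1" height="1">
</body></html>`;

function demo() {
  return auditBeacons(SAMPLE_HTML, "shop.example");
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with Node; the two flagged entries show the host that receives the request and the identifier it carries (the `email` value is decoded from the query string), which is exactly the information a consent notice would have to disclose. Images on the first-party host or its subdomains are not flagged unless they are hidden, because only the third-party request leaks activity to another controller.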
Why is it Problematic?
- No Consent Taken from the User: Profiling for targeted advertising involves the processing of vast amounts of personal information, and failure to obtain free, specific, informed, unconditional and unambiguous consent from users can lead to penal consequences. For instance, the Irish Data Protection Commission (DPC) fined LinkedIn Ireland €310 million for processing personal data (consisting of first-party data collected directly from users and third-party data obtained through third-party members related to the users) for behavioral analysis and targeted advertising, as the consent obtained was not “freely given, sufficiently informed or specific, or unambiguous”.[6]
- Reasonable Privacy Expectation: Most consumers are unaware that they are being tracked online. When a user surfs the internet there is a reasonable expectation of privacy: the user does not apprehend that they are under constant surveillance and that their online behavior is being tracked for commercial purposes. The CJEU has also asserted that, “even if the services are being provided free of charge, the users cannot reasonably expect that their personal data would be processed, without consent, for the purposes of personalized advertising”.[7]
- Legitimate Interest of Organizations: Many companies justify their use of targeted advertising by claiming it is based on their legitimate interests. The CJEU was of the opinion that where processing is based on grounds other than consent, such as performance of a contract or legitimate interest, those grounds are to be applied restrictively. If the processing is based on “performance of a contract”, the controller must demonstrate that the contract could not be performed if the processing did not occur. The court in this case held that personalized services are not necessary to offer users the services of a social media platform, and thus the user must be provided with an alternative that does not involve such personalization while still allowing use of the platform.[8]
- Intention of User to Make Data Public: Both the Digital Personal Data Protection Act, 2023 (hereinafter referred to as the “DPDP Act”) and the General Data Protection Regulation (hereinafter referred to as the “GDPR”) exclude the processing of personal data that has been made public.[9] However, the CJEU is of the opinion that merely visiting a website/app does not make the personal data of a user public, and such data therefore cannot be used for targeted advertising without consent. Additionally, as far as the user’s interaction with a website/app (clicking or tapping buttons, login credentials, email address, etc.) is concerned, such interaction would be deemed public only if the user has explicitly consented, based on individual settings, to make such data public or available to a selected number of people.[10]
- Segregation of Data into Sensitive Data: Companies collect both personal and sensitive personal data for the purpose of targeted advertising, such as location, history, sexual orientation, health, behavior, interests, etc. The CJEU has held that even if the data collected through cookies contains one element of sensitive data, it would amount to processing of special categories of personal data, which is prohibited under Article 9(1) of the GDPR.[11]
- Anonymized Data: Companies often collect anonymized data for targeted advertising, which does not identify a particular person. However, if anonymized data is combined with publicly available resources, it can lead to the identification of a person. This has been termed “linkability”. For instance, in 2006 Netflix published a data set containing the movie ratings of 500,000 subscribers which was considered anonymized. Researchers found that, using the Internet Movie Database (IMDB), they were able to identify the users and thereby gain access to sensitive information. Linkability can be mitigated through techniques like masking and tokenization of key variables such as age, occupation, etc.[12]
How can Data Principal exercise his rights?
The Data Principal has been granted the following rights with respect to personal data processing (in this case, behavioral tracking), which he can exercise by making a request to the Data Fiduciary:
- Right to Withdraw Consent: A Data Principal can withdraw his consent to the processing of personal data at any time, and such withdrawal shall be as easy as the giving of consent, without affecting the legality of personal data processed before such withdrawal.[13]
- Right to Access Information: The Data Principal has the right to access personal data along with associated processing activities and identities of other Data Fiduciaries or Data Processors processing such personal data from the Data Fiduciary.[14]
- Right to Correction/Erasure of Personal Data: A Data Principal has a right to request correction, completion or erasure of personal data.[15]
- Right to Grievance Redressal: The Data Principal has the right to adequate and readily available means of grievance redressal in case of any grievances or complaints.[16]
Applicable Indian Laws:
Digital Personal Data Protection Act, 2023
- Consent
The DPDP Act requires ‘consent’ as a legitimate ground for processing personal data (in this case, processing would mean behavioral tracking)[17]. Such consent must be free, specific, informed, unconditional and unambiguous, and must be given through a clear affirmative action signifying agreement to the processing of personal data. Such consent can be revoked at any time, and the process of withdrawal shall be as easy as the process of giving consent. In line with the DPDP Act, certain sectoral laws also govern the mechanism of explicit consent. For instance, the Consumer Protection (E-Commerce) Rules, 2020 mandate that an e-commerce entity may only record the consent of a consumer for the purchase of goods or services if it is expressed through an explicit and affirmative action, and such action does not include pre-ticked boxes.[18]
- Responsibility of Data Fiduciary
With respect to behavioral tracking, the DPDP Act places the following responsibilities on the Data Fiduciary:
- Ensuring completeness, accuracy and consistency of personal data when the processing affects the Data Principal (for instance, targeted advertising) or the personal data is disclosed to another Data Fiduciary (for instance, personal data collected by advertisers through third-party cookies)[19]
- Revealing the names of other Data Fiduciaries and Data Processors who handle the same personal data[20]
- Correcting, updating or deleting personal data (unless retention is required under law) when requested by the Data Principal
However, startups have been exempted from this responsibility under section 17(3) of the DPDP Act.
- Tracking amongst Children
Under the DPDP Act a child is defined as an individual below 18 years of age, and the Act restricts tracking or behavioral monitoring of the personal data of children, or targeted advertising directed at such children, unless the processing is proved to be verifiably safe.[21]
Dark Patterns
Dark patterns are presented as offering consumers privacy choices but are deliberately designed to nudge users into sharing more personal data[22]. These are often found in cookie banners, tricking consumers into accepting all cookies, which may lead to tracking or profiling of users. Examples include no reject option in the first layer, pre-ticked checkboxes, or deceptive button colors and contrast[23]. Indian laws which regulate dark patterns:
- Guidelines for Prevention and Regulation of Dark Patterns, 2023
Dark patterns which trick consumers into sharing more personal information may attract penalties under sections 21 and 89 of the Consumer Protection Act, 2019, as they are deemed unfair trade practices.
- Advertising Standards Council of India (ASCI) – White Paper on NAVIGATING COOKIES: Recalibrating your cookie strategy in light of the DPDPA
Advertisers are required to design granular cookie banners that clearly explain the purpose of data collection, offer options to reject non-essential cookies, and allow users to easily withdraw consent with each visit or interaction. Furthermore, organizations are required to have an effective cookie policy providing categorical details of the different types of cookies used, technical specifications (including legal purpose, storage and expiration periods), consent management (including opt-in/opt-out mechanisms and consent recording) and transparency about specific data processing purposes or third-party data transfers.[24]
- Reserve Bank of India (Digital Lending) Directions, 2025
These directions provide that the content displayed by Lending Service Providers shall not include the use of dark patterns or deceptive patterns designed to mislead borrowers into choosing a particular loan offer.[25]
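The cookie-banner requirements discussed above (a reject option on the first layer, no pre-ticked boxes, purpose text per category, consent recording, and withdrawal as easy as consent) can be expressed as code that a site can test before shipping a banner. The following is an added example written for this article, not code from the article, from ASCI or from any consent-management product. The category names, the banner definition fields, the tracker names and the `clicksToAccept`/`clicksToReject` measure are assumptions; the model runs without a browser DOM so it can be checked in isolation.

```javascript
// Added example (not from the article or the ASCI white paper): a minimal
// consent-management model showing the properties the cookie-banner guidance
// calls for: a reject option on the first layer, no pre-ticked non-essential
// boxes, purpose text per category, a recorded decision, and withdrawal that is
// as easy as giving consent. Category names, banner fields and tracker names
// are assumed for illustration; tracker loaders are assumed to be idempotent.

const CATEGORIES = ["necessary", "analytics", "advertising"];

// Static review of a banner definition: returns a list of dark-pattern findings.
function validateBanner(banner) {
  const issues = [];
  if (!banner.firstLayer.actions.includes("reject_all")) {
    issues.push("no reject option on first layer");
  }
  for (const cat of CATEGORIES) {
    if (cat !== "necessary" && banner.preChecked[cat]) issues.push("pre-ticked box for " + cat);
    if (!banner.purposes[cat]) issues.push("no purpose text for " + cat);
  }
  if (banner.clicksToReject > banner.clicksToAccept) {
    issues.push("rejecting takes more clicks than accepting");
  }
  return issues;
}

class ConsentManager {
  constructor(clock) {
    this.clock = clock || (() => new Date().toISOString());
    this.record = null;   // current decision
    this.log = [];        // every decision, kept as the consent record
    this.trackers = [];
  }
  // Register a tracker behind a category; its loader runs only after consent.
  register(name, category, loader) {
    this.trackers.push({ name, category, loader });
  }
  // "necessary" is always on; every other category is opt-in.
  decide(granted, source) {
    const choices = {};
    for (const cat of CATEGORIES) choices[cat] = cat === "necessary" || granted.includes(cat);
    this.record = { choices, source, timestamp: this.clock(), version: "banner-v1" };
    this.log.push(this.record);
    return this.apply();
  }
  acceptAll() { return this.decide(CATEGORIES, "accept_all"); }
  rejectAll() { return this.decide([], "reject_all"); }
  // Withdrawal is one call that goes through the same path as granting.
  withdraw(category) {
    const keep = CATEGORIES.filter((c) => c !== category && this.allowed(c));
    return this.decide(keep, "withdraw:" + category);
  }
  allowed(category) {
    return this.record ? this.record.choices[category] === true : category === "necessary";
  }
  // Run loaders only for consented categories; report what was blocked.
  apply() {
    const loaded = [], blocked = [];
    for (const t of this.trackers) {
      if (this.allowed(t.category)) { t.loader(); loaded.push(t.name); } else blocked.push(t.name);
    }
    return { loaded, blocked };
  }
}

// Constructed banner definitions: one with common dark patterns, one without.
const DARK_BANNER = {
  firstLayer: { actions: ["accept_all", "settings"] },   // reject only reachable in a second layer
  preChecked: { necessary: true, analytics: true, advertising: true },
  clicksToAccept: 1, clicksToReject: 3,
  purposes: { necessary: "Keeps you logged in", analytics: "", advertising: "Ad measurement" },
};
const COMPLIANT_BANNER = {
  firstLayer: { actions: ["accept_all", "reject_all", "settings"] },
  preChecked: { necessary: true, analytics: false, advertising: false },
  clicksToAccept: 1, clicksToReject: 1,
  purposes: { necessary: "Keeps you logged in", analytics: "Aggregate usage statistics", advertising: "Ad measurement" },
};

function demo() {
  const cm = new ConsentManager(() => "2025-01-01T00:00:00Z");
  const calls = [];
  cm.register("session-cookie", "necessary", () => calls.push("session"));
  cm.register("analytics-pixel", "analytics", () => calls.push("analytics"));
  cm.register("ad-network-cookie", "advertising", () => calls.push("ads"));
  const beforeDecision = cm.apply();                       // only necessary runs before any choice
  const afterGrant = cm.decide(["analytics"], "settings"); // user ticked analytics only
  const afterWithdraw = cm.withdraw("analytics");          // one action undoes it
  return { beforeDecision, afterGrant, afterWithdraw, calls, log: cm.log };
}

console.log(validateBanner(DARK_BANNER));
console.log(JSON.stringify(demo(), null, 2));
```

Two design points carry the legal requirements: nothing outside the `necessary` category runs until a decision has been recorded, and `withdraw` reuses `decide`, so withdrawal produces the same kind of timestamped log entry as the grant and cannot be harder than it. The banner validator is what a release check would run against the banner configuration; on the constructed `DARK_BANNER` it reports five findings, and none on `COMPLIANT_BANNER`.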
Conclusion
The DPDP Act, while imposing restrictions on behavioral tracking and targeted advertising, does not impose an outright ban. Instead, it permits such processing to a limited extent, subject to the accountability and responsibilities of the Data Fiduciary, especially when such processing affects the Data Principal or when their personal data is disclosed to another Data Fiduciary, as in the case of third-party cookies.
Moreover, the Act provides certain exceptions under Section 17 where behavioral tracking is allowed, such as when processing is necessary for the enforcement of a legal right or claim, for the purposes of a merger or acquisition approved by a court, for processing carried out by a court or tribunal, or where necessary under cross-border contracts. These leeways underline that while individual privacy is central, the Act also recognizes legitimate and lawful interests that necessitate personal data processing.
Rishabh Gupta, Junior Associate Advocate at S.S.Rana & Co. has assisted in the research of this article.
[2] Recital 24 GDPR
[3] Behavioral Targeting Statistics, 2025, Gitnux, available at: https://gitnux.org/behavioral-targeting-statistics/
[4] Ibid
[5] https://cookie-script.com/blog/tracking-pixel
[7] Meta Platforms Inc. and others v. Bundeskartellamt, C-252/21
[8] Para 93, 98 and 102 of Meta Platforms Inc. and others v. Bundeskartellamt, C-252/21
[9] Section 3(c)(ii) of Digital Personal Data Protection Act, 2023 and Article 9(2)(e) of GDPR
[10] Para 85 of Meta Platforms Inc. and others v. Bundeskartellamt, C-252/21
[11] Para 89 of Meta Platforms Inc. and others v. Bundeskartellamt, C-252/21
[13] Section 6(4), (5) of Digital Personal Data Protection Act, 2023
[14] Section 11 of Digital Personal Data Protection Act, 2023
[15] Section 12 of Digital Personal Data Protection Act, 2023
[16] Section 13 of Digital Personal Data Protection Act, 2023
[17] Section 4(1)(a) of Digital Personal Data protection Act, 2023
[18] https://consumeraffairs.nic.in/sites/default/files/E%20commerce%20rules.pdf
[19] Section 8(3) of Digital Personal Data Protection Act, 2023
[20] Section 11(1)(b) of Digital Personal Data Protection Act, 2023
[21] Section 9(3) of Digital Personal Data Protection Act, 2023
[22] FTC Report Shows Rise in Sophisticated Dark Patterns Designed to Trick and Trap Consumers, September 15, 2022, available at: https://www.ftc.gov/news-events/news/press-releases/2022/09/ftc-report-shows-rise-sophisticated-dark-patterns-designed-trick-trap-consumers
[23] https://noyb.eu/sites/default/files/2024-07/noyb_Cookie_Report_2024.pdf
[24] https://www.ascionline.in/wp-content/uploads/2025/01/Navigating-Cookies-Whitepaper.pdf
[25] https://www.pdicai.org/Docs/RBI-2025-26-36_125202512145948.pdf