Foreign Affairs & International Law

Cookies Crumbling: India Needs a Cookie Law

Sanjana Patnaik

o2k7vfwwzzgok0pq4yun

The article discusses the consequences of the lack of cookie law in India and highlights the need to formulate one in light of the legislative gaps to address the risk of anonymization that the lack of a cookie law poses. To this effect, India needs an ‘Indian’ cookie law instead of a ‘cookie-cutter’ set of provisions resembling the GDPR.

Introducing Cookies: Intrusive Yet Invisible Aspect of Information Technology

Cookies are data files that get stored in the user’s device once a user visits a website. Cookies are not inherently considered to entail a privacy risk since the website cannot identify the natural person. They can only track the user activities to understand the behavioural pattern of the user to deliver tailored advertisements. However, since they can track the user’s activity on the internet, any personal information provided by a user on any other website can be stored in a cookie unless the cookie feature is turned off in the browser. For example – the credit card details that are provided by the user on a website can be stored by them. Further, cookies can pose serious personal data privacy threats through cookie hijacking or cookie tossing.      

Additionally, different types of cookies are active on the website such as necessary cookies, social media cookies, third-party cookies, session cookies, zombie cookies, etc. Some cookies are privacy intrusive while some are not. Third-party cookies pose a severe privacy risk. Third-party cookies are those which are placed by companies that do not own the website the user is visiting. For instance – A user may be visiting an educational website that contains advertisements of various other companies. All these companies who have placed advertisements on that educational website get to track the activities of the user by issuing relevant cookies.

Furthermore, according to Recital 30 of the General Data Protection Regulation (GDPR), the accumulation of cookies by websites and other non-specific data may lead to the identification of an anonymous user. Hence, to protect the privacy of individuals, it becomes quintessential to formulate a cookie law or a comprehensive personal data privacy legislation containing provisions governing the usage of cookies. This article would discuss the fundamental right violation pursuant to the non-enactment of the cookie law. Further, it seeks to analyse the recourse available under the existing legislations in case of violation of cookie policies and consent. Lastly, the piece would analyse the necessity for a cookie law in India by comparing the inter-jurisdictional cookie legislations and discussing the complications of adopting cookie law under GDPR in India.


Non- Existence of Cookie Law- Fundamental Right Violation

Neither does India have a comprehensive personal data privacy legislation nor a specific legislation regulating the usage of cookies. The Supreme Court (‘SC’) in the case of K.S. Puttuswamy v. Union of India declared that the right to privacy is a fundamental right guaranteed under Part III of the Constitution. Further, it posited that the personal information of the user cannot be utilized without the user’s consent. However, cookies are not defined as personal information in India. This provides freedom to the websites to issue various types of cookies including necessary and unnecessary cookies into the user’s device without their consent. Therefore, the Indian Companies need not mandatorily lay down a cookie policy as part of their privacy policy. This results in an arbitrary exposure towards de-anonymization of the user. Thus, the lack of consent would violate the fundamental right to privacy which needs to be addressed through legislation as the existing legislations are inadequate for this purpose.

Inadequacy of the Existing Legislations

Information & Technology Act, 2000 (“IT ACT”)

Since there is no cookie legislation, the Indian companies could utilize the personal data according to their whims and fancies to achieve business advantage. Many argue that the use of cookies without the user’s consent could be subsumed under the definition of ‘computer virus’ laid down in the IT Act and would thus be prohibited. However, in the absence of any explicit legislation or judicial precedents regarding cookies, companies could circumvent the law by finding technical defects within the definition. For instance, Websites could argue that cookies are not harmful and malicious. Thus, cookies cannot be conclusively included within the definition of ‘computer virus’.

Personal Data Protection Bill, 2019 (‘PDP Bill’)

The PDP Bill, 2019 defines ‘personal data’ as any data about a natural person that is directly or indirectly identifiable. The definition mentions that information should be related to a natural person. It can be argued that cookies inherently cannot identify a natural person and thus are outside the purview of the definition. However, a counter-argument can be made that cookies could be included under the definition of ‘personal information’ since they involve traceability of natural persons. The Supreme Court, in the Puttuswamy judgment, stated that the data controller must secure personal information from the de-anonymized data. The PDP bill, though not enacted, mentions anonymization as an irreversible process under section 3(2). Experts have proved that personal data can never be irreversibly anonymized. Anonymous data can be matched with publicly available information to trace the individual user. For instance, companies using browsing history to identify individual users run the risk of de-anonymization. Further, a study in the USA found that more than half of the population can be uniquely identified based on the place, date of birth, and gender details. Thus, the bill is inadequate in regulating the cookies since it does not convincingly address the standard & characterization of the process of anonymization.

Indian Contract Act, 1872 (ICA) and Consumer Protection Act, 2019 (COPrA)

When a user explores a website, such exploration of the website is a legally binding contract regulated by the legal agreements of the website. Thus, agreeing to the terms and conditions shown as soon as the user opens a website makes them legally enforceable. One of the contents mentioned in the terms and conditions is the privacy policy. This means that the consideration for a user to visit the website is agreeing to the terms and conditions of use and service. Indian companies are not bound to provide a cookie policy since cookies are not recognized as personal information and hence, need not be mentioned in the privacy policy. Thus, cookie collection does not result in a contract. However, the websites can extract user’s consent by inserting an arbitrary cookie policy. Such invalid consent can be vitiated by the user by proving the contract to be unconscionable. An unconscionable contract has traditionally been proven in cases where the contract was induced by undue influence, coercion, inequality of bargaining power, etc. It is difficult to prove that the arbitrary terms in the cookie policy are unreasonable in the absence of specific legal provisions and judicial precedents. However, India can resolve such complexity by adopting terms similar to Australian Consumer Law. Australia has recently added Part IV D to the Competition and Consumer Act, 2010 (ACC) that contains provisions relating to Consumer Data Rights. Further, their consumer law contains a national unfair contract term that safeguards consumers by removing the unreasonable terms in standard contracts. Thus, any stipulation in the standard contract that violates Part IV D of the ACC can be removed.

The Consumer Protection Act of India (hereinafter COPrA) does not contain provisions relating to consumers’ data privacy. However, COPrA, 2019 has few unfair trade practices that could become grounds for filing complaints. One of the unfair trade practices includes disclosing a consumer’s personal information. Since cookies are not considered as ‘personal information’ in India, it becomes difficult to include the arbitrary cookie usage terms within the meaning of unfair trade practices especially when there are no judicial precedents. Furthermore, the inclusion of the definition of ‘unfair contracts’ has made it possible for consumers to challenge unilateral and unreasonable contracts. Section 2(46) states that any imposition of an unreasonable condition on the consumers that puts them at a disadvantage would constitute an unfair contract. The imposition on the users to consent to an arbitrary cookie policy can be termed as an unreasonable condition under the section. However, the act is ambiguous regarding the standard of reasonability expected under the section. The courts might have to place reliance on the prevalent data protection law to adjudicate the non-viability of the terms of the contract. The present data protection law is inadequate to address the concerns arising out of violations in the cookie policy. Thus, it becomes imperative to formulate a cookie law in India.


Why India Needs an Indian Cookie Law

The personal data protection framework in the European Union (“EU”) was overhauled to introduce new sets of regulations such as the GDPR and the ePrivacy Regulation. The GDPR is a general legislation and the ePrivacy regulation, though not adopted, has rules governing specific areas. The GDPR focuses on the opt-in approach and requires companies to seek consent through affirmative action. Countries like the EU and Nigeria require companies to seek express consent before using cookies. Whereas countries such as Australia, the USA, China do not require cookie consent. Japan requires cookie consent for third-party cookies only. The cookie provisions mentioned in GDPR have to be followed by websites working in the EU or websites working outside the EU but hosts visitors from the EU. Thus, Indian websites working in the EU or hosting EU visitors must comply with GDPR for the transfer of data.

Though GDPR has extra-territorial application, the EU is not equipped to ensure, examine, and enforce compliance with its provisions. A study in the EU revealed that more than half of the websites do not comply with the cookie consent provisions. GDPR is a sweeping legislation that does not account for various practical realities and has frustrated the users, companies, and regulators. It would be a tedious task for the EU to ensure compliance with GDPR in India when it is unable to ensure compliance even in its countries. GDPR provides for the appointment of representatives from the non-EU countries that would ensure enforcement in such countries. However, the requirements to establish such a measure have not been clearly drafted under the GDPR. Furthermore, all these requirements would increase the costs of enforcement exponentially.  Additionally, it may be noted that different interpretations of the law impeded the effective enforcement of GDPR. These interpretational differences arise due to the varying commercial and cultural interests of countries. Thus, formulating a jurisdiction-specific cookie law would resolve most of the interpretational problems and ensure robust enforcement & compliance with the regulations.


Conclusion

India need not imitate the cookie law enacted by the EU and should rather formulate a law that will commensurate with its regulatory landscape, cultural trajectories, and commercial interests. In such a formulation, India should commit the EU that the privacy measures adopted, though not GDPR-like, would not compromise the personal data protection of the EU citizens. An Indian cookie law would ensure that the obligations of the firms that deal with data not so intensively can be reduced to make them commensurate with the risk from their activities. This would minimize the compliance costs of the smaller firms ensuring that the costs of maintaining data privacy do not outweigh the benefits. Moreover, a jurisdiction-specific cookie law would provide tailor-made provisions relating to fines and penalties that should be imposed in case of non-compliance. Further, since the GDPR mentions that fines are to be administered on a factual basis, the Indian cookie legislation can formulate an effective penalising structure that would be proportionate to the size of businesses, nature of violations, and the nature of the data dealt with. Enacting an Indian cookie law would strike a balance between the economic interests of the companies and the elimination of personal data privacy concerns raised by the EU. 


Sanjana is a fourth-year student at the Jindal Global Law School, O.P. Jindal Global University, Sonipat.