The article discusses the consequences of the lack of a cookie law in India and highlights the need to formulate one, in light of the legislative gaps, to address the risk of anonymization that the lack of a cookie law poses. To this effect, India needs an ‘Indian’ cookie law instead of a ‘cookie-cutter’ set of provisions resembling the GDPR.
Introducing Cookies: Intrusive Yet Invisible Aspect of Information Technology
Cookies are data files that are stored on the user’s device once the user visits a website. Cookies are not inherently considered to entail a privacy risk since the website cannot identify the natural person. They can only track the user’s activities to understand the user’s behavioural pattern and deliver tailored advertisements. However, since they can track the user’s activity on the internet, any personal information provided by a user on any other website can be stored in a cookie unless the cookie feature is turned off in the browser. For example, the credit card details that the user provides on a website can be stored in them. Further, cookies can pose serious personal data privacy threats through cookie hijacking or cookie tossing.
Additionally, different types of cookies are active on a website, such as necessary cookies, social media cookies, third-party cookies, session cookies, zombie cookies, etc. Some cookies are privacy-intrusive while some are not. Third-party cookies pose a severe privacy risk. Third-party cookies are those placed by companies that do not own the website the user is visiting. For instance, a user may be visiting an educational website that contains advertisements of various other companies. All the companies that have placed advertisements on that educational website get to track the activities of the user by issuing relevant cookies.
Furthermore, according to Recital 30 of the General Data Protection Regulation (GDPR), the accumulation of cookies by websites and other non-specific data may lead to the identification of an anonymous user. Hence, to protect the privacy of individuals, it becomes essential to formulate a cookie law or a comprehensive personal data privacy legislation containing provisions governing the usage of cookies. This article will discuss the fundamental right violation resulting from the non-enactment of a cookie law. Further, it seeks to analyse the recourse available under the existing legislation in case of violation of cookie policies and consent. Lastly, the piece will analyse the necessity for a cookie law in India by comparing inter-jurisdictional cookie legislation and discussing the complications of adopting the cookie law under the GDPR in India.
Non-Existence of Cookie Law - Fundamental Right Violation
Inadequacy of the Existing Legislations
Information & Technology Act, 2000 (“IT ACT”)
Personal Data Protection Bill, 2019 (‘PDP Bill’)
The PDP Bill, 2019 defines ‘personal data’ as any data about a natural person that is directly or indirectly identifiable. The definition mentions that the information should be related to a natural person. It can be argued that cookies inherently cannot identify a natural person and thus are outside the purview of the definition. However, a counter-argument can be made that cookies could be included under the definition of ‘personal information’ since they involve traceability of natural persons. The Supreme Court, in the Puttaswamy judgment, stated that the data controller must secure personal information from the de-anonymized data. The PDP Bill, though not enacted, mentions anonymization as an irreversible process under section 3(2). Experts have proved that personal data can never be irreversibly anonymized. Anonymous data can be matched with publicly available information to trace the individual user. For instance, companies using browsing history to identify individual users run the risk of de-anonymization. Further, a study in the USA found that more than half of the population can be uniquely identified based on the place, date of birth, and gender details. Thus, the Bill is inadequate in regulating cookies since it does not convincingly address the standard and characterization of the process of anonymization.
Indian Contract Act, 1872 (ICA) and Consumer Protection Act, 2019 (COPrA)
Why India Needs an Indian Cookie Law
The personal data protection framework in the European Union (“EU”) was overhauled to introduce new sets of regulations such as the GDPR and the ePrivacy Regulation. The GDPR is a general legislation, and the ePrivacy Regulation, though not adopted, has rules governing specific areas. The GDPR focuses on the opt-in approach and requires companies to seek consent through affirmative action. Jurisdictions like the EU and Nigeria require companies to seek express consent before using cookies, whereas countries such as Australia, the USA, and China do not require cookie consent. Japan requires cookie consent for third-party cookies only. The cookie provisions mentioned in the GDPR have to be followed by websites working in the EU and by websites working outside the EU that host visitors from the EU. Thus, Indian websites working in the EU or hosting EU visitors must comply with the GDPR for the transfer of data.
Though the GDPR has extra-territorial application, the EU is not equipped to ensure, examine, and enforce compliance with its provisions. A study in the EU revealed that more than half of the websites do not comply with the cookie consent provisions. The GDPR is a sweeping legislation that does not account for various practical realities and has frustrated users, companies, and regulators. It would be a tedious task for the EU to ensure compliance with the GDPR in India when it is unable to ensure compliance even in its own countries. The GDPR provides for the appointment of representatives from non-EU countries who would ensure enforcement in such countries. However, the requirements to establish such a measure have not been clearly drafted under the GDPR. Furthermore, all these requirements would increase the costs of enforcement exponentially. Additionally, it may be noted that different interpretations of the law have impeded the effective enforcement of the GDPR. These interpretational differences arise due to the varying commercial and cultural interests of countries. Thus, formulating a jurisdiction-specific cookie law would resolve most of the interpretational problems and ensure robust enforcement of and compliance with the regulations.
India need not imitate the cookie law enacted by the EU and should rather formulate a law that is commensurate with its regulatory landscape, cultural trajectories, and commercial interests. In such a formulation, India should commit to the EU that the privacy measures adopted, though not GDPR-like, would not compromise the personal data protection of EU citizens. An Indian cookie law would ensure that the obligations of firms that deal with data less intensively can be reduced to make them commensurate with the risk from their activities. This would minimize the compliance costs of smaller firms, ensuring that the costs of maintaining data privacy do not outweigh the benefits. Moreover, a jurisdiction-specific cookie law would provide tailor-made provisions relating to the fines and penalties that should be imposed in case of non-compliance. Further, since the GDPR mentions that fines are to be administered on a factual basis, the Indian cookie legislation can formulate an effective penalising structure that would be proportionate to the size of businesses, the nature of violations, and the nature of the data dealt with. Enacting an Indian cookie law would strike a balance between the economic interests of companies and the elimination of the personal data privacy concerns raised by the EU.
Sanjana is a fourth-year student at the Jindal Global Law School, O.P. Jindal Global University, Sonipat.