Cookies and Consent - An outline on the position in the EU, UK, US, Canada, and India.

This article was First Published on Bar and Bench on 28th November 2023.

Cookie is a small text filed stored by the website on your personal computer or any other device when you visit the website. Cookies are of two major types – First Party Cookies and Third-Party Cookies. First Party cookies are those set by the website itself; however, third party cookies are those embedded on the website by entities unaffiliated to the first party (i.e., the website) for different purposes. For example, a website may have embedded its own cookies (First Party Cookies) on its website to provide a personalized browsing experience to the users or monitor the users’ online behaviour., If the website shows any advertisements or pop-ups which are unrelated to the website, such advertisements or pop-ups are shown because of the third-party cookies embedded on the website (e.g., Google Ads or Amazon Ads). Cookies can be classified further into various types:

·         Session Cookies: These help in remembering the users’ activities on a website so long as the user continues the browsing session, and terminate once the user closes the browser. (E.g., adding items in a shopping cart on a website as a guest).

·         Persistent Cookies: As opposed to session cookies, these cookies continue to remain on users’ device even after the termination of multiple browsing sessions. These cookies help in remembering the users’ specific configuration of browser settings, preferences, login credentials etc.

·         Essential Cookies – As the label suggests, these are necessary for a website to remain in a functional state or otherwise necessary to fulfil the users’ online requests.

·         Statistical Cookies – These analyse the users’ online behaviour on a website and generate statistical information for website operator’s own purposes. (e.g., analysing how many times a user has visited the website)’

·         Flash Cookies[1] – These are Adobe Flash Player’s cookies enabled by websites for video playback, animations, and other functionalities (e.g., these cookies help in video playback along with details on how long the video is watched and at which timestamp the user stopped watching the video).

·         Zombie Cookies – These cookies respawn and continue to remain on users’ devices even if they clean-up the cookies on their browser. These cookies are usually used by web-analytics companies to track unique individuals’ browsing histories.[2].

Why do websites obtain consent for the use of Cookies? Do cookies contain personal data?

In the European Union, organizations must comply with both the ePrivacy Directive and the EU General Data Protection Regulation (GDPR) because the term “online identifiers” under Recital 30 of the GDPR covers cookies, since cookies are  part of the personal data definition under the GDPR. However, ePrivacy Directive contains certain special rules that organizations are required to comply with in relation to the use of cookies. These special rules take precedence over the general provisions of the GDPR since ePrivacy Directive “particularises” the processing of personal data in the electronic communication sector.[3] However, the general provisions of the GDPR which are not touched upon by the special provisions of the ePrivacy Directive continue to operate in parallel. Article 5(3) of ePrivacy Directive requires organizations to obtain consent for the use or retention of cookies on the users’ browsers. Thus, in this case, other legal bases of processing under the GDPR cannot be relied upon.[4]

Principles for obtaining Consent for Cookies: In addition to the ePrivacy Directive, taking the EU guidelines on consent into account is essential. As per these guidelines, the consent for the cookie should be free, specific, informed, and unambiguous. The user of a website should have a real choice to exercise i.e., to consent  or refuse,  to the use of cookies by the website operator. There should be no cookie walls, which require users to compulsorily accept the use of cookies to be able to access the website or avail the service from the website operator. Similarly, the cookie banner should contain sufficient options such as accept, reject, manage the cookie settings to enable the users to exercise their choice. Further, organizations must inform the users about the purposes of the use of every type of cookies, and ensure that specific opt-in consent is obtained for the use of cookies. In other words, organizations cannot infer users’ consent from their conduct (e.g., scrolling the website without accepting or refusing the use of cookies). In the Planet 49 case[5], the CJEU highlighted that a pre-ticked check box does not constitute a valid consent, rather a clear and affirmative action is necessary from a user to indicate her consent to the storing of cookies by website operators to be valid. Consent is, however, not required for essential cookies. As per the guidelines issued by Luxembourg supervisory authority on cookies, it is still necessary to provide information about the purposes for which essential cookies are used.[6]

Position in UK and Canada: Akin to the EU, the position is largely similar in the United Kingdom wherein organizations must comply with both the Privacy and Electronic Communications Regulations (PECR) and the UK General Data Protection Regulation. Canada has taken a different position in this context. Under Canada Anti-Spam Legislation (CASL), cookies are computer programs for which a user’s consent is inferred from her conduct. There is no requirement for express consent as in the case of EU. For example, if a user disables the cookies on her browser, we can draw an inference that the user indicated her denial to the use of cookies by any website that she visits.[7]

Cookies and Personal Information: Cookies are considered as personal information under the California Consumer Privacy Act (CCPA).[8] CCPA mandates opt-in consent for the use of cookies that involves sale and sharing of personal information of minors, who are below 16 years of age.[9] In case of children less than 13 years of age, the parent or lawful guardian should consent to such sale or sharing of children’s personal information.  However, consent of the website users (other than children) is not required for the use of cookies unless they are used for behavioural advertising, which could constitute sale under the CCPA.[10]  In the case of essential cookies provided by a third-party, the website need not obtain consent or notify the users.

Use of third-party analytics cookies may not be interpreted as sale of personal information under CCPA in case the organisations use analytics cookies of third-parties (i) who qualify as service providers and the cookies are essential for the performance of a website; or (ii) by obtaining opt-in consent of the users. Otherwise, organizations should disclose in their privacy policies that it is selling the information to these third-parties.

India context: Digital Personal Data Protection Act (DPDPA), yet to come into force,  does not specifically call out cookies. Personal Data, as defined under the DPDPA, means any data about an individual who is identifiable by or in relation to such data (Section 2(t) of DPDPA, 2023). To the extent cookies contain any identifiable information about an individual, the organizations should obtain consent for the use of such cookies, because it implies processing of personal data. The consent mechanism provided in DPDPA states that the consent should free, specific, informed, unconditional, and unambiguous. Hence, the approach seems like aligning with the EU standards rather than the US or Canada standards. Thus, for organizations to tread on the safe path in terms of privacy compliance, they can, in addition to the privacy notice, display a separate cookie banner mentioning the types of the cookies with a choice to accept or reject their use. Further, organizations can publish a cookie policy containing an explanation about cookies, the purposes of their use, retention timeframe, and the way users can configure their preferences/settings regarding the cookies. If the cookies do not contain personal information, it appears that there is no requirement to obtain consent or even notify the individuals. Having said that the detailed rules and regulations of the DPDPA is yet to come.

Authors: Mr. Sandeep G, Associate at NovoJuris Legal, with inputs from Ms. Sharda Balaji, Partner.