Cookies are small files of code downloaded to the devices of individuals by the websites those persons visit. Cookies track visitors’ activity and support the personalisation of their experience, and fall into two categories: first-party and third-party. The former are accessible only by the domain that created them; the latter by any website that loads a third-party server’s code, enabling such third-party cookies to be traced by websites other than those an individual visits. This feature helps businesses track the activities of site visitors and collect and process their personal data. Most significantly, it enables advertisers to target advertisements at the right viewers.
Unlike other jurisdictions, India has yet to expressly regulate cookies. However, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI rules) apply when cookies collect or process sensitive personal data or information (SPDI), a subcategory of personal data that includes passwords, financial information, data relating to physical, physiological and mental health conditions, sexual orientation, medical records and history and biometric information.
As cookies are not specifically regulated under any law, there are no prescribed grounds specifying how they may be used. However, under the SPDI rules, the processing of SPDI is subject to higher standards of compliance. For instance, the sole legal basis for the collection of SPDI is written consent, which may be sought through any electronic means such as email or check boxes. Similarly, SPDI may be disclosed to another only with the prior permission of the information provider or where disclosure is necessary for compliance with a legal obligation. Where cookies are used for the collection of SPDI, consent must be sought before their use in accordance with the standards in the SPDI rules. There are no exceptions to this obligation; even strictly necessary cookies cannot be downloaded to users’ terminals without their express consent. However, the SPDI rules do allow the denial of services if consent is withheld for the collection of data. It is common for businesses to restrict access to their websites or platforms if users do not give consent for the use of necessary cookies.
Mathew Chacko is the managing partner, Aadya Misra is a senior associate and Shambhavi Mishra is an associate at Spice Route Legal.