Cookie use in India: A legal vacuum

By Mathew Chacko, Aadya Misra and Shambhavi Mishra, Spice Route Legal

Cookies are small files of code downloaded to the devices of individuals by the websites those persons visit. Cookies track visitors’ activity, enable personalisation of their experience, and fall into two categories: first-party and third-party. The former are accessible only by the domain that created them; the latter by any website that loads a third-party server’s code, enabling such third-party cookies to be traced by websites other than those an individual visits. This feature helps businesses track the activities of site visitors and collect and process their personal data. Most significantly, it enables advertisers to target advertisements at the right viewers.

Mathew Chacko
Managing partner
Spice Route Legal

The drawback is the privacy risk inherent in the use of cookies, such as the unauthorised collection of sensitive personal data with the subsequent risk of breaches and hijacking. To meet such privacy concerns, regulators worldwide have begun to control cookies. In Europe, the 2002 Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector provides that the “terminal equipment” of individuals using electronic communication networks constitutes their private sphere requiring protection. Tracking technology that downloads to users’ terminals without users’ knowledge to track their activities and collect their personal data infringes on the privacy of such individuals. The directive permits the use of cookies for legitimate purposes if individuals have been provided with clear and precise information about the purposes of the cookies and have had the opportunity to refuse them. This provision of information and the opportunity to consent or refuse cookies must be as user-friendly as possible. Separately, European data protection authorities have held, in a series of rulings, that cookies constitute personal data for the purposes of the General Data Protection Regulation (GDPR). Accordingly, the GDPR data processing principles apply to cookies.

Aadya Misra
Senior associate
Spice Route Legal

Unlike other jurisdictions, India has yet to expressly regulate cookies. However, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI rules) apply when cookies collect or process sensitive personal data or information (SPDI), a subcategory of personal data that includes passwords, financial information, data relating to physical, physiological and mental health conditions, sexual orientation, medical records and history and biometric information.

As cookies are not specifically regulated under any law, there are no prescribed grounds specifying how they may be used. However, under the SPDI rules, the processing of SPDI is subject to higher standards of compliance. For instance, the sole legal basis for the collection of SPDI is written consent, which may be sought through any electronic means such as email or check boxes. Similarly, SPDI may be disclosed to another only with the prior permission of the information provider or where disclosure is necessary for compliance with a legal obligation. Where cookies are used for the collection of SPDI, consent must be sought before their use in accordance with the standards in the SPDI rules. There are no exceptions to this obligation; even strictly necessary cookies cannot be downloaded to users’ terminals without their express consent. However, the SPDI rules do allow the denial of services if consent is withheld for the collection of data. It is common for businesses to restrict access to their websites or platforms if users do not give consent for the use of necessary cookies.

Shambhavi Mishra
Associate
Spice Route Legal

Cookies do not usually enable businesses to collect SPDI and, in theory, the SPDI rules should not apply to their use. However, in view of the changing privacy landscape and evolving privacy jurisprudence, it is prudent to seek consent for the use of cookies. Businesses may rely on global best practices, such as the use of cookie banners or notices requiring users to opt in to the use of cookies.

The setting-up of the Data Protection Board of India, the regulator that will implement the Digital Personal Data Protection Bill, 2022, will likely result in a framework for the use of cookies. Until then, businesses should obtain clear, unambiguous and explicit consent for the use of cookies.

Mathew Chacko is the managing partner, Aadya Misra is a senior associate and Shambhavi Mishra is an associate at Spice Route Legal.

Spice Route Legal
14th floor, Skav 909,
Lavelle Road, Ashok Nagar
Bengaluru, Karnataka 560025
Contact details:
E: contact@spiceroutelegal.com