Cookie Consent: Does the DPDP Act Apply to Cookies?

January 30, 2024

Summary

  • Cookies are small data pieces stored by websites to remember user information and enhance online experiences.
  • Third-party cookies raise privacy concerns due to their extensive data collection without clear user consent.
  • The Digital Personal Data Protection Act requires explicit consent for processing personal data, but it's uncertain if this includes cookies.
  • If the DPDP Act applies to cookies, businesses will need to align with its consent obligations causing a dramatic shift in the world of digital advertising.
  • The future of cookies is evolving with increasing privacy regulations and technological changes, prompting a shift towards first-party data and alternative tracking technologies.

What are Cookies?

Cookies are small pieces of data stored on a user's device by a website. They are a string of characters that allow the website to identify a user and their preferences when they log on to that website. Their primary role is to remember user information, making online experiences seamless and personalised. 

Ever closed your amazon browser tab and found that you are getting ads for the exact thing that you were looking for on a news website? That’s cookies. Cookies also let you log in straight to amazon every time you type amazon.in in your browser. Even if you do not sign in and drop some items in your cart, they remain there for the next time you open that browser window. That’s cookies too.

Types of Cookies

First-Party Cookies - These belong to the website that you are visiting. They are used to remember user settings and preferences, such as language selection, login details, and items in a shopping cart. They enhance user comfort and improve user experience.

Example: A user logs into an online store, adds items to their cart, and the site retains this information for their next visit using first-party cookies.

Third-Party Cookies - These do not belong to the website that you are visiting. They belong to third parties that you may not know and are placed in your browsers by the website owner. Until now, third party cookies have formed the basis of the 300+ billion digital marketing industry owned by behemoths like Google, Facebook and now Amazon.

How ads follow you everywhere - a typical flow third party cookie flow

Uses: Predominantly used for advertising and tracking purposes, they collect data such as user behaviour, age, and gender to create detailed user profiles for targeted advertising. 

Example: A user visiting a website might find ads tailored to their interests based on their previous online behaviour. This happens via third-party cookies.

Privacy concerns with Cookies

Cookies, particularly third-party cookies, have become a focal point of privacy debates. These cookies are known for collecting comprehensive personal information, including users' browsing habits. Such extensive personal data is used to create detailed user profiles, intensifying privacy dangers. 

Most users remain unaware of the extent to which third-party cookies track and gather their online activities. This leads to a lack of informed consent and control over their personal data. This situation is exacerbated by the often opaque nature of how websites and advertisers use these cookies.

Users are left in the dark about how their data is being handled and for what purposes.

As a result, data protection laws around the world such as Europe’s General Data Protection Regulation (GDPR) and USA’s Central Consumer Protection Authority (CCPA) regulate the use of cookies. GDPR requires collecting explicit consent of the user to place cookies on their browser. On the other hand, the CCPA does not mandate user consent, rather it emphasises the right to opt-out, particularly for cookies that sell personal information. This is typically achieved through a “Do Not Sell or Share My Personal Information” link.  

With the enactment of the Digital Personal Data Protection Act 2023 (DPDP Act) in India, it is a major question mark whether cookies will be covered under the Act.

What is the DPDP Act? 

The Digital Personal Data Protection Act is India's first comprehensive data protection law. As per the Act, in most cases personal data can be processed only based on the customer's Consent. This Consent must be clear, explicit and specific, with local language options. Personal data cannot be processed if Consent is absent or withdrawn.

To understand the DPDP Act in detail, refer to our article what is the DPDP Act. 

Does the DPDP Act apply to Cookies? 

We cannot say for certain yet. The law has not been enforced yet and there is no case law to guide us in interpreting the text of the DPDP Act. 

It is a major question mark whether Cookies will be covered under the DPDP Act

It all comes down to whether cookies are considered ‘personal data’ under the DPDP Act. Personal data means any data about an individual who is identifiable by or in relation to such data. Cookies are data that is stored on a user’s device that allows the website storing that cookie to identify and profile the user at a later time. 

Therefore, cookies may qualify as personal data under the DPDP Act. If cookies are indeed included, online businesses will have to revamp their websites to provide proper and compliant consent banners in order to continue making use of cookies. 

What if the DPDP Act applies to Cookies?

Let us assume that the DPDP Act will apply to Cookies as personal data. What does this mean for businesses and online marketers? They will need to align their websites and cookies with the Consent requirements of the DPDP Act. Here are some of the steps businesses can take to ensure compliant cookie practices:

Clear Cookie Notice: Display a prominent cookie notice explaining the use of cookies, their types, and purposes. Draft all privacy notices and consent requests in plain, easily understandable language, avoiding legal or technical jargon. Use a readable font size and organize information in a logical, user-friendly manner. The DPDP Act further requires the consent notice to be available in over 20 local languages.

Informed Consent: Ensure the consent request is accompanied by clear, easily understandable information about what the user is agreeing to, including data types, and purposes, processing reasons, and third parties involved.

Unambiguous, Explicit and Unconditional Consent: Consent should be given explicitly (e.g., through an “Accept Cookies” button) and not assumed from website browsing. Access to services or products should not be conditional on cookie acceptance.

Easy Opt-Out Option: Provide a straightforward option for users to reject or withdraw their consent for cookies at any time.

An ideal Cookie Consent notice

Use of Consent Managers: Consent Managers are registered intermediaries tasked with facilitating collection and transfer of consent for compliant data processing. Consent Managers may be able to solve all of the above challenges and even integrate with tools like Google Tag Manager for a seamless flow. Onboarding a Consent Manager may be crucial in efficiently navigating the new data protection law.

The Future of Cookies

Phase Out from Browsers

The landscape of digital privacy is undergoing a major transformation, primarily due to the increasing regulation and privacy concerns surrounding third-party cookies. Google's announcement to phase out support for these cookies in Chrome by the end of 2024 is a response to growing demands for enhanced user privacy, transparency, and data control. This move aligns with actions already taken by other major browsers like Apple's Safari and Mozilla Firefox, marking an industry-wide shift towards prioritizing user privacy.

Industry Response and Implications

The industry's reaction to Google's decision has been mixed. While the move is applauded as a step forward for user privacy, it also presents considerable challenges, especially for smaller players in the ad tech industry. With Google Chrome's dominant market share of approximately 66% as of October 2022, this phase-out could dramatically reshape the digital advertising landscape. However, Google's commitment to continue tracking users through alternate technologies reflects the complex balance between respecting user privacy and meeting the operational requirements of digital businesses. Read more about Google’s alternatives to cookies and their roll out plan here

Alternatives to Cookies

As the digital industry shifts away from third-party cookies, viable alternatives are emerging. First-party data offers direct insights from user interactions, enabling personalised marketing strategies. Contextual targeting aligns ads with webpage content, ensuring relevance without infringing on privacy. Additionally, device fingerprinting, gathering unique device characteristics, provides a secure method for user identification, presenting a diverse future for digital advertising in a more privacy-conscious world. 

The online advertising space is heavily reliant on personal data and involves the deployment of some of the most advanced technology for user profiling. It will be interesting to see how the DPDP Act deals with it. Until then you can refer to other articles on this blog to get up to speed with the provisions of the new law. We have covered the impact of DPDP on the BFSI and Telemarketing sectors. For a more generalised understanding of the Digital Personal Data Protection Act and its history refer to our DPDP Explainer and the History of DPDP articles.

Sign up for a demo and early trial access

Customized Demo for every use case
Deep dive into your unique needs and compliance challenges
Free access to testing account
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.