Have you ever contemplated the radical impact that cookies have on our lives? Not the edible kind, but the small text files that websites place on an individual's device, which may collect and store data related to one's preferences, personal details and even browsing history. As individuals, we often look past the data protection and privacy issues surrounding them. While Section 6 of the Digital Personal Data Protection (DPDP) Act of 2023 clearly mandates data fiduciaries such as advertisers to seek specific consent that is free and unambiguous in nature, the Act has never been implemented in our country for lack of structural implementation guidelines. To address the same, the DPDP Rules were published this January and are awaiting public feedback until February 18, 2025.
To align current cookie consent strategies with the new DPDP Act, the Advertising Standards Council of India (ASCI) has collaborated with PSA Legal and Tsaaro Consulting and released an extensive white paper. The paper's analysis found that only 6%, i.e. 3 of the top 50 companies, had implemented a cookie consent banner on their websites as of December 2024. This lack of transparency has jeopardized user experience and put compliance with data protection guidelines at risk. To meet the DPDP standards, the paper urges companies to implement cookie banners that are transparent and user-friendly and to provide an opt-out option for non-essential cookies. It also suggests implementing granular consent options that allow users to individually select each category of cookie, be it essential, analytical or marketing-based. With such an implementation, individuals would have an enhanced user experience that protects their privacy and is in line with the General Data Protection Regulation (GDPR) formulated by the European Union (EU). Non-compliance with the duties and reasonable safeguards under Sections 8 and 15 of the DPDP Act may lead to a fine ranging from Rs. 10,000 to 250 crores as provided under the Schedule of the Act.
Cookies come in several types, from social media cookies to targeting cookies, which makes consent management for them essential. Though the Indian Act is altogether silent on the concept of cookies, several other jurisdictions have their own regulations in place:
1. EU: The concept of cookies is covered under Recital 30 of the GDPR and the ePrivacy Directive (EPD, also known as the cookie law), which is to be replaced by the ePrivacy Regulation. The GDPR stipulates separate consent along with withdrawal options, and the directive prohibits implied consent and regulates browser fingerprinting, which is a technique to collect data from a user's device and browser.
2. France: In May 2022, the French Data Protection Authority (CNIL) published guidelines on how the legality of a cookie wall, which forces users to agree to cookies in order to use a website, could be assessed. However, it recommends the use of a cookie consent banner as an alternative.
3. Spain: Article 6 of the Spanish Data Protection Law (LOPGDD), which is in accordance with Article 4.11 of the EU Regulation, provides for lawfulness and transparency while processing personal data. The authorities also mandate that the validity of a user's consent must not exceed 24 months, unlike Luxembourg, which stipulates a 12-month validity.
The paper also highlighted several cases in which companies were fined for cookie consent violations. For example, in the case of the Federation of German Consumer Organizations vs Planet 49 (2019), the court ruled that pre-ticked consent checkboxes are invalid. Also, in the Amazon Logistique Case (2023), Amazon was fined 35 million Euros for not providing an opt-out option on its website.
From e-commerce platforms to tech and software-as-a-service companies, cookies are everywhere in India. Though there is no specific cookie law in India, unlike other jurisdictions, the paper suggests India adopt a granular consent approach that aligns with Section 5(1)(i), Section 6(1) and Section 6(4) of the DPDP Act. The Consumer Protection Act, 2019, does not regulate cookies but advocates the principles of transparency and fairness in advertising and marketing, where non-compliance could expose companies to allegations of unfair trade practices and misleading ads. Apart from consent-based issues, India must look at tackling dark patterns and the consent vs pay conundrum. Dark patterns refer to manipulative UI/UX designs that mislead consumers into making choices that they might not have made otherwise. The consent vs pay model, on the other hand, puts an individual in a fix by requiring them to either accept all cookies or pay a fee to avoid any kind of data tracking. The paper also suggests putting in place a cookie policy that delves into issues such as categories of cookies, technical specifications, consent management etc. This would lead to effective compliance while ensuring that the policy reflects regular tech updates. Indian companies must also consider employing automation tools that would decrease manual effort and streamline the compliance process.
While the paper provides for a cookie consent management system and the regulations revolving around it, it fails to tap into other emerging tech alternatives that are replacing cookies, such as device fingerprinting, server-side tracking and privacy-preserving ads such as Google's Sandbox and Apple's ATT. It also fails to explain the core reason why the top companies are falling short in terms of compliance. Additionally, the paper only focuses on EU- and US-based jurisdictions and completely ignores Asian jurisdictions such as China or Singapore, which are tech giants. To bring the recommendations of the paper to life, there is an urgent need for practical guidance on this matter that strikes a balance between consent management and technical solutions. While the implementation of the DPDP Act is still pending, an ethics-driven approach alongside clear control mechanisms will help shift the landscape of Indian websites, which will in turn prioritize privacy and data protection over mere business tactics.
Authors: Vyoma Patel, Vishal Menon & Simran Jayarao