This article is written by Shreya Patil, pursuing a Diploma in Advanced Contract Drafting, Negotiation and Dispute Resolution from LawSikho.
“Every move you make, I'll be watching you.” Doesn't this sound like stalking? Probably, yes! Have you ever wondered why you sometimes see personalised ads that are highly specific to you, especially right after you searched for something on the internet? There can be several reasons, but clicking “Accept all cookies” on a cookie banner is one of the most prominent. Whether you run a website or simply browse on your phone or computer, you will have come across a cookie notice at some point: the site tells you it uses “cookies” to track your activity in order to enhance your “experience”, and invites you to read its policy if you do not want to accept such tracking. It is not just users who need to understand this; business owners who operate websites must understand what a cookie actually is and how it is placed, in order to bring their website into compliance with privacy legislation such as the EU Cookie Directive (formally, the ePrivacy Directive). A cookie policy should:
- Provide detailed information about what cookies are being used by the website.
- Explain in detail what each of these cookies is used for.
- Explain what options the users have in relation to these cookies.
Understanding cookies and their types
Cookies are small text records that a website asks the browser to store on the user's device and send back with every later request to that site. Although a cookie can hold identifiers that single a user out, even without their consent, cookies themselves are not malicious code: they can be viewed and deleted from the browser's settings. Because they can carry identifiers and other data, cookies can contain personal data, and where they do the GDPR applies.
There are three ways of classifying cookies: by how long they last, by where they come from, and by what purpose they serve.
- Duration of the cookies:
- Session cookies: these are temporary and expire as soon as the user closes the browser.
- Persistent cookies: these remain until the user deletes them or the browser removes them at the expiry date set by the site. The lifetime is often 12 months, or tied to a particular action.
- Provenance of the cookies:
- First-party cookies: these are placed on the device directly by the website being visited.
- Third-party cookies: these are placed by a third party, such as an advertiser or an analytics provider, whose content the website embeds.
- Purpose of the cookies:
- Necessary cookies: cookies without which the site cannot provide the service the visitor has asked for, such as keeping a user logged in or keeping items in a shopping basket on shop apps such as Amazon and Flipkart, are strictly necessary. These are typically first-party session cookies; consent is not required for them, but the site should still explain why they are needed.
- Preference cookies: also known as “functionality cookies”, these let a website remember choices the visitor made on earlier visits, such as language, region or username, or a “remember me” login token (the password itself should never be stored in a cookie).
- Statistics cookies: these collect information about how visitors use a website, which pages they visit and which links they click, and the resulting reports are aggregated rather than used to identify an individual. They are used to improve how the website functions.
- Marketing cookies: these track a visitor's online activity to help advertisers deliver more relevant advertising, and share that information with third parties.
The EU's law on personal data, the General Data Protection Regulation (GDPR), gives website visitors the right to receive specific, up-to-date information on what data is recorded about them, for what purpose, and where in the world it is being sent, along with the possibility of preventing this from happening.
The EU Cookie Directive is the amended ePrivacy Directive, which member states had to transpose into national law by May 2011, and it is part of Europe's effort to protect the online privacy of Europeans. It applies not only to business websites and apps located in the EU; non-EU businesses are also subject to enforcement when residents of the European Union visit their websites. Under the Directive, when a European resident visits your site, that person must be informed that cookies are used and must be given the option to refuse them. The only downside for the visitor is a less personalised browsing experience, but the law requires the option to be available regardless.
Consequently, the combination of these two laws, the General Data Protection Regulation and the ePrivacy Directive, led many websites to implement cookie banners so that they could lawfully continue their business practices around personalised advertising, retargeting and analytics.
The GDPR gives users statutory rights over their data, and the controller is obliged to honour those rights. They include:
- The right to access their personal data and information on how it is being used.
- The right to rectify personal data that is inaccurate or incomplete.
- The right to object to activities involving their personal data.
- The right to obtain their personal data for their own purposes (data portability).
- The right to erasure of their personal data where it no longer serves the original purpose.
- The right to restrict processing of their personal data in specific cases.
This is how data protection works in the European Union. But what about countries outside the EU? Most countries have some form of privacy law, but what are the rules on cookies in some of the major markets around the world?
If you decide to write the policy yourself, there are some typical sections that should be included. They can be broken down as follows:
Where can a banner be placed? No law prescribes a method of placement, but it should be clearly visible.
Websites generally present their cookie notices in one of the following ways:
- Fixed footer notification: adding the cookie consent notice to the footer of your website is a sensible default, since most legal links live in the footer and people know to look there for important information.
- Top-header notification: this notification is displayed front and centre at the top of the website, which makes it impossible for visitors to miss.
- Inline top-header notification: GOV.UK, for example, uses a notice in a slightly lighter blue than the site background that sits between the logo line and the “Welcome to GOV.UK” section. Barclays uses a similar inline notification bar between the top section of the site and the start of the page content, which makes it practically impossible to miss.
- Box notification: a small box placed in a fixed position that stays put as you scroll. It works well on mobile phones, where it can occupy a large share of the screen.
- Persistent pop-up: some websites do not let the user interact with the site at all until consent has been given. This is done through a pop-up that persists until a choice is made.
What are Cookies?
Although cookies were created to make the user experience smoother, they have generated a great deal of controversy as concerns about online privacy have grown. Because cookies can track, store and share an individual's activity, websites are legally required to obtain clear consent from their users. This section of the policy is therefore important: it tells users that your website uses cookies and, more specifically, explains what cookies are.
Kinds of cookies that will be used (either by the website owner or by a third party)
Third-party cookies on the site, if any
Users must be informed if any third-party cookies will be used on the website alongside the necessary cookies. This lets them decide whether they are willing to proceed and give valid consent. Third-party cookies may be stored on the user's device, which enables the third party to collect data and show targeted ads there.
Tip for website users: blocking third-party cookies in your browser immediately stops advertisers from using those cookies to track you across sites (though it does not stop other tracking techniques, such as browser fingerprinting).
Opt-out possibilities and consequences
Some users are extremely conscious and protective of their data privacy, as they should be, so offering an opt-out is the considerate thing to do.
- Users should be informed that they have the right to refuse the storing of any such data.
- Lastly, a contact address should be provided for questions and complaints.
- Valid consent from end users to have their personal data processed by cookies and trackers on a website must be an informed, clear, affirmative and unambiguous indication of their wishes. This means that websites may not activate non-necessary cookies that process personal data until after users have given their explicit consent.
Explicit or implied cookie consent mode and its validity around the world
Cookie consent scripts work in one of two main modes, depending on how strict you want to be; this setting is called the consent mode. Where cookies are set on the visitor's computer and the visitor is merely informed that this is happening, the site is relying on implied consent. Under the GDPR, implied consent does not comply with the law, so when dealing with Europeans no non-necessary cookies may be stored without the visitor's informed consent.
It is also worth noting that some EU data protection authorities, in line with the GDPR, now require records of consent to be kept so that the website can prove that valid consent was obtained. Website owners with a global audience therefore generally default to explicit consent. Europe is undeniably far ahead in data privacy, but understanding how cookie consent works elsewhere in the world, where data privacy law may be more or less developed, matters not only to website owners but also to visitors, for their own awareness of their privacy.
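The cookie classification above (session versus persistent, first- versus third-party, purpose categories) and the explicit-consent rule (non-necessary cookies may not be set until consent is recorded) translate into a small amount of server-side logic. The following is an added example written for this article, not code from the original page or from any consent vendor: a minimal consent-gated cookie layer as a Node.js backend might implement it. The cookie names, the purpose registry and the `cc` consent-cookie format are assumptions for illustration, and the third-party check is simplified (a real one would consult the public suffix list).

```javascript
// Added example, not from the original article. Names, categories and the
// "cc" consent cookie format are assumptions for illustration.

// The four purposes the article lists.
const CATEGORIES = ["necessary", "preference", "statistics", "marketing"];

// Assumed registry mapping each cookie the site may set to its purpose.
// Anything not listed here is treated as non-necessary (fail closed).
const COOKIE_REGISTRY = {
  sessionid: "necessary", // login / shopping-basket session
  cc: "necessary",        // the consent record itself must be remembered
  lang: "preference",
  _ga: "statistics",
  _fbp: "marketing",
};

// Build a Set-Cookie header value. Without maxAgeSeconds the result is a
// session cookie (discarded when the browser closes); with it, a persistent
// cookie that lives until the lifetime elapses or the user deletes it.
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAgeSeconds !== undefined) parts.push(`Max-Age=${opts.maxAgeSeconds}`);
  parts.push(`Path=${opts.path || "/"}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  parts.push("Secure");                                 // never sent over plain HTTP
  if (opts.httpOnly !== false) parts.push("HttpOnly");  // hidden from scripts by default
  parts.push(`SameSite=${opts.sameSite || "Lax"}`);
  return parts.join("; ");
}

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const out = {};
  if (!header) return out;
  for (const pair of header.split(";")) {
    const idx = pair.indexOf("=");
    if (idx < 0) continue;
    const k = pair.slice(0, idx).trim();
    if (k) out[k] = decodeURIComponent(pair.slice(idx + 1).trim());
  }
  return out;
}

// Read the consent record (assumed format: cc=necessary,statistics).
// Explicit-consent model: a missing or empty record grants only "necessary".
function grantedCategories(cookies) {
  const granted = new Set(["necessary"]);
  for (const c of (cookies.cc || "").split(",")) {
    const cat = c.trim();
    if (CATEGORIES.includes(cat)) granted.add(cat);
  }
  return granted;
}

// Keep only the cookies the application is allowed to set for this request.
function filterByConsent(wanted, cookies) {
  const granted = grantedCategories(cookies);
  return wanted.filter(({ name }) => granted.has(COOKIE_REGISTRY[name]));
}

// A cookie is third-party when its Domain attribute is neither the site's host
// nor a parent of it. Simplified: ignores the public suffix list.
function isThirdPartyCookie(cookieDomain, siteHost) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = siteHost.toLowerCase();
  return !(h === d || h.endsWith("." + d));
}

// Constructed request: the visitor consented to statistics but not marketing.
function demo() {
  const cookies = parseCookieHeader("sessionid=abc; cc=necessary%2Cstatistics");
  const wanted = [
    { name: "sessionid", value: "abc" },   // session cookie
    { name: "_ga", value: "GA1.1.1" },     // persistent, statistics
    { name: "_fbp", value: "fb.1.1" },     // persistent, marketing (blocked)
  ];
  return filterByConsent(wanted, cookies).map((c) =>
    buildSetCookie(c.name, c.value,
      c.name === "sessionid" ? {} : { maxAgeSeconds: 31536000, httpOnly: false }));
}

demo().forEach((h) => console.log("Set-Cookie:", h));
```

`demo()` emits two `Set-Cookie` headers (the session cookie and `_ga`) and drops `_fbp`, because the recorded consent does not cover the marketing category; with no `cc` cookie at all only `sessionid` survives. Treating unregistered cookie names as non-necessary is the important design choice: a cookie nobody classified must not slip through as if it were essential.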
Cookie Consent in North America
- United States
Canada is stricter than the USA in this respect. The two main privacy laws in Canadian legislation are:
This law recognises two types of consent:
> Express consent: explicit consent given through a specific action.
> Implied consent: consent inferred from the fact that the user was given the option to opt out but did not do so.
This law requires website and app operators to obtain “express consent” before installing certain “computer programs”, and it treats cookies as a type of computer program.
The combination of these two statutes creates a requirement for cookie consent but not necessarily for cookie banners; what matters is that visitors are informed and can opt out. In short, Canadian law does not require express consent for cookies as long as proper information and an opt-out process are provided.
Cookie Consent in South & Central America
Argentina's Personal Data Protection Act requires that websites collect personal information only with express consent given in writing or by similar means. It treats personal information as items such as name, national identity number, occupation, address and phone number. So, are cookies personal information? The law is unclear on this point, but cookies are widely treated as personal information around the world.
The two privacy laws in Brazil are:
- The Civil Rights Framework for the Internet
- The Brazilian General Data Protection Law which came into force in 2020
Neither law refers specifically to cookies; however, both require express consent for collecting personal information. Brazil may therefore require consent for cookies.
In Mexico, the two prominent privacy laws among many are:
- The Federal Law on the Protection of Personal Data Held by Private Parties
- The Privacy Notice Guidelines
Under these laws, consent for cookies is mandatory, except for cookies used purely for technical purposes. An express notice explaining how cookies collect personal information is legally required.
Cookie Consent in Africa
Nigeria’s privacy laws are:
- The National Information Technology Development Agency Act 2007
- The Nigerian Data Protection Regulation 2019
While the 2007 Act makes no express reference to cookies, the 2019 Regulation is built around consent in much the same way as the EU's GDPR, pointing to a strong opt-in or express model in which consent is one of six lawful bases for processing personal information. Nigeria therefore does require consent for cookies.
- South Africa:
The privacy laws in South Africa are:
Cookie Consent in Asia
A myriad of regulations, statutes and court opinions cover privacy law in China. In addition, internet censorship, cybersecurity laws and the “Great Firewall of China” present further challenges to entering the online market. The relevant statutes include:
- The Internet Email Services Regulations
- The Law on Tortious Liability
Interestingly, no Chinese law appears to refer to cookies. It can therefore be tentatively concluded that China does not require consent for cookies.
- Hong Kong:
The main privacy laws in Hong Kong are:
Neither law requires consent for cookies, so it can be concluded that Hong Kong does not require consent for cookies.
As far as India is concerned, there is clearly no comprehensive personal data privacy legislation regulating the use of cookies. The right to privacy was declared a fundamental right in K.S. Puttaswamy v. Union of India, and the court also stated that no information about a user may be used by websites without the user's consent. However, cookies, regardless of their type, are not treated as personal information in India, which benefits websites, since they may place all kinds of cookies on the user's device.
So how are websites regulated if not through any cookie law legislation?
However, these laws are arbitrary and ambiguous about privacy, including in how they define privacy protection, so there is no hard and fast rule comparable to other countries.
What does India need to work on?
- Revising the Personal Data Protection Bill, 2019: the Bill has not yet been enacted and should be modified. It defines personal data as any data about a natural person who is directly or indirectly identifiable from it. Cookies generally do not identify a natural person by themselves and so fall outside this definition. Yet experts point out that personal data cannot always be irreversibly anonymised, so companies that use browsing history to identify individual users run the risk of de-anonymising them.
A study also found that about half of a population can be uniquely identified from place, date of birth and gender alone. The Bill is inadequate for regulating cookies because it sets no standard for what counts as anonymisation, and it should be revised given the gravity of the privacy issues ahead.
- The need for a cookie law:
The main privacy laws in Japan are:
- The Act on the Protection of Personal Information.
- The Act on Regulation of the Transmission of Specified Electronic Mail.
Cookie Consent in Australia
- New Zealand:
The main privacy laws in New Zealand are:
Neither of these laws refers to cookies, so New Zealand does not require consent for cookies.
Determining the Law of Reference
Many users and service providers wonder which privacy laws they must honour. Here is a simple rule of thumb.
Generally, the laws of a particular region apply if:
- You base your operations there; or
- You use processing services or servers based in the region; or
- Your service targets users from that region.
This effectively means that regional regulations may apply to you and your business whether or not you are located in the region. For that reason, it is always advisable to approach your data processing activities with the strictest applicable regulations in mind.
Given the above, the question is how to consciously determine which country's privacy laws apply. In data privacy and protection, the European Union is far ahead of every other jurisdiction in the world. If you are a website owner in the EU, or you deal with EU citizens, your website should comply with the EU's General Data Protection Regulation. At a minimum, such a website must:
- Notify that the website is using cookies.
- Inform users about the types of cookies being used.
- Inform users of the options available if they want to opt out of having the website's cookies stored on their devices.
Situational Legal Requirements
If your website operates in the e-commerce industry, additional commercial laws and industry rules apply.
Business-to-business commerce
Commercial transactions are subject to the applicable contracts, industry guidelines and national law, and whichever governing law they fall under applies to them.
Business-to-consumer commerce
In most countries, consumers must be informed about the following:
- Returns/Refund details.
- Warranty/Guarantee information where applicable.
- Safety Information such as legal address and business name.
- Rights of consumers (such as withdrawal rights), where applicable.
- Seller contact details (e.g., email address).
Other Legal Requirements
Different businesses will need different terms and conditions, but they should at least include the following:
- Identification of the business
- Description of the service that your site or app provides
- Information on risk allocation, liability, and disclaimers
- Warranty/Guarantee information (where applicable)
- The existence of a withdrawal right (if applicable)
- Safety information, including instructions for proper use (where applicable)
- Terms of delivery of product/service
- Rights of use (if applicable)
- Conditions of use/ purchase (e.g., age requirements, location-based restrictions)
- Refund policy/exchange/termination of service and related info
- Info related to methods of payment
- Any additional applicable terms
Third Party Legal Requirements and Obligations
Non-compliance inevitably has legal consequences, which may include the following:
- Fines: regulators bring suits seeking civil penalties, which in the US can exceed US$120,000 per violation, while GDPR fines can reach EUR 20 million or 4% of worldwide annual turnover, whichever is higher.
- Disciplinary measures: in the event of a violation, these include official reprimands and periodic data protection audits. The GDPR gives users the right to lodge a complaint with a supervisory authority if they suspect their personal data is being processed unlawfully.
- Liability for damages: compensating unjust harm is a general principle of civil law. The GDPR gives individual users the right to claim compensation, and some US state laws offer similar routes.
- Criminal law: some jurisdictions also criminalise certain data protection offences, so criminal liability is possible where the statutory conditions are met.
As mandated by the GDPR, the language of the cookie policy must be plain and intelligible, and it must include the following information:
- The type of cookies the website is using.
- The data the website is tracking.
- How long the cookies will stay in a user's browser.
- Why the website uses cookies (for marketing purposes, for example).
- Where the data is sent and with whom your website shares it.
- How to reject cookies and how to change cookie settings.
Consequences of rejection of cookies by the user