This article is written by Arushi Agarwal, pursuing a Diploma in Advanced Contract Drafting, Negotiation, and Dispute Resolution from LawSikho. This article has been edited by Ruchika Mohapatra (Associate, Lawsikho). 

Introduction

We are often directed to the bottom of our web page where we see a tagline “we use cookies for our websites” which we must either accept or not accept. But do we know what cookies are? Cookies are small texts which are used and developed by the creator of the website so that our valuable information is stored in the program’s data. 

• Cookies generally keep a track record of the information we have access to, by remembering our registered sign up or login credentials. 
• Cookies are often indispensable for websites that have huge databases, need logins, have customizable themes, and other advanced features.

That is why you must have noticed that after signing into a website and closing it when you come back, the website seems to remember your id and most probably your password. The cookies present on the website would have saved this data before you closed the window in your previous visit to the website.

What are the different types of cookies?

Cookies are usually used as a fast-track method of storing information and a website operator may use different types of cookies to recognize the online pattern of remembering our actions. 

Session cookies 

These types of cookies are used by commercial platforms where online shopping is done. These types of cookies expire once you go back to the web homepage, and you are no longer using that page. They are temporary and they memorize your online activities. In fact, with every click you  make, the website treats you as a completely new visitor. 

Persistent cookie 

Also known as first-party cookies, these cookies work by tracking your online preferences. When you visit a website for the first time, it is at its default setting. But if you personalize the site to fit your preferences, persistent cookies will remember and implement those preferences the next time you visit the site. This is how computers remember and store your login information, language selections, menu preferences, internal bookmarks and more.  These cookies are stored in your hard disks for preferably a longer period. 

Third-party cookies 

These types of cookies are set by the website which constantly monitors the activity of each user; for example, say a LIKE button on Facebook. Each user who likes the post on a social media platform is tracked by the help of third-party cookies and according to that, preferences are set. When we like a post on Facebook, similar posts are updated due to our previous likes and preferences set and saved by the cookies. 

One can enable/ disable third-party cookies in the setting menu. Third-party cookies are identifiable in the forms of marketers and advertisers. We receive so many SPAM texts and emails because of the use of third-party cookies as third party cookies keep a regular check on all tabs that are functional within a window. If we fill our login id and credentials on the login web page, it saves the information to create spam emails and ads. 

What is a cookie policy?

A cookie policy is adopted by the website operators according to their convenience which is identifiable once we start using a website. This is a policy solely dedicated to tracking the behaviour of their online customers. It involves a set of customization practices where a person can customize his/her cookies according to his/her needs and development: for instance, when you visit a webpage of the United Nations there is a preference given to choose and select a language that you are comfortable with which lets you access that information in that language.

Requirement of a cookie policy

Millions of websites use the cookies banner to make the overall experience of a visitor of a page wholesome and fruitful. It is advisable these days to have a cookies banner which allows them to track and contact the users about data-related concerns. Each website has its well drafted cookie policy these days to ensure a smooth functioning of the website.

There is a well designated ‘Cookie Law’ of the European Union also known as the ePrivacy directive that directs all countries that are a part of the EU to set up laws requiring websites to obtain informed consent before they can store or retrieve information on a visitor’s computer or web-enabled device. It ensures transparency and shows that the website operator sensitises the user regarding the usage of cookies and that there is due respect for the privacy of the user.

If a website adopts a cookie policy, it enhances the credibility of a business owner in the market and maintains that trust with the global community by respecting its privacy concerns and in turn safeguarding the future by adopting comprehensive data protection and privacy laws and regulations. Other reasons as to why having a cookie policy is essential are:

• Transparency: There is clear communication of knowledge regarding cookies and how they are deployed by the website. It brings in more visitors and maintains trust between the operator and the visitor.
• Consent is implied: One must be aware that when you sign-up for a website while filing your credentials, you accept the privacy policy and in turn, there is an implied consent to accept the cookies too. It helps the operators in the future.
  If certain users complain that they were not aware of the cookies storing their information, website owners can take this defence. This information should be disclosed by the operators in their policy to avoid future disputes. 
• Limited liability: There are many policies hidden in the content of the website that are not visible to the user of the website. So, if we accept all the cookies at once, our relevant data is shared and passed on from one entity to another entity. The creator in this situation plays an important role, and he must disclose on the webpage to disable these cookie policies as well as list these cookies too on the page that share our data. 

The advantages and disadvantages of having a cookie policy

Advantages of cookies

• Online experience- The one major pro of cookies is that almost all e-commerce websites use cookies due to which as a user if you save something in your Wishlist, it remains intact even when you leave that website.
• Submitting forms- Cookies are very useful when we fill a google form. It stores valuable data like our names and phone numbers which often saves a great amount of time rather than filing all the data again and again.
• Personalisation- Cookies are useful when we want to customize our preferences according to our tastes, whether it is to visit a web page that stores our language preference or visiting a web page of a reading column.
• Content suggestion- We often visit our favourite e-commerce site which saves our preferences by keeping in mind our previously selected items and segregating them into the option of ‘related searches’. 

Disadvantages of cookies

• A threat to our privacy- Some websites have cookies by default where our valuable data is stored into their networks for a longer period which in turn saves into the browsing history and IP address. 
• Local storage- These ‘little’ website cookies are actual files stored on your hard disks. The more you visit the websites, the more they get stored. As they build over time, they can take up quite a bit of storage space on your computer/mobile device thereby even slowing down these devices. 
• Unauthorisation- Some operators have fraudulent intentions where they design cookies in such a way to hack and steal your personal online information which is stored and later often sold   to  third party entities. 

How to draft a cookie policy for your website and are the essential clauses?

The website operators need to have both a privacy and a cookie policy while deploying a website. However, if you are disclosing and indicating a privacy policy and cookie policy, both should be mentioned separately in the main privacy policy of the website.

The most integral parts while drafting a cookie policy:

• A detailed explanation of the cookies used by the operators as discussed above i.e., the technologies used, and the list of specific cookies used. 
• Describing the first-party cookie, if any.
• Describe the third-party cookies, if any and explain in brief how they work. 
• While drafting, an important point that should be kept in mind is that the average person must understand the policy and therefore language has to be simple enough for a layman to be able to grasp it.
• While drafting the main policy for the cookies, one must keep a note that all the essential clauses covered are in sync with the local and international privacy laws. If a website developer is developing a website in India that will involve European users, then due regard must be given to the privacy laws of India as well as the GDPR. 

Cookie policy in relation to GDPR

Generally, cookie policy in the language of EU law is known as the ‘Cookie Law’ in compliance with the regulations of the GDPR where browsing activities of cookies is mentioned in Recital 30 with support with Recital 26. 

Recital 30 states that if a cookie can identify any individual via a device, it is known as personal data. It also states that any verified type of data can identify an individual either directly or indirectly. The GDPR mostly lays down the rules of how an individual is identified through cookies and mentions the policy regarding the same.

To use cookies, these regulations are to be followed according to the GDPR: 

• Consent: It should be free, informed, specific, and not vague which is the topmost priority of the GDPR which says that communication of information relating to the use of cookies is essential and must be done most transparently.
• Consent is affirmative: To ensure this, the operators need to give options between opt-in-boxes and accept buttons for cookies from the pop-up bar instead of pre-ticked boxes which can attract the scrutiny of the GDPR and strict penalties. However, there is a grey area here. Many websites inform you regarding the usage of cookies but do not give you the option of browsing the website without the use of cookies. This is not completely in compliance with data privacy laws and should not be followed by website developers. 
• The choice for data subjects: The data subjects must also have the choice to choose and accept certain cookies according to their preferences and have the full authority to accept and decline all the cookies or select some preferential ones. As mentioned above, it is not completely followed in spirit by many websites. 
• Full access to the websites: If the data subjects reject all the cookies and do not select preferential cookies, they still should have full access to use the website without any hindrance and not just specifically be accessed to a part of the information on the website. 

Conclusion

A cookie policy is a legal document that provides information about the various types of cookies that are being used by your website or app, what those cookies do, and how users of the website can control their cookie preferences. The user should be given access to a website’s cookie policy by providing links to the policy on the homepage or places where the user can have easy access to the link or it can also be advertised via a cookie consent banner. While in the US there are no laws mandating that a cookie policy and a privacy policy are to be dealt with separately, in the UK there is a need to have dedicated cookie policies. The primary goal while drafting a cookie policy is not just ensuring that all essential elements are included but also ensuring that the language is easy enough for a layman to comprehend. In addition to the cookie policy, a website can also inform its users about any other tracking technologies employed by the site like web beacons or pixel tags. 

References

1. https://www.cookiebot.com/en/cookie-policy/#:~:text=A%20cookie%20policy%20is%20a,world%20this%20data%20is%20sent.text=Whereas%20most%20of%20the%20remaining,dynamic%20and%20 might%20change%20often. 
2. https://www.nttdata.com/global/en/cookie-policy. 
3. https://termly.io/resources/templates/cookie-policy-template/. 
4. https://www.freeprivacypolicy.com/blog/sample-cookies-policy-template/. 

---

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:https://t.me/joinchat/L9vr7LmS9pJjYTQ9

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.