This article is written by Muheeb. This article has been edited by Ojuswi (Associate, Lawsikho).
This article has been published by Sneha Mahawar.
What are cookies
Cookies are small pieces of data, normally stored in text files, that a website creates when you visit it. They hold a series of information, from your username and password to details that are very specific to you, which can be used to identify your device while you use the network.
Cookies exist because web pages are stateless: a page cannot retain or store information, nor can it pass information on to another page. This limited what web technology could do, and cookies were created to overcome that limitation. At their core, cookies are a memory for web pages; they store the data generated by the user, either temporarily or permanently. The data held in a cookie is created by the server when you connect. After you connect, an ID that is unique to you and your device is added to the data.
Cookies can be used to watch the pages you visit across sites, allowing advertisers to build a picture of your interests. When you then land on a site that shows one of their ads, the ad can be tailored to those interests, because whenever a cookie is exchanged between your computer and a network server, the server reads the ID and knows what information to serve specifically to you. This is generally known as “behavioural advertising”, as it targets your behaviour.
Types of cookies
There are two main types of cookies:
Temporary cookies
Session cookies are temporary cookies. They store information about your current session and are erased when your browser is closed. So, when you open Google Chrome or Firefox and start to type something, a session is created which tracks and stores, temporarily, all the information you were looking for, even the security information, which does seem invasive of your privacy.
Permanent cookies
Permanent cookies, on the other hand, sometimes called persistent or stored cookies, are placed on your device’s hard drive and are not deleted when your browser is closed. The word “deleted” is key here: in the previous case, what you searched for was limited to that session, but in this case the cookies are stored in a more permanent form.
Example: when you input a password, a pop-up appears asking “whether you want to save the information for later use”; saving it ensures these cookies recognise you whenever you come back to resume your search. Permanent cookies are important because they continuously track your patterns and behaviour to improve the user experience and provide data for that particular site’s analytics program.
Browser-independent cookies
Browser-independent cookies, more commonly known as Flash or Silverlight cookies, act a lot like permanent cookies, except that they are not stored by your browser. Instead, the respective program’s own files store them and use them to build up their data. What makes this worse is that these cookies are much harder to delete than the other two, as you may need a separate program to remove them, e.g., Adobe Flash Cookie Remover.
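The session/permanent distinction above comes down to whether a Set-Cookie header carries an expiry. The following Python is an added example (not the article’s own code) that classifies constructed sample headers the way a browser would, including the edge cases of a malformed Max-Age and a Max-Age of zero, which deletes the cookie:

```python
"""Classify Set-Cookie headers as session or persistent cookies.
Added example (not the article's code); sample headers are constructed."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Fixed reference time so results are reproducible (constructed value).
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed Set-Cookie header values; no real site is involved.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly; Secure",                # session
    "prefs=dark; Max-Age=2592000; Path=/; SameSite=Lax",   # 30 days
    "track=xyz; Expires=Wed, 01 Jan 2025 00:00:00 GMT",    # persistent
    "gone=; Max-Age=0",                                    # deletion
    "bad=1; Max-Age=notanumber",                           # ignored attr
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def classify(header, now=None):
    """Return (name, kind, seconds_remaining); kind is 'session',
    'persistent' or 'expired'. Max-Age wins over Expires (RFC 6265 s5.3);
    a malformed attribute is skipped, and Max-Age <= 0 or a past Expires
    means the browser deletes the cookie instead of storing it."""
    if now is None:
        now = datetime.now(timezone.utc)
    name, _value, attrs = parse_set_cookie(header)
    remaining = None
    if "max-age" in attrs:
        try:
            remaining = int(attrs["max-age"])
        except ValueError:
            pass
    if remaining is None and "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            remaining = int((expires - now).total_seconds())
        except (TypeError, ValueError):
            pass
    if remaining is None:
        return name, "session", None
    return name, "persistent" if remaining > 0 else "expired", remaining
```

Running `classify` over `SAMPLE_HEADERS` with `now=FIXED_NOW` labels the first and last cookies as session cookies and the others as persistent or expired.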
Why was the use of cookies regulated?
While cookies are incredibly useful, many corporations use them to manipulate your web experience, in the form of unwarranted advertisements and invasions of privacy, since the information you enter on a web page can easily be shared with a third party.
Therefore, the Cookie Law made it mandatory for websites to obtain consent from their visitors before storing or retrieving any information on any device used to access the website, including a computer, smartphone, or tablet. This gave consumers like you the choice of whether to permit these web pages to use your information.
Cookie law on a global scale began with EU legislation. The Privacy and Electronic Communications Directive 2002/58/EC (the “ePrivacy Directive” or “ePD”) was the first EU legislation to regulate the use of cookies and trackers and the processing of personal data of web users inside the European Union. Although the ePrivacy Directive regulates cookie usage, email marketing, data minimisation, and other aspects of data privacy, since cookies are the most common such technology in use today, the ePrivacy Directive came to be known as the Cookie Law.
A brief overview of the e-privacy directive and its requirements
The Directive introduced new requirements for websites to obtain prior consent from visitors before storing or retrieving information on their devices. Additionally, website owners must inform users of the cookies they use and how they will be used. This applies to all websites, regardless of where they are hosted; however, strictly necessary cookies are exempt from this requirement. The Directive accepts that cookies are a useful technology but recognises that they can also affect user privacy. It therefore mandates that a website must comply with the following:
- The requirement to provide clear and precise information about cookies (including strictly necessary ones) and their purpose when users visit a website
- The requirement to obtain prior consent before storing cookies on users’ personal devices
- The requirement to give users the option to refuse consent to the use of cookies
- The requirement to make every aspect of cookie handling, such as requesting consent to access cookie information, offering an opt-out, and accepting or rejecting consent, as user-friendly as possible
- Access to specific website content may be made conditional on the informed user’s consent if the cookies are used for a legitimate purpose
For your understanding, the difference between the Cookie Law and the flagship EU General Data Protection Regulation (“GDPR”) lies in the territorial scope of the two laws. On the one hand, the ePrivacy Directive applies only to organisations that process personal data within the European Union and provide services over electronic communications. The GDPR, on the other hand, is far broader: it applies to all companies and organisations, regardless of where they are based, that supply goods and services to consumers in the EU or collect and process the personal data of website users located within the EU.
In 2017, the EU proposed a regulation referred to as the ePrivacy Regulation (ePR), which would repeal the ePD. Unlike the Directive, it will be directly binding across all member states once it comes into effect. The final draft is expected to address some concerns regarding cookie consent. Two major differences from the Directive are that websites will no longer be able to rely on ‘legitimate interest’ as the basis for using cookies, and that the Regulation’s territorial scope is expected to be similar to that of the GDPR.
As per recent developments, the final effective date remains unknown, and with a 24-month transition period, it is unlikely to be before 2023.
“Cookie” laws around the world
The EU ePrivacy Directive is not one size fits all: different countries within the EU may have their own variations of the Directive and its compliance requirements. However, the core rules and compliance requirements must follow the Directive’s provisions. The EU cookie law (ePrivacy Directive) is enforced by each EU member state’s data protection authority, consistent with national law. Outside the EU, the ePrivacy Directive may have formed the blueprint for cookie law; however, a few other countries, apart from the European Union, also regulate cookies and play an important role in shaping the global privacy landscape.
USA (United States of America)
There is no general cookie law in the US. However, some states have privacy laws that regulate how websites manage their residents’ personal data and use cookies. More importantly, as of 2022, four US states have signed data privacy laws that are currently either in force or set to go into effect in 2023:
- California Consumer Privacy Act (CCPA), in effect from January 1, 2020
- Virginia Consumer Data Protection Act (VCDPA), in effect from January 1, 2023
- Colorado Privacy Act, in effect from July 1, 2023
- Utah Consumer Privacy Act, in effect from December 31, 2023
The definition of personal information under the CCPA, currently the only US cookie law in force, also extends to digital identifiers such as cookies. It requires websites to inform users about the cookies set by the site, their source, their purposes, and with whom the information is shared. The CCPA also has an explicit requirement for an “opt-out” option that the website must provide to its users. The opt-out choice enables the user to withdraw consent for the website to process their personal data. This option has to be clear and understandable from a layman’s perspective.
UK (United Kingdom)
Before Brexit, the data privacy landscape within the UK comprised the flagship GDPR, a variation of the ePrivacy Directive, and the UK Data Protection Act 2018. Post-Brexit, however, the UK is no longer bound by the EU cookie law or the GDPR unless a business there uses EU individuals’ personal data to offer goods and services or to monitor their behaviour.
Hence, the UK adopted its own version of the GDPR. The UK GDPR is borrowed word-for-word from its EU version, so its restrictions and requirements predominantly follow the text of the EU GDPR. Furthermore, the UK adopted the Privacy and Electronic Communications Regulations (PECR), derived from the EU ePrivacy Directive, to protect personal data collected via electronic communications networks or services.
PECR also has clauses on cookies. Its core requirement is transparency on the part of websites: they have an obligation to inform users of, and explain, the purposes behind the cookies they set. Like its counterpart, the ePrivacy Directive, PECR addresses cookies and the validity of consent, with a focus on informed, explicit, specific, and revocable consent.
India
India has neither comprehensive personal data privacy legislation nor specific legislation regulating the use of cookies. K.S. Puttaswamy v. Union of India is the landmark case on the right to privacy. The apex court declared that the right to privacy is a fundamental right guaranteed by the Constitution of India. Furthermore, it laid the foundation for data protection laws by emphasising the mandatory requirement of obtaining a user’s consent before accessing or using the user’s personal information. The limitation of this observation, however, is that the definition of personal information does not include cookies within its ambit. This gives websites the leeway to wilfully ignore and remain non-compliant with data security standards like IS 174782, a certification ensuring compliance with well-implemented privacy practices prescribed to the entity, resulting in both necessary and unnecessary cookies being issued without the user’s consent, or with consent obtained fraudulently.
Issues with cookie laws and the requirement to address these issues
While on paper the cookie laws around the world are fairly straightforward about how cookies must be handled, a few issues do surface, through both legislative limitations and wilful disregard.
Regulatory bureaucracy or willful non-compliance
Most websites simply ignore the requirements of the cookie law. The opt-in feature required by the Directive is either too simple (paving the way for accepting all cookies) or too complicated (making it hard to find the reject button for non-essential cookies).
In an interview conducted by a TechCrunch team with Max Schrems, a long-time privacy campaigner and noyb’s president, he said: “A whole industry of consultants and designers develop crazy click labyrinths to ensure imaginary consent rates. Frustrating people into clicking ‘okay’ is a clear violation of the GDPR’s principles. Under the law, companies must facilitate users’ expression of choice and design systems fairly. Companies openly admit that only 3% of all users want to accept cookies, but more than 90% can be nudged into clicking the ‘agree’ button.”
“Instead of giving a simple yes or no option, companies use every trick in the book to manipulate users. We have identified more than 15 common abuses. The most common issue is that there is simply no ‘reject’ button on the initial page.”
Moreover, the TechCrunch team, speaking to a noyb spokesperson, asked about the prevalence of cookie abuse across the European Union based on the data noyb had collected. The reply highlighted that from an initial intake of 5,000 websites, which had to be reduced to 3,600 websites for focus, they were able to identify approximately 3,300 websites that violated the GDPR’s norms.
(Source: Natasha Lomas’ article on TechCrunch)
Legislative limitation: cookie pop-ups
In terms of legislative limitations, cookie pop-ups are a cause for concern, as some cookie banners are not user-friendly and do not give enough information to fully educate people about what data will be collected and how it will be used. Omitting vital information, using complicated language, or creating barriers to denying consent is borderline fraud, and the consent acquired in this way is fraudulently obtained, as these practices make it difficult for users even to understand what they are consenting to when they click the “accept cookies” button.
Factors contributing to the problem of cookie pop-ups:
- Ignorance on the part of visitors and incomprehension of what information is being saved
- Denying access to the website when the cookie pop-up is rejected
- Deceptive cookie banners offering false choices: a 2019 study by Célestin Matte, Nataliia Bielova, and Cristiana Santos examined the effects of cookie banners and found violations on 54% of the websites the researchers analysed. The violations included providing no mechanism for refusing consent and collecting data even after users had refused consent.
Conclusion
Two decades of technological advancement have brought us to a position where the internet can regulate and influence the decisions we make. The younger generation is even more susceptible: without understanding the consequences and uses of personal information, they fall prey to impulsive buying and invasions of privacy, among other things. While cookie laws governing and regulating this behaviour and ensuring a safe space online are being implemented both inside and outside the European Union, the issue might be better categorised as wilful non-compliance with these regulations rather than a lack of legislation. As tech giants grow increasingly frantic over higher administration costs, the newer requirement of informed consent makes the rules even stricter, but the lack of enforcement of these regulations is what needs to be addressed going forward. Penalties could be increased drastically, special enforcement courts or tribunals could be set up to address consumer grievances, and watchdog NGOs like noyb could be partnered with regulatory bodies to oversee and rectify any and all violations.