This article is written by Pankaj Rathi, pursuing Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.
In December 2020, France’s data protection agency, the CNIL, fined Amazon Europe 35 million Euros for dropping advertising/tracking cookies on users’ computers from the page amazon.fr without obtaining prior consent and without providing adequate information. This reignited the debate surrounding Big Tech companies tracking their users’ online behaviour in an unrestricted manner. While Europe, with its strong laws like the GDPR and the ePrivacy Directive, has to a certain extent been able to investigate and curb the unlawful activities of online players that violate privacy and data protection standards, the situation in India remains largely undebated and underrated because of the lack of strong data protection laws, coupled with the absence of regulatory oversight. In this context, the article seeks to answer the question of whether Amazon India’s cookies policy complies with the present framework of the law (Information Technology Act, 2000) as well as with the much anticipated new data protection Bill (Personal Data Protection “PDP” Bill, 2019).
What are cookies?
- First-party cookies are those managed directly by a website/app when users visit it.
- Third-party cookies are created by domains other than the website (or domain) that you are visiting. Third-party cookies are generally used for cross-site tracking and online advertising purposes. They are also present when the site/app uses third-party services to incorporate, for example, images, social media plugins, or advertising.
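The first-party/third-party distinction is decided by comparing the registrable domain of the cookie with that of the page being visited; this is the same split that browser cookie settings expose, and it is the kind of check an auditor runs to count how many cookies a page drops and how many of them serve advertising. The script below is an added example written for this article, not Amazon's code or an official tool; the page URL, cookie names, domains and purposes are constructed sample data, and the registrable-domain rule is a simplified stand-in for the Public Suffix List that a real audit tool would consult.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample capture (not real Amazon cookies): the page that was
# loaded and the cookies observed afterwards as (name, Domain attribute,
# purpose declared in the site's cookie notice).
PAGE_URL = "https://www.example-store.in/"
OBSERVED_COOKIES = [
    ("session-id", ".example-store.in", "essential"),
    ("cart-token", "www.example-store.in", "essential"),
    ("ad-user-id", ".ad-network.example", "advertising"),
    ("analytics-uid", ".metrics.example", "analytics"),
    ("retarget-id", ".tracker.example", "advertising"),
]

# Assumption: a small hand-written approximation of eTLD+1. A production
# audit tool would use the Public Suffix List instead of this heuristic.
COUNTRY_SECOND_LEVELS = {"co", "com", "net", "org", "ac", "gov"}


def registrable_domain(host):
    """Return the registrable domain (eTLD+1) of a hostname or cookie Domain.

    A leading dot (cookie Domain syntax) is ignored. 'www.example-store.in'
    and '.example-store.in' both map to 'example-store.in'.
    """
    labels = host.lower().strip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in COUNTRY_SECOND_LEVELS
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])  # e.g. shop.example.co.in -> example.co.in
    return ".".join(labels[-2:])


def classify(cookie_domain, page_url):
    """Label a cookie first-party or third-party relative to the page visited."""
    page_host = urlsplit(page_url).hostname
    same_site = registrable_domain(cookie_domain) == registrable_domain(page_host)
    return "first-party" if same_site else "third-party"


def audit(cookies, page_url):
    """Summarise a capture: total count, party split and purpose split.

    Returns a dict so the result can be inspected or asserted on directly.
    """
    rows = [(name, dom, purpose, classify(dom, page_url))
            for name, dom, purpose in cookies]
    return {
        "total": len(rows),
        "by_party": dict(Counter(row[3] for row in rows)),
        "by_purpose": dict(Counter(row[2] for row in rows)),
        "rows": rows,
    }


if __name__ == "__main__":
    report = audit(OBSERVED_COOKIES, PAGE_URL)
    print(f"{report['total']} cookies set when loading {PAGE_URL}")
    print("by party:  ", report["by_party"])
    print("by purpose:", report["by_purpose"])
    for name, dom, purpose, party in report["rows"]:
        print(f"  {name:<14} {dom:<24} {party:<12} {purpose}")
```

Run against a real capture, the `by_party` and `by_purpose` tallies are exactly the information a user cannot get from the browser's first-party/third-party toggle alone: the toggle hides which third-party domains are involved and what each cookie is for.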
Present framework of Indian law governing cookies
“We use “cookies” and other unique identifiers, and we obtain certain types of information when your web browser or device accesses Amazon Services and other content served by or on behalf of Amazon on other websites. Click here to see examples of what we collect.”
In the examples section, it mentions, amongst others, IP address, browser version, login, email address, and password, phone numbers, the location of your device, time zone content interaction information, device metrics, purchase and content use history, products and content you viewed or searched for, length of visits to certain pages, etc. as collected data.
Though not all cookies collect personal data (e.g. those which are essential for the functionality of websites), much of the data collected (see the examples mentioned above) is in the nature of personal information or data under Rule 2(i) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (enacted under section 43A of the Information Technology Act, 2000 and hereinafter “SPDI Rules, 2011”) and may also come under the definition of sensitive personal information or data (hereinafter “SPI”) under Rule 3. Not to forget, third-party cookies may also gather similar information about the users. Therefore, data collection through cookies by Amazon must comply with the SPDI Rules, 2011.
The SPDI Rules provide that while collecting information, including personal information and SPI, the provider of information, i.e. the user, must be informed of the information being collected, the purpose of collection, and the intended recipients of the information. Further, any information that is collected shall be used only for the purpose for which it has been collected.
Amazon India’s compliance with SPDI Rules, 2011: a reality check?
At the outset, it is to be highlighted that Amazon India does not properly classify the information collected through cookies into personal information, sensitive personal information or non-personal information. In the absence of such classification, it becomes difficult to assess Amazon India’s compliance with the SPDI Rules, which impose different sets of obligations for different categories of information.
PDP Bill overview
The PDP Bill provides a wide definition of personal data or information which includes any data that can identify an individual, directly or indirectly, including inferences made about such individuals (Section 2(28)). Any information which allows an individual to be specifically targeted, whether online or offline will fall within this definition. Hence, IP addresses, web cookies and device IDs are also personal data if they can identify an individual. In addition, information such as location data, time zone or other information can similarly be combined to identify an individual, and such combinations would also fall under the scope of the PDP Bill. It also has a wider definition of sensitive personal data.
- The Bill casts a duty on data fiduciaries like Amazon to take the consent of the data principal, i.e. the user, before collection of personal data (Section 7).
- Such personal data can be processed only for the specific and clearly defined purposes for which the data principal has consented, or which are incidental to or connected with such purpose (Section 5).
- Data should be collected only to the extent necessary for such purpose (Section 6).
- Section 11(4) further provides that the provision of any goods or services cannot be made conditional on consent where the processing of personal data is not necessary for that purpose.
- Consent must also be free, informed, specific, clear by meaningful affirmative action, and capable of being withdrawn (Section 11(2)). Moreover, explicit consent is required in the case of sensitive personal data collection.
The data fiduciary is required to give notice to the data principal at the time of collection of personal data, including: the purpose of collection; the nature and categories of personal data being collected; the identity and contact details of the data fiduciary and the data protection officer, if applicable; the procedure for withdrawal of consent; the basis for such processing and the consequences of failure to provide personal data; the persons with whom the personal data may be shared; information regarding any cross-border transfer of personal data; the period for which the personal data will be retained; and the procedure for grievance redressal. Such notice shall be clear, concise and easily comprehensible to a reasonable person, and in multiple languages where necessary and practicable (Section 7(2)).
Amazon India’s cookies policy: analysing the present through the lens of the future
As per the PDP Bill, Amazon India is required to give notice at the time of collection of personal data. However, Amazon fails to provide any cookie banner or similar notification to users before collection. Moreover, by the mere opening of the website, Amazon stores cookies on the user’s system, giving him no choice to refuse consent.
Through its cookies notice, Amazon India does seek to give some information about the purposes for which cookies are deposited; however, this constitutes only a general and approximate description of the purposes of all the cookies deposited, and there is no mention of the means available to the user to object to the setting of cookies. Moreover, it does not mention the nature and categories of cookies that collect the different sets of data, namely personal information, sensitive personal information, and non-personal information or data.
It is also to be noted that regardless of the user’s journey, whether he or she goes to Amazon.in’s homepage or visits a product page on the site via an ad, around 49 cookies were deposited on the user’s terminal, out of which 45 cookies relate to advertising and targeting purposes. This clearly falls foul of Section 6 of the PDP Bill, which seeks to limit the collection of personal data to the extent necessary for the purpose of processing. It also goes against the spirit of the privacy by design principles enshrined in Section 22 of the Bill. As a concept, privacy by design means that privacy, as a fundamental core value, should be incorporated into the organisation’s functions, systems and technology by default. It focuses on a user-centric design of business operations that respects the privacy of users as the uppermost priority. Amazon India’s cookies policy requires much amendment to be in consonance with privacy by design principles.
Third party cookies
The privacy of users is in further potential danger due to cookies set by third parties through Amazon.in. The cookies policy of Amazon India states:
Approved third parties may also set cookies when you interact with Amazon services. Third parties include search engines, providers of measurement and analytics services, social media networks, and advertising companies.
As per the PDP Bill, the intended recipients of personal data, as well as the persons with whom the personal data may be shared by the data fiduciary, must be disclosed clearly to the users. However, merely mentioning third parties in a generic way, without specifying the recipients, goes against the spirit of the PDP Bill. It is to be noted that Amazon, in the EU and UK, does name the third-party entities that set cookies along with the purposes of the specified cookies. Moreover, Amazon also absolves itself of any liability related to third-party cookies. This creates a somewhat ironic situation wherein Amazon takes the consent of its own website users to enable third parties to collect their data, and at the same time disclaims responsibility for how those third parties process this personal data. It reflects a clear lack of any linkage between the users’ consent to the collection of data and the processing of the same.
The situation becomes more complex if the third parties who set cookies are also considered data fiduciaries, as they do determine the means and purposes of the collection of users’ personal data. If that is so, then the third-party cookies installed through Amazon.in are in gross violation of the data fiduciary obligations under the PDP Bill.
Further, Amazon’s cookies policy prescribes browser settings as the means to manage cookies. However, these settings only allow users to opt out on the basis of cookie domain classification (first-party versus third-party cookies), without giving any other choice. They do not help the user identify whether the cookies set by a particular site are first-party or third-party, the purpose or functionality of such cookies, or any other relevant information that could help the user make an informed choice. Nevertheless, in some cases in different European countries, browser settings are considered an acceptable means of withdrawing consent.
At the same time, it also needs to be accepted that the present PDP Bill has no provision for regulating third-party cookies. Several privacy risks are presented by third-party, persistent, targeting cookies: they contain a significant amount of information about the user’s online activity, preferences, and location. The chain of responsibility (who can access a cookie’s data) for a third-party cookie can get complicated as well, only heightening the potential for abuse.
Therefore, similar to the ePrivacy Directive of the European Union, which supplements the GDPR and covers cookies and other related technologies used for storing and accessing information on a user’s equipment such as a computer or mobile device, India also needs to adopt similar rules or regulations to supplement the PDP Bill, since users have a right to know the number and types of cookies a site hosts so that they can give informed consent regarding their personal data.