
This article is written by Pankaj Rathi, pursuing Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.

Introduction

In December 2020, France’s data protection agency, the CNIL, fined Amazon Europe 35 million Euros for dropping advertising/tracking cookies on users’ computers from the page amazon.fr without obtaining prior consent and without providing adequate information. This reignited the debate surrounding Big Tech companies tracking their users’ online behaviour in an unrestricted manner. While Europe, with strong laws like the GDPR and the ePrivacy Directive, has to a certain extent been able to investigate and curb the unlawful activities of online players that violate privacy and data protection standards, the situation in India remains largely undebated and underrated owing to the lack of strong data protection laws and the absence of regulatory oversight. In this context, the article seeks to answer whether Amazon India’s cookies policy complies with the present framework of the law (Information Technology Act, 2000) as well as with the much anticipated new data protection Bill (Personal Data Protection “PDP” Bill, 2019).

What are cookies?

A cookie is a small text file that a web page or website stores in the user’s browser memory (session cookies) or on the user’s device storage (persistent cookies), allowing the website to identify the user and remember his/her preferences. It also allows the website to monitor how you use the site. In other words, cookies provide information to the website which helps it build profiles of its users for future marketing purposes, improve the site for a better user experience, or detect and prevent site misuse. For example, Amazon uses cookies to save your account information for various activities on the site so that you don’t have to fill in information every time you visit, to remember your shopping cart items, and also to deliver personalised ads and product suggestions. Generally, cookies are classified into two categories based on their source: first-party cookies and third-party cookies.

  • First-party cookies are those set and managed directly by the website/app the user is visiting.
  • Third-party cookies are created by domains other than the website (or domain) that you are visiting. They are generally used for cross-site tracking and online advertising purposes, and are also set when the site/app embeds third-party services such as images, social media plugins, or advertising.

For example, when a user visits Amazon.in, that website is the “first party.” If Amazon.in partners with an advertising network, platform, or exchange to place ads on its website, the network, platform, or exchange is the “third party.” The advertising network uses cookies when the user visits Amazon.in to help it select and serve the best ads. These cookies are considered “third-party cookies.” 
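The classification the article describes (first-party versus third-party by the domain a cookie is scoped to, session versus persistent by whether it carries a lifetime) is what a privacy auditor checks against a site’s cookie notice. The following Python script is an added example, not code from the article or from Amazon: the hosts and Set-Cookie headers are constructed, and `registrable_domain` is a simplified stand-in for a Public Suffix List lookup (assumption). It also flags third-party setters that a notice fails to name, the “generic mention of third parties” gap discussed later in the article.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: hypothetical hosts and headers, not captured from any real site.
VISITED_SITE = "https://shop.example.in/"
CAPTURED = [  # (URL of the response that set the cookie, Set-Cookie header value)
    ("https://shop.example.in/", "session-id=abc123; Path=/; Secure; HttpOnly"),
    ("https://shop.example.in/", "cart=3items; Max-Age=31536000; Path=/"),
    ("https://cdn.shop.example.in/app.js", "theme=dark; Max-Age=86400"),
    ("https://ads.adnetwork-example.com/px.gif", "uid=9f8e; Domain=.adnetwork-example.com; "
     "Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure"),
]
AUDIT_TIME = datetime(2021, 1, 15, tzinfo=timezone.utc)  # fixed so the numbers are reproducible

@dataclass
class CookieRecord:
    name: str
    set_by: str                     # host that set the cookie
    party: str                      # "first" or "third", relative to the visited site
    retention_days: Optional[int]   # None = session cookie (no Expires/Max-Age)

def registrable_domain(host: str) -> str:
    """Last two labels as an eTLD+1 stand-in; a real audit uses the Public Suffix List (assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_set_cookie(url: str, header: str, now: datetime, site: str = VISITED_SITE) -> CookieRecord:
    """Classify one Set-Cookie header by party and by session/persistent lifetime."""
    name_value, *attr_parts = [p.strip() for p in header.split(";")]
    attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in attr_parts)}
    host = urlsplit(url).hostname
    scope = attrs.get("domain", host).lstrip(".")   # a Domain attribute widens the cookie's scope
    party = "first" if registrable_domain(scope) == registrable_domain(urlsplit(site).hostname) else "third"
    if "max-age" in attrs:                          # Max-Age takes precedence over Expires (RFC 6265)
        retention = int(attrs["max-age"]) // 86400
    elif "expires" in attrs:
        retention = (parsedate_to_datetime(attrs["expires"]) - now).days
    else:
        retention = None                            # discarded when the browser session ends
    return CookieRecord(name_value.split("=", 1)[0], host, party, retention)

def summarize(records):  # counts an auditor compares with what the cookie notice discloses
    return {"first": sum(r.party == "first" for r in records),
            "third": sum(r.party == "third" for r in records),
            "persistent": sum(r.retention_days is not None for r in records),
            "session": sum(r.retention_days is None for r in records)}

def undisclosed_third_parties(records, disclosed_recipients):
    """Third-party setters the notice does not name: the 'generic mention' gap."""
    return sorted({registrable_domain(r.set_by) for r in records if r.party == "third"}
                  - {registrable_domain(d) for d in disclosed_recipients})
```

Run against a real capture, the retention column is what a notice’s “period for which the personal data will be retained” statement should be checked against, and an empty result from `undisclosed_third_parties` is what a specific recipient list looks like.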

Third-party digital advertising companies, having better technology and expertise, enable more efficient ad placement and provide better insight for personalised and targeted ads. Displaying ads on its website also becomes a major source of revenue for a company, and displaying ads that are more relevant to users’ preferences further increases the market value of the website. However, the use of cookies to profile individuals also raises serious security and privacy concerns which need to be addressed to ensure the sustainable growth of the digital economy.

Present framework of Indian law governing cookies

The Amazon Privacy Policy states:

“We use “cookies” and other unique identifiers, and we obtain certain types of information when your web browser or device accesses Amazon Services and other content served by or on behalf of Amazon on other websites. Click here to see examples of what we collect.”

In the examples section, it mentions, amongst others, IP address, browser version, login, email address and password, phone numbers, the location of your device, time zone, content interaction information, device metrics, purchase and content use history, products and content you viewed or searched for, length of visits to certain pages, etc. as collected data.

Though not all cookies collect personal data (e.g. those essential for the functionality of websites), much of the data collected (see the examples above) is in the nature of personal information or data under Rule 2(i) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (enacted under section 43A of the Information Technology Act, 2000 and hereinafter “SPDI Rules, 2011”) and may also come under the definition of sensitive personal information or data (hereinafter “SPI”) under Rule 3. Not to forget, third-party cookies may also gather similar information about the users. Therefore, data collection through cookies by Amazon must comply with the SPDI Rules, 2011.

The SPDI Rules provide that while collecting information, including personal information and SPI, the provider of information, i.e. the user, must be informed that information is being collected, of the purpose of collection, and of the intended recipients of the information. Further, any information that is collected shall be used only for the purpose for which it has been collected.

Additionally, while collecting SPI, the user’s prior consent needs to be taken. Users must also have the option to refuse consent, or to withdraw it if already given. Such collection must be necessary and for lawful purposes. Moreover, the body corporate holding such information must not retain it longer than required for the purposes mentioned. The body corporate is also obliged to provide information about a grievance officer to address any complaint of the user relating to the processing of such personal information, and must provide a comprehensive privacy policy to data subjects while handling SPDI.

Amazon India’s compliance with SPDI Rules, 2011: a reality check

At the outset, it is to be highlighted that Amazon India does not properly classify the information collected through cookies into personal information, sensitive personal information or non-personal information. In the absence of such classification, it becomes difficult to assess Amazon India’s compliance with the SPDI Rules, which impose different sets of obligations for different sets of information.

Further, Amazon India states in its privacy policy that by using the website, users consent to the practices of Amazon India described in that policy. The privacy policy includes the cookie policy as an integral part of it. Hence, by merely using the website, the user consents to providing personal information or data through cookies. The consent procedure envisaged by the SPDI Rules points more towards explicit and clear consent, not merely implied consent; hence, it is doubtful that the manner in which Amazon.in obtains consent complies with the SPDI Rules.

Personal data or information of users collected through third-party cookies is another grey area of concern. While the SPDI Rules clearly require that users be informed of the intended recipients of their personal information, the vague and generic mention of third parties in the cookie policy, without any specific identification of recipients, undermines the intended objective of the provisions.

Moreover, the mechanism for withdrawing consent under the cookie policy and privacy policy is also complex, making it difficult to give effect to the provisions of the Rules in their spirit. There is also no mention of the time period for retaining the collected information, as required by the Rules. All these limitations reflect that Amazon hasn’t been in full compliance with the requirements of the SPDI Rules, 2011.

Amazon India’s cookie policy in the context of new Data Protection Bill

Soon to be enacted, the new Data Protection Bill (PDP Bill, 2019) is considered one of the most important pieces of legislation for India’s aspiration of achieving digital economy status. It will require businesses to revamp their data-related processes and embed privacy within their systems and operations. Therefore, it is necessary to analyse Amazon India’s cookie policy in the context of the new Bill so as to understand the willingness of big tech companies to respect and protect the digital privacy of citizens, as well as their pro-activeness in adopting data security, data protection and data integrity measures.

PDP Bill overview

The PDP Bill provides a wide definition of personal data or information which includes any data that can identify an individual, directly or indirectly, including inferences made about such individuals (Section 2(28)). Any information which allows an individual to be specifically targeted, whether online or offline, will fall within this definition. Hence, IP addresses, web cookies and device IDs are also personal data if they can identify an individual. In addition, information such as location data, time zone or other information can similarly be combined to identify an individual, and such combinations would also fall under the scope of the PDP Bill. It also has a wider definition of sensitive personal data.

  • The Bill places a duty on data fiduciaries such as Amazon to obtain the consent of the data principal, i.e. the user, before collecting personal data (Section 7).
  • Such personal data can be processed only for the specific and clearly defined purposes for which the data principal has consented, or which are incidental to or connected with such purposes (Section 5).
  • Data should be collected only to the extent necessary for such purposes (Section 6).
  • Section 11(4) further provides that the provision of any goods or services cannot be made conditional on consent where the processing of personal data is not necessary for that purpose.
  • Consent must also be free, informed, specific, clear by meaningful affirmative action and capable of being withdrawn (Section 11(2)). Moreover, explicit consent is required in the case of sensitive personal data collection.

The data fiduciary is required to give notice to the data principal at the time of collection of personal data, including: the purpose of collection; the nature and categories of personal data being collected; the identity and contact details of the data fiduciary and the data protection officer, if applicable; the procedure for withdrawal of consent; the basis for such processing and the consequences of failure to provide personal data; the persons with whom the personal data may be shared; information regarding any cross-border transfer of personal data; the period for which the personal data will be retained; and the procedure for grievance redressal. Such notice shall be clear, concise and easily comprehensible to a reasonable person, and in multiple languages where necessary and practicable (Section 7(2)).

Amazon India’s cookies policy: analysing the present through the lens of the future

As stated earlier, the consent mechanism described in Amazon.in’s privacy notice for the collection of personal information through cookies falls well short of the requirements of the PDP Bill. Amazon India does not state explicitly that it sets cookies on a user’s computer, making it impossible for the user to know, and exposing the user to the privacy concerns that arise from the use of cookies to track an individual’s online activities.

Moreover, as per the PDP Bill, Amazon India is required to give notice at the time of collection of personal data. However, Amazon fails to provide any cookie banner or similar notification to users before collection. Further, on the mere opening of the website, Amazon stores cookies on the user’s system, giving the user no choice to refuse consent.

While Amazon India’s cookie notice does give some information about the purposes for which cookies are deposited, it constitutes only a general and approximate description of the purposes of all the cookies deposited, and there is no mention of the means available to the user to object to the setting of cookies. Moreover, it does not mention the nature and categories of cookies that collect the different sets of data, such as personal information, sensitive personal information, and non-personal information or data.

It is also to be noted that regardless of the user’s journey, whether he or she goes to Amazon.in’s homepage or visits a product page on the site via an ad, around 49 cookies were deposited on the user’s terminal, of which 45 cookies are related to advertising and targeting purposes. This clearly runs foul of Section 6 of the PDP Bill, which seeks to limit the collection of personal data to the extent necessary for the purpose of processing. It also goes against the spirit of the privacy by design principles enshrined in Section 22 of the Bill. As a concept, privacy by design means that privacy, as a fundamental core value, should be incorporated into the organisation’s functions, systems and technology by default. It focuses on user-centric design of business operations which treats the privacy of users as the uppermost priority. Amazon India’s cookies policy requires much amendment to be in consonance with privacy by design principles.

Third party cookies

The privacy of users is in further potential danger due to cookies set by third parties through Amazon.in. The cookies policy of Amazon India states:

Approved third parties may also set cookies when you interact with Amazon services. Third parties include search engines, providers of measurement and analytics services, social media networks, and advertising companies.

As per the PDP Bill, the intended recipients of personal data, as well as the persons with whom the personal data may be shared by the data fiduciary, must be disclosed clearly to the users. However, merely mentioning third parties in a generic way, without specifying the recipients, goes against the spirit of the PDP Bill. It is to be noted that Amazon, in the EU and the UK, does name the third-party entities that set cookies along with the purposes of the specified cookies. Moreover, Amazon also absolves itself of any liability related to third-party cookies. This creates a somewhat ironic situation wherein Amazon obtains the consent of its own users to enable third parties to collect their data, while at the same time absolving itself of responsibility for how those third parties process this personal data. It reflects a clear lack of any linkage between the users’ consent to the collection of data and the processing of the same.

The situation becomes more complex if the third parties who set cookies are also considered data fiduciaries, since they do determine the means and purposes of collecting users’ personal data. If that is so, then third-party cookies installed through Amazon.in are in gross violation of the data fiduciary obligations under the PDP Bill.

Further, Amazon’s cookies policy prescribes browser settings as the means to manage cookies. However, these settings only allow users to opt out based on the cookie’s domain classification (first-party or third-party) without offering any other choice. They do not help the user identify whether the cookies set by a particular site are first-party or third-party, the purpose or functionality of such cookies, or any other relevant information that would help the user make an informed choice. Nevertheless, in some cases in different European countries, browser settings are considered an acceptable means of withdrawing consent.

Conclusion

The Amazon cookies policy requires significant amendments to be in consonance with the present data protection law of the country as well as with the new data protection law which is expected, very soon, to be the law of the land. The 7 aspects of privacy by design policy mentioned in Section 22 reflect the spirit of the new data protection Bill, and these aspects must be embedded by every organisation, including Amazon, in its data-related policies, mechanisms and organisational structure. Moreover, the general principles of processing personal data, such as lawfulness, fairness, transparency, data minimisation, purpose limitation, storage limitation, accountability, and integrity and confidentiality, need to be considered by Amazon India in its cookies policy. The recent decision of the French data protection authority against the Amazon cookies policy for violating data protection laws, as well as Google’s announcement that it will ban all third-party cookies in its Chrome browser from 2023, reflect the increasing understanding of the misuse of the cookie mechanism by tech companies. India needs to ensure that it enacts the new data protection Bill at the earliest, and implements it efficiently.

At the same time, it also needs to be accepted that the present PDP Bill has no provision for regulating third-party cookies. Several privacy risks are presented by third-party, persistent, targeting cookies. They contain a significant amount of information about the user’s online activity, preferences, and location. The chain of responsibility (who can access a cookie’s data) for a third-party cookie can get complicated as well, only heightening the potential for abuse.

Therefore, just as the European Union’s ePrivacy Directive (which covers cookies and other related technologies used for storing and accessing information on a user’s equipment, such as a computer or mobile device) supplements the GDPR, India also needs to adopt similar rules or regulations to supplement the PDP Bill, since users have a right to know the number and types of cookies a site hosts so that they can give informed consent regarding their personal data.

