Learn how cookies balance user experience with compliance in the era of data privacy. Understand cookie policies, consent, and global regulations.
When a user visits a website, data files known as cookies are stored on their device. Small text files of code known as cookies are downloaded into user’s computers and mobile devices when they access certain websites and apps. For instance, a website may store the user’s credit card information that is entered by them.
Based on their origin, use, and duration, cookies can be categorised into two i.e., first party and third-party. Both of these, track visitor activities and personalise their experiences.
First party cookies are accessible only by the domain that created them. Cookies that are placed by organisations other than the owners of the current website are referred to as third-party cookies. A third party, such as an advertiser or even an analytics system, may place third party cookies on a user’s device. Third party cookies are installed mostly by marketing companies to collect personal information about the user, such as their preferences, demographics, purchasing pattern, and overall behaviour. A user might, for instance, be browsing a shopping website that features advertisements for various other businesses. All of these businesses that have placed advertisements on that shopping website can monitor the user’s activities by setting pertinent cookies.
Cookie Policy vs Cookie Consent
A Cookies policy is a public statement that outlines how a website or app collects, stores, and uses data collected from cookies. It typically includes information such as the types of cookies used, their purpose, and how long they are retained. It’s important to note that many companies create a section of Cookies policy within their Privacy Policies. However, it’s a best practice to create a stand-alone Cookies Policy that separates from the Privacy Policy and is posted prominently on the business’s website.
On the other hand, Cookies consent refers to the act of obtaining explicit consent from users before setting cookies on their devices. This is typically done through a pop-up or banner that informs users of the website’s use of cookies and asks for their consent. While a cookies policy is a legal requirement for websites that use cookies, cookies consent is necessary to ensure compliance with global data protection regulations and to respect users’ privacy rights.
Information Technology (Reasonable Security Practises and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI rules)
The drawback is the privacy risk that is inherent in the use of cookies, such as the unauthorised collection of sensitive personal data with the risk of hijacking and breach. In order to meet such privacy concerns, regulators worldwide have begun to control cookies. European data protection authorities have held, in a series of rulings, that cookies constitute personal data for the purposes of the General Data Protection Regulations (GDPR). Accordingly, the GDPR data processing principles apply to cookies.
Unlike other countries, India is yet to specifically regulate cookies. In India, cookies are not considered to be personal data. However, Information Technology (Reasonable Security Practises and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI rules) apply when cookies collect or process sensitive or personal data which includes passwords, financial information, data pertaining to physical, physiological and mental health conditions, sexual orientation, medical records and history and biometric information.
There are no stated grounds as to how cookies may be used as they are not expressly regulated under any law. Where cookies are used for the collection of SPDI, prior permission must be sought before their use in accordance with the SPDI standards laid down in the SPDI rules. It is common for businesses to restrict access to their platforms or websites, if users do not give consent for the use of cookies.
Conclusion:
Given the changing privacy landscape and constantly evolving privacy laws, it is wise to obtain consent for the use of cookies and include a cookies policy on the company’s website. Businesses must follow global best practices, like using cookies consent notice like banners, pop-ups or screen and inclusion of cookies policy in full compliance with global pieces of legislation.
The set up of Data Protection Board under the Digital Personal Data Protection Bill, 2022 will likely provide a framework for the cookies use in India.
*****
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
The article has been jointly authored by Ms. Ruchika Agarwal and Ms. Swati Sitani of Mind Sync Business Solutions. For more details, visit www.mindsync.co.in or contact Contact: customer.care@mindsync.co.in.
Author Bio
