Preventing ‘Cookies’ from Crumbling under the DPDP Act Regime
Introduction
Cookies, a term which instantly resonates with businesses and online platforms in today’s digital era, refers to one of the most widely adopted tools to collect and store data of any individual visiting a website for inter alia advertising purposes. While the concept of cookies has been long embedded in the digital ecosystem across the globe and in India, the enactment of India’s first data protection law i.e., the Digital Personal Data Protection Act, 2023 (DPDP Act) along with the draft Digital Personal Data Protection Rules (Draft DPDP Rules) will introduce new challenges and complexities for businesses and websites, particularly in terms of seeking consent.
Recently, the Advertising Standards Council of India (ASCI) has released a whitepaper titled “Navigating Cookies: Recalibrating your cookie strategy in light of the DPDPA” (White Paper). As the relevant legal landscape evolves, the need to realign and rework cookie consent policies would become highly critical.
Key findings of the White Paper
The White Paper offers an in-depth understanding of cookies as well as of the different types of cookies adopted by businesses today. Importantly, the White Paper links the cookie consent requirements to the requirements stipulated under the DPDP Act and the Draft DPDP Rules while looking at requirements akin to those in other jurisdictions.
Noting the primary ingredients of ‘consent’ under the DPDP Act (i.e., free, specific, informed, unconditional and unambiguous), the White Paper delves into the gaps in transparency and user-friendliness prevalent in the cookie consent notices adopted by the digital industry, such as the lack of specificity of the purposes for which consent is being taken and the difficulties faced by a user in ‘opting out’ of such cookies. Consequently, the data revealed that only 3% of the ‘50 most top visited websites in India’ (as of December 2024) implemented cookie consent notices. Even among the websites which offered a consent notice, room for improvement remained in terms of enabling clear opt-out options and letting users offer more specific consent for different types of cookies. Accordingly, looking at the best practices worldwide, the White Paper emphasizes the need to inculcate “granularity” in the overall consent mechanism depending on the kind of cookies being adopted (i.e., essential cookies, analytics cookies, advertising cookies, etc.).
While the findings and recommendations suggested by the White Paper remain highly relevant for India’s digital businesses, the consent-seeking process warranted by the new data protection regime is characterized by various other challenges, some of which have been highlighted below.
Primary challenges and considerations
The DPDP Act, read with the Draft DPDP Rules, requires businesses to adopt transparent consent mechanisms. Consequently, separate consent has to be procured for every individual purpose of cookie usage including inter alia for advertising purposes. Accordingly, all such purposes will have to mandatorily feature in the consent notices which will be given to the data principals. This would include an itemised description of the purpose of each cookie (e.g., targeted advertising, tracking user behaviour, etc.) and the data being processed by such cookie, while giving the users the flexibility of ‘opting out’ of any specific cookie, if deemed necessary.
Prima facie, such granular consent requirements can escalate the compliance costs for businesses as they will now have to channel a significant percentage of capital and efforts into realigning their cookie management policies as well as developing an appropriate user interface (UI-UX). An investment will also have to be made towards onboarding relevant experts / resource persons on the topic while adopting practices which ensure adequate record keeping of both consent and consent withdrawals. This may be even more important for businesses seeking to collect children’s data as they will have to apprise the parents of the purpose of data collection using such cookies, as part of the verifiable consent process.
However, at a deeper level, the challenge that surfaces for businesses in the consent-seeking process lies in persuading a user to provide consent for marketing or advertising purposes, given that such purposes can be viewed as ‘unnecessary’ or ‘spam’. As such, if sufficient context about the purpose of such data collection is not given, businesses risk not getting consent at all. On the other hand, verbosity of information or frequent information pop-ups can end up draining the users, a phenomenon also referred to as ‘consent fatigue’.
It is also important to note that the way consent is sought from users would also have to be assessed from a dark patterns standpoint. While the White Paper discusses the possibility of resorting to ‘aesthetic manipulation’ or interface interference (by way of using larger fonts or brighter colours for options which are favourable to the businesses) for the purpose of seeking consent, frequent / verbose cookie consent requests may also amount to ‘nagging’ (i.e., disrupting or annoying the consumer through requests or interruptions) or ‘forced action’ (i.e., requiring the consumer to share personal information in order to avail the services). Thus, curating lawful and reasonable means for obtaining consent would call for attention and strategies from businesses.
Another significant hindrance stems from the application of ‘third-party cookies’, i.e., cookies placed on a website from a domain other than the website which is being visited by the user (unlike the general browser / web cookies). Also referred to as cross-site cookies, deployment of these cookies poses the highest risk to a user from a data privacy standpoint given there are occasions where users are not even aware of the fact that they are being tracked by such cookies.
Way forward / possible recommendations
The above risks underscore the need for businesses to remain transparent while using cookies and obtaining consent. As a first step, businesses can consider bucketing the data sets which they collect into different categories (i.e., personal and non-personal data), particularly for tracking / advertising purposes, so that suitable UI/UX can be developed while keeping the considerations above in mind. It will have to be seen how the requirements under the Draft DPDP Rules are firmed up in the meantime, so that the final compliance strategy can be worked out.
- Harsh Walia (Partner); Shobhit Chandra (Counsel) and Akshita Singh (Associate)
© 2024 Khaitan & Co. All rights reserved.