
Framing Cookie Policy: A Data Protection Perspective

Rohit Gupta & Shravya Devaraj

I. Introduction

The advertising technology (‘AdTech’) structure is built upon data gathering through ‘internet cookies’ (small textual data files). Advertisers, through the website, launch third-party cookies onto a webpage to collect user data which establishes a digital footprint for marketers and enterprises. This provides a detailed profile of a user’s likes, buying patterns, and other inclinations. Thereafter, ad banners are deployed, for example, with Google’s Ads and AdSense, to target and retarget consumers.

As to the exact nature of the information collected, an illustration may be considered. Amazon’s Privacy Policy, for example, states that, inter alia, its cookies collect information such as IP address, purchase and content use history, login, email address, password, phone numbers, device metrics, time spent on the webpage, etc. However, it must be noted that not all cookies collect the above-mentioned information. Some, such as strictly necessary first-party cookies, merely collect information essential for the functionality of the website. For instance, Amazon’s strictly necessary cookies are restricted to “privacy preferences, signing in, or filling in forms”. Due to their nature, such cookies are exempt from the requirement of consent, provided they are explicitly designated and differentiated as such before the user.

In this comment, I shall examine in depth the law on internet cookies in India, contrasting its dearth with best practices developed in the Global North. While the legal developments of the draft Data Protection Bill, 2021 (‘DPB, 2021’) are alluded to, the question of specific and granular guidance for cookie consent management is raised.

II. India’s Cookie Policy: The IT Act and the SPDI Rules

Debates have arisen as to whether ‘cookies’ can be classified as a ‘computer virus’ under Section 43 of the Information Technology Act, 2000 (‘IT Act’), in that a cookie “attaches itself to another computer resource and operates when a programme, data or instruction is executed”. However, the definition of a computer virus necessarily implies a malicious purpose that is absent from the traditional and ubiquitous use of cookies. Outlawing the use of cookies and penalizing any service provider for their use under Section 43 of the IT Act would also be wholly disproportionate, and indeed, a one-of-a-kind disenfranchisement of the entire AdTech industry.

Regulation-wise, owing to the nature of the information collected, non-essential third-party cookies may fall under the ambit of personal or sensitive personal data (‘SPD’) under Section 2(i) and Section 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘SPDI Rules’). However, due to the lack of a definitive holding in this regard, and an absence of applicable rules regarding the collection of mere personal data, service providers are not required to enact a separate cookie policy. If applicable, the SPDI Rules cast upon only those providers which collect SPD the broad obligations of (1) obtaining prior consent, (2) disclosing the nature of the information collected, the purpose of collection, and the intended recipients of the information, (3) using the information for a specific purpose only, and (4) using the information only for the required period. Nonetheless, no guidance exists as to how consent is to be collected, the validity of consent collected in different circumstances, the extent of information to be disclosed, the permissible classifications of ‘essential’ and ‘non-essential’ cookies, the validity of cross-border cookie data transactions (i.e., the standard of “same level of data protection”), the consequences of denial of consent to non-necessary cookies, etc.

With the presence of a plethora of unanswered questions, data literacy concerning cookies in India continues to remain underdeveloped. This allows the exploitation of data subjects, who not only face a lack of remedial channels but also struggle to become aware of such harms in the first place. In light of this, we must turn to specifically identifying such harms and locating their solutions.

III. Psycho-Social Factors ‘Nudging’ Cookie Consent

The drawbacks and difficulties with online cookies stem from uncertainty about how websites acquire personal data. This in turn seems to stem from not knowing exactly what a web cookie is. People also feel a lack of control over online cookies and do not always understand why they are being used to harvest personal data. Additionally, several studies have evidenced the use of ‘dark patterns’ in the design of cookie banners/notices which attempt to ‘nudge’ user consent towards accepting non-essential third-party cookies. As noted by Luxembourg’s National Commission for Data Protection (‘CNPD’), some of these include: (1) different sizes (e.g., a huge “agree” button with a little hyperlink for “refuse”); (2) distinctive fonts (e.g., an “accept” button with legible font and a “refuse” button with an unintelligible font); (3) contrasting colours/highlights (e.g., an “accept” button in a strong contrast making it clearly visible, while a “refuse” button has very low contrast compared to the rest of the banner, and is therefore not very visible). Other forms of nudges include auto-enrollment (the ‘opt-out’ method), maintaining an information dump/deficit, or prompting acceptance of cookies by citing a majority of web-visitors. In some such cases, such as auto-enrollment, the rate of cookie acceptance has been observed to double compared to the ‘opt-in’ method. Other studies have found negative effects from relegating information to a separate webpage or referring users to browser settings for consent management. As a result, several sectoral regulators operating under the GDPR have specifically outlawed such practices and penalized their use by companies like Google and Facebook.

IV. Global Cookie Standards and Best Practices

Under the General Data Protection Regulation, 2018, companies must choose a legal basis for processing personal data (Article 6(1)(a)). Where consent is the basis, it must be freely given, specific, informed, unambiguous, explicit, revocable and requested in a legible and accessible way (Articles 4(11) and 7). Further, Recital 32 of the GDPR, as well as the Planet49 GmbH Case, makes clear that consent given in the form of a preselected tick in a checkbox does not imply active behaviour of the user and that pre-ticked boxes do not constitute consent. A strong presence of the purpose limitation and data minimization principles is also found in Article 5(1)(b), with regulators such as the Finnish and Belgian DPAs laying down the contours of the availability (manner), explicitness (language), and specificity (extent) with which such information must be disclosed.

The ePrivacy Directive (‘ePD’) supplements the GDPR in the area of electronic communication, such as websites. Unlike the GDPR, which is a regulation directly applicable in all EU member states, the ePD is a directive that each member state must transpose into its national legislation. Under the ePD, website publishers must obtain user consent before collecting and processing personal data using non-mandatory cookies (those not strictly necessary for the service requested by the user) or other tracking technologies (Article 5(3)). Moreover, Recital 66 of the ePD is quite explicit in directing that “the methods of offering the right to refuse should be as user-friendly as possible”.

Additional guidance issued under the GDPR by several individual DPAs has also specifically outlawed certain malpractices. The Dutch DPA, for example, stated that cookie walls, which demand that a website visitor agree to their internet browsing being tracked for ad-targeting as the ‘price’ of entry to the site, are not compliant with the GDPR. Similarly, sites that claim to obtain ‘consent by scrolling’ post a small banner at the top of the screen with their GDPR consent information and indicate that “by continuing to scroll, you grant consent to the usage of cookies.” According to the Greek DPA, this cannot constitute valid consent as the act is indistinguishable from scrolling to read the remainder of the page. The United Kingdom’s Information Commissioner’s Office, for its part, has also identified which cookies may be classified as strictly necessary and which may not, in order to promote data literacy.
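The practices named in Sections III and IV (a refuse option demoted to a small hyperlink, pre-ticked non-essential categories, and ‘consent by scrolling’) are all visible in a banner’s markup, so they can be checked mechanically. The following Python script is an added example, not code from the article or from any regulator; it parses constructed banner HTML with the standard-library `html.parser` and reports which of those practices it finds. The keyword lists for “accept”/“refuse” controls and for essential categories are simplifying assumptions, and it does not attempt to detect cookie walls, which depend on site behaviour rather than banner markup.

```python
"""Audit a cookie-consent banner's markup for the consent defects the
regulators cited above have identified. Added example; keyword lists and
sample markup are constructed assumptions, not taken from any regulator."""
import re
from html.parser import HTMLParser

# Assumed vocabularies: word-bounded so "cookie" never matches "ok" etc.
ACCEPT = re.compile(r"\b(accept|agree|allow)\b", re.I)
REFUSE = re.compile(r"\b(refuse|reject|decline|deny)\b", re.I)
ESSENTIAL = re.compile(r"necessary|essential|required", re.I)
# "By continuing to scroll/browse/use ... you consent" style wording
SCROLL_CONSENT = re.compile(r"continu\w*\s+to\s+(scroll|browse|use)", re.I)


class BannerParser(HTMLParser):
    """Collect clickable controls, checkboxes and visible text."""

    def __init__(self):
        super().__init__()
        self.controls = []    # (tag, visible text) for <button> and <a>
        self.checkboxes = []  # (name, pre-checked?, disabled?)
        self.text = []        # all text nodes, for the scrolling check
        self._open = None     # (tag, [text parts]) while inside a control

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "checkbox":
            self.checkboxes.append((a.get("name") or "", "checked" in a, "disabled" in a))
        elif tag in ("button", "a"):
            self._open = (tag, [])

    def handle_endtag(self, tag):
        if self._open and tag == self._open[0]:
            self.controls.append((tag, " ".join(self._open[1]).strip()))
            self._open = None

    def handle_data(self, data):
        self.text.append(data)
        if self._open:
            self._open[1].append(data.strip())


def audit(html):
    """Return a list of findings; an empty list means none of the
    checked practices was detected in the markup."""
    p = BannerParser()
    p.feed(html)
    p.close()
    findings = []

    accept = [c for c in p.controls if ACCEPT.search(c[1])]
    refuse = [c for c in p.controls if REFUSE.search(c[1])]
    if not refuse:
        findings.append("no refuse control offered (ePD Recital 66)")
    elif accept and all(t == "a" for t, _ in refuse) and any(t == "button" for t, _ in accept):
        findings.append("refuse offered only as a hyperlink while accept is a button (CNPD prominence nudge)")

    # Pre-ticked boxes are not consent (Planet49 / GDPR Recital 32); a
    # pre-checked, disabled strictly-necessary category is exempt.
    for name, checked, _disabled in p.checkboxes:
        if checked and not ESSENTIAL.search(name):
            findings.append(f"pre-ticked non-essential category '{name}' (Planet49 / GDPR Recital 32)")

    if SCROLL_CONSENT.search(" ".join(p.text)):
        findings.append("consent by scrolling or continued browsing claimed (Greek DPA)")
    return findings


# Constructed sample banners for demonstration.
BAD_BANNER = """
<div id="cookie-banner">
  <p>We use cookies. By continuing to scroll, you grant consent to the usage of cookies.</p>
  <label><input type="checkbox" name="necessary" checked disabled> Strictly necessary</label>
  <label><input type="checkbox" name="analytics" checked> Analytics</label>
  <label><input type="checkbox" name="advertising" checked> Advertising</label>
  <button class="btn-primary">Accept all</button>
  <a href="#" class="tiny">refuse</a>
</div>"""

GOOD_BANNER = """
<div id="cookie-banner">
  <p>We use strictly necessary cookies; optional cookies are set only if you opt in.</p>
  <label><input type="checkbox" name="necessary" checked disabled> Strictly necessary (always on)</label>
  <label><input type="checkbox" name="analytics"> Analytics</label>
  <label><input type="checkbox" name="advertising"> Advertising</label>
  <button>Accept selected</button>
  <button>Reject all</button>
</div>"""

if __name__ == "__main__":
    for label, html in (("bad", BAD_BANNER), ("good", GOOD_BANNER)):
        print(label, audit(html) or "no findings")
```

The audit is deliberately structural: it reads what the markup declares (which categories start ticked, whether refusal is a button or a link, what the banner text promises) rather than rendered size or colour, so the CNPD’s font and contrast nudges are outside its reach and still need a visual review.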

The California Consumer Privacy Act (‘CCPA’) took effect on January 1, 2020. It applies to companies that gather data on Californians and meet one of three criteria: earning $25 million-plus in revenue, processing the data of 50,000 consumers, households, or devices, or deriving at least 50% of their annual revenue from selling the personal information of California residents.

For data collection, the CCPA requires websites to tell consumers what data they collect, how they handle it, and with whom they share it. Providers, however, are only obligated to use the opt-in method for visitors aged 13 to 16 years. For visitors above 16, they can drop cookies as soon as the user visits a page, as long as they notify users about the types of personal data collected and their usage. Unlike the GDPR, the CCPA compels companies to offer customers the option to opt out of the sale of personal information. Websites should thus include a “Do Not Sell My Personal Information” link or button on their homepage. The “Do Not Sell” page should include a link to the website's privacy policy and an opt-out option for targeted ads.

V. Looking Forward: The Data Protection Bill, 2021

In November 2021, the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019, introduced a new draft version of the bill, in the form of the DPB, 2021, subsuming non-personal data under its ambit. While the draft, and the report, still fail to acknowledge cookies as a matter of legislative concern, the codification of several principles of best practice (such as the need for express, rather than implied, consent) is very welcome. Note, however, the acute lack of any discussion of the above-mentioned issues, including the use of dark patterns. Among the several concerns which arise, the ones highlighted below are those that may directly impact the collection and processing of cookie data.

A. Disclosure of Algorithmic Fairness in Processing Personal Data

Clause 23(1)(h) of the DPB, 2021, now demands disclosure of the “fairness of the algorithm and method used” in processing personal data. This means that intermediaries could potentially be required to disclose granular information regarding key processes conducted on personal data. For instance, intermediaries may be required to delineate how cookie data is used to conduct targeted advertising, including the process of selecting which targeted advertisement would be placed before the end user and the manner in which it will be displayed (the frequency, positioning, etc.). However, the vague language of the provision has been criticized as rendering the amendment meaningless. The precise content and extent of the information required to be disclosed remain unmentioned. Interpretation as to the exact point of compliance with the provision seems to have been left to forthcoming regulations or judicial interpretation (albeit without mentioning either). Additionally, the entity responsible for assessing whether certain information contributes to the determination of the ‘fairness’ of the algorithm used is also unassigned. Inspiration as to the requisite level of specificity, in this case, may be drawn from the February 2021 report of the NITI Aayog on Responsible AI, which sets out, in great detail, a self-assessment procedure for AI usage and the method of determining and maintaining transparency for artificial intelligence systems. The report also maps ethical considerations and corresponding regulatory and technological management options to each consideration.

B. Denial of Service for Want of Consent

Under Clause 11(4) of the DPB, 2021, services or the quality of service cannot be made conditional on a user’s consent to processing or collection that is not necessary for the same, nor denied “based on the exercise of consent”. While the latter may be a minor drafting error, the provision essentially outlaws consent walls and is a direct reference to the ongoing WhatsApp Privacy Policy controversy. Issues, however, remain as to the determination of what is necessary and unnecessary, a decision left wholly to the discretion of the service provider. While this is nothing out of the ordinary, in the absence of specific guidance from the DPA as to what may constitute essential cookies, the data subject is left to educate herself on the technical know-how of cookie engineering and granularly inspect the cookie/privacy policy to verify whether what has been classified as essential is, indeed, essential. Not only does this play into consent fatigue, but it also allows service providers to mask malpractices in the fine print.

C. Special Concerns regarding Processing of Children’s Data

The current draft of the DPB, 2021 retains the age of majority as 18 years (note that the same has been reduced to 16 years under the GDPR, with the option for member states to lower it to 13 years). Additionally, Clause 16(2) now requires both prior age-verification and parental consent before the processing of personal data belonging to minors. This may introduce onerous burdens upon platforms. For instance, age-verification mandates, depending on their required stringency, may require the collection of more information than previously required (such as Aadhaar/One-Time-Password verification). Most parents might not be users of websites frequented by minors. Hence, the consent flow must be made off-platform, introducing not only issues such as consent fatigue but also impacts on active users and revenue models and, in turn, an increased risk of verification fraud. The psychological effects of allowing parents to solely govern the nature of online content accessed by children must also be