Crunching Cookies: Achieving The Sweet Spot Of Privacy With Consent Policies

S.S. Rana & Co. Advocates


S.S. Rana & Co. is a Full-Service Law Firm with an emphasis on IPR, having its corporate office in New Delhi and branch offices in Mumbai, Bangalore, Chennai, Chandigarh, and Kolkata. The Firm is dedicated to its vision of proactively assisting its Fortune 500 clients worldwide as well as grassroot innovators, with highest quality legal services.

What are Cookies?

In the 1990s when websites were having difficulty in remembering who their users were or what they did in previous website visits, Lou Montulli, a network engineer, invented the HTTP cookie or what is widely known as internet cookies or simply as cookies.1

Cookies are essentially small text files that websites place on users' devices as they browse. These cookies are then processed and stored by the web browser. By themselves, cookies are harmless and serve crucial functions, but they can also store a lot of data that can possibly identify an individual without their consent having been obtained.

The purposes of cookies can broadly be summarised as:

  1. uniquely identifying users,
  2. managing their browsing sessions,
  3. facilitating personalized user experiences,
  4. targeted advertisement.2

What information do cookies collect?

Websites collect a variety of data from their users, for a myriad of purposes. This includes data provided through forms on websites, such as email addresses, credit card information, and other information supplied by the user. Other types of information are gained from tracking technology, which includes cookies. These data include:

  1. IP addresses which determine a user's location.
  2. Information about how the user interacts with websites. For example, what they click on and how long they spend on a page.
  3. Information about the browser and the device the user uses to access the site, and
  4. Browsing activity across different sites.3

The combination of this information gives those who collect it an insight into the user's online behavior.

Why is that a problem?

The function of tracking cookies is to record the digital footprint of individuals so that customers can be targeted with advertisements tailored to their tastes and requirements.

There are certain critical privacy concerns when dealing with cookies:

  1. Identification and Tracking: Cookies are used to track user activities on a website. They can store information such as user preferences, login status, and other data. This activity is essentially profiling individuals.
  2. Privacy Risks and Profiling: Cookies can pose privacy risks, especially when they are used for tracking users across multiple websites, as this can lead to the creation of user profiles that may be exploited for targeted advertising. This activity creates an identifiable profile of an individual and therefore falls under the purview of data protection legislation as an extension of personal data. An example would be searching for a particular product on Amazon and then seeing the same or related products appear in the person's Instagram feed.
  3. Cookie Hijacking: Cookie hijacking, or tossing, refers to unauthorized access to cookies, which can potentially lead to account compromise or unauthorized access to user data. This happens when an attacker can steal the user's cookie and gain unauthorized access to their accounts. Attackers can thereby gain wide-ranging access to an individual's resources. For example, an attacker may steal someone's identity or confidential company data, purchase items, or steal from bank accounts.

Kinds of cookies

The two ways in which cookie information is collected are first-party and third-party web tracking.

  1. First-party analytics is a tracking method in which trackers are issued by the website that the user views directly. Examples: passwords, language settings, session length and number of visits, previous searches and views.
  2. Third-party tracking is the practice in which a tracker on a website is set by a different website than the one the visitor is currently on. Such trackers collect and send information about a user's browsing history to other companies, for advertising purposes.4

Are cookies necessary for websites to function?

  1. Essential or necessary cookies are cookies that support the functioning of the website, such as login information or, on an e-commerce website, payment cookies or shopping cart information. All websites require strictly necessary cookies in order to operate properly.
  2. Non-essential cookies are cookies which are not required for a website to function.5 However, they may improve a user's experience with the website. Examples of non-essential cookies are advertising trackers and cookies left by third-party widgets or embedded content; these can only be installed on a user's device with the user's explicit consent.

Storage of cookies

  1. Session or temporary cookies are deleted once the browser is closed. If the website doesn't set an expiry date, the browser will delete the cookie once it is closed.
  2. Persistent cookies encompass all cookies that remain on the hard drive until the user erases them or the browser does, depending on the cookie's expiration date. All persistent cookies have an expiration date written into them, but their duration can vary.6
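The distinctions above (first- versus third-party, session versus persistent) and the cookie hijacking risk described earlier can be checked mechanically from the Set-Cookie headers a page's responses carry. The following is an added example, not code from the original article: it classifies each cookie relative to the page the visitor is on and flags attributes whose absence makes the cookie value easier to steal. The sample responses, the host names and the two-label domain approximation are constructed assumptions.

```python
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


@dataclass
class CookieReport:
    name: str
    party: str        # "first-party" or "third-party"
    lifetime: str     # "session" or "persistent"
    warnings: list = field(default_factory=list)


def site_of(url: str) -> str:
    """Approximate the registrable domain by keeping the last two host labels.
    Simplification: a real audit would consult the Public Suffix List."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def classify(page_url: str, response_url: str, set_cookie: str) -> CookieReport:
    """Classify one Set-Cookie header relative to the page the user is viewing."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    name, m = next(iter(jar.items()))
    # Third-party: set by a site other than the one the visitor is currently on.
    party = "first-party" if site_of(response_url) == site_of(page_url) else "third-party"
    # Persistent: the server wrote an expiry (Expires or Max-Age); otherwise session.
    lifetime = "persistent" if (m["expires"] or m["max-age"]) else "session"
    report = CookieReport(name, party, lifetime)
    # Attributes that limit exposure of the cookie value to theft (cookie hijacking).
    if not m["secure"]:
        report.warnings.append("missing Secure: may be sent over plain HTTP")
    if not m["httponly"]:
        report.warnings.append("missing HttpOnly: readable by page scripts")
    if not m["samesite"]:
        report.warnings.append("missing SameSite: attached to cross-site requests")
    return report


def audit(page_url: str, responses) -> list:
    return [classify(page_url, url, hdr) for url, hdr in responses]


# Constructed sample: the shop's login response sets a session cookie, and an
# embedded ad pixel from another site sets a year-long tracking cookie.
PAGE = "https://shop.example/cart"
SAMPLE_RESPONSES = [
    ("https://shop.example/api/login", "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://ads.tracker.example/pixel.gif",
     "uid=u-98765; Domain=.tracker.example; Path=/; Max-Age=31536000; SameSite=None; Secure"),
]

if __name__ == "__main__":
    for r in audit(PAGE, SAMPLE_RESPONSES):
        print(f"{r.name}: {r.party}, {r.lifetime}; " + ("; ".join(r.warnings) or "no warnings"))
```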

Is seeking consent mandatory under the cookie law?

Under the GDPR

The GDPR, or General Data Protection Regulation, addresses cookies as online identifiers of natural persons.7 Companies do have a right to process personal information, as long as they receive granular, unambiguous consent via a clear affirmative action or can confirm that they have a legitimate interest.

A legitimate interest is a condition in which the processing of personal information is required for carrying out specific business purposes of the company; for example, an address required for delivering goods to the customer. However, the company must specify the purpose of the collection of the data.8 Essential cookies can be collected under legitimate interest; non-essential cookies, however, require explicit consent.

The basic requirements for a valid legal consent are defined in Article 7 of the GDPR. According to the same, consent must be freely given, specific, informed and unambiguous, and a clear affirmative action of the data subject. The word "free" implies that the action should be a real choice by the data subject.

The e-Privacy Directive or the "Cookie Directive"

In 2002, Directive 2002/58/EC of the European Parliament, nicknamed the "cookie directive", was adopted.9 The Directive permits the use of cookies for legitimate purposes if individuals have been provided with clear and precise information about the purposes of the cookies and have had the opportunity to refuse them.10 The subsequent proposed e-Privacy Regulation of 2017 aims to centralize cookie consent, replacing arbitrary cookie-consent mechanisms. It further proposes to make cookie control more user-centric.11

The Bundeskartellamt ruling: Processing of special categories of personal data

In the Bundeskartellamt ruling, the Court of Justice of the European Union (CJEU) held that where data about a user's visits to websites and apps relates to one or more special categories of data,12 and these data points are collected in order to link them to the user, the use of that data must be regarded as processing of special categories of personal data.13

Opportunity to exercise choice by the Data Subject?

Manner of collecting consent: Opt-in and Opt-out cookies

Opt-in means obtaining explicit consent from an individual before engaging in an activity such as sending marketing emails, whereas opt-out is the process of allowing individuals to decline or withdraw from participating in a certain activity such as receiving marketing communications.14 Therefore, as the law is understood, opt-in cookies follow the explicit action required for a valid consent. An example of opt-in would be the customer themselves consenting to receive promotional emails, while opt-out is a process by which the customer checks a box to decline promotional emails. The difference is thus between a positive action and a negative action.

Cookie walls and their legality

A cookie wall is a pop-up that restricts or blocks access to a website until the user accepts cookie usage. Using cookie walls is not compliant with data privacy laws like the GDPR and the ePrivacy Directive unless strict conditions are met; a website can only implement one if it satisfies the criteria set out under the law. Furthermore, cookie walls are obsolete under the California Consumer Privacy Act (CCPA).15

In January 2023, France's data protection watchdog, CNIL, fined TikTok €5 million ($5.4 million) for making it difficult to refuse cookies on its website. CNIL found that TikTok manipulated consent by discouraging users from rejecting cookies: it required multiple clicks to refuse cookies, but only one click to accept them. TikTok resolved the issue by adding a "Refuse all" button to its site.16 In August 2022, Sephora, a prominent beauty retailer, became the first company publicly fined for violating the California Consumer Privacy Act (CCPA). The California Attorney General announced a settlement with Sephora to address the alleged CCPA violations, which included using data tracking technologies such as cookies that sent consumers' data to external ad tech and analytics companies without properly informing consumers or offering them an opt-out choice.17

Ahana Bag, Former Junior Associate at S.S. Rana & Co., has assisted in the research of this article.

Footnotes

1 https://www.cookieyes.com/blog/internet-cookies/

2 https://gdpr.eu/cookies/

3 https://www.cookiepro.com/blog/website-tracking/

4 https://piwik.pro/glossary/third-party-tracking/

5 https://www.dataguard.co.uk/glossary/non-essential-cookies

6 https://securiti.ai/blog/persistent-cookie/

7 Recital 30 says, "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."

8 https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-andorganisations/legal-grounds-processing-data/grounds-processing/what-does-groundslegitimate-interest-mean_en

9 https://www.edps.europa.eu/sites/default/files/publication/dir_2002_58_en.pdf

10 https://www.edps.europa.eu/sites/default/files/publication/dir_2002_58_en.pdf

11 https://digital-strategy.ec.europa.eu/en/policies/eprivacy-regulation

12 Article 9(1) of the GDPR, Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

13 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62021CJ0252

14 https://securiti.ai/blog/opt-in-vs-optout/#:~:text=Opt%2Din%20is%20giving%20explicit,such%20as%20receiving%20marketing%20communications.

15 https://termly.io/resources/articles/cookie-walls/#are-cookie-walls-legal-in-the-eu

16 https://www.politico.eu/article/tiktok-fined-e5m-in-french-privacy-case/

17 https://www.forbes.com/sites/tomchavez/2022/10/27/on-privacy-regulators-areawakening-the-consumerand-its-an-innovation-imperative/
