Consent Requirements and the Future of Cookies under the Digital Personal Data Protection Act

Author – Havish Dhanwantri
Studying B.Com.L.L.B at UILS,Panjab University, Chandigarh

Abstract

What is the future of cookies under the Digital Personal Data Protection Act? What are the consent requirements under the act and how will they affect the collection of digital personal data by data fiduciaries? Where are cookies headed towards as a data collection tool and will they be replaced? This article seeks to answer these questions and inform the readers regarding the matter, while also providing the relevant information required and informing the readers about the concepts discussed. This article aims to take a novel approach on the matter and simplify it for the readers.

Introduction

With the advent of the Digital Personal Data Protection Act (DPDP) represents a pivotal shift in the regulatory landscape governing data privacy. Central to this transformation is the evolving concept of consent, particularly in relation to cookies and similar tracking technologies. As digital interactions become increasingly sophisticated, the traditional mechanisms of obtaining user consent are being scrutinized and redefined. This article delves into the consent requirements under the DPDP act, exploring how these stipulations impact the deployment and management of cookies. Additionally, it examines the future trajectory of cookie regulations, considering both the challenges and opportunities presented by this new legal framework. Through a detailed analysis, we aim to illuminate the implications for businesses and individuals navigating the complexities of data protection in an era of heightened scrutiny and technological advancement.

What are Cookies?

Online websites use small data files called cookies to enhance user experience by storing information on a consumer’s device. These cookies are essentially small packets of data consisting of randomized characters that websites create and store on a user’s device when they visit a site. The primary purpose of cookies is to help websites recognize returning users and provide a more personalized browsing experience. When a user logs into a website, the cookie helps the site remember the user’s login details, preferences, and settings. This helps the user to save time and effort from entering their details again. Beyond just storing login details, cookies can also keep track of user preferences and settings, such as language choices, theme preferences, or even the items in a shopping cart.
Cookies also play a significant role in tailoring content to individual tastes. For example, a website like YouTube uses cookies to track the videos a user watches. Based on this viewing history, YouTube’s algorithms suggest videos that align with the user’s interests, making the experience more engaging and relevant. This personalization is made possible by the data stored in cookies, which allow websites to deliver content that matches the user’s previous interactions and preferences. In addition to enhancing user experience, cookies also support website functionality by remembering user activities and preferences across different sessions. This can include anything from remembering the user’s cart contents in an online store to keeping track of the last page visited on a news site. Overall, cookies are crucial for providing a customized, efficient, and user-friendly internet experience, making online interactions more seamless and tailored to individual needs.

Problems with cookies

Cookies are further divided into two main types-

1. Authentication Cookies
2. Tracking cookies
3. Authentication Cookies- As explained in the previous paragraph some cookies are used only to remember login details and relevant information to save time for the consumer, these cookies are called authentication cookies. These cookies are mostly first party meaning that they are used to store the data of the consumer by the organization itself, whose service the consumer uses. These kind of cookies are present in almost all online websites and help the website to identify the user and setup the site or app in a manner that they usually use.
4. Tracking cookies- These kind of cookies as the name suggests are used for tracking the user’s activity online. Primarily did not have the function of tracking user activity through multiple apps and sites and were only used to monitor the activity of the user that was relevant to the concerned brand or business. These kinds of cookies are usually third party, meaning that they are not stored by the site or app itself but are stored by a third party associated with the site or app.

The problems with cookies arises when they start to act as tracking systems used to track and profile a user rather than facilitating a comfortable user experience. Third party cookies are the primary concern in this regard as they are often used to collect the browsing history of a user and profile them on its basis. This raises serious privacy concerns for the user as an individual, in particular and the users of the app or website at large, in general. Moreover these small data files are not considered to be secured as this factor is dependent on the site, app or the third party itself that what kind of security system they have for the same, if any. This is true for both first party and third party cookies.

The Digital Personal Data Protection Act- Main Features

For a long period of time, the cyberspace in India has been regulated by The Information Technology Act, 2000 and with the rapidly increasing consumption of internet related services, particularly social media, a new legislation was required to handle the challenges posed by this increase. It should also be kept in mind that the IT act was not equipped to handle the cyberspace as it exists in its present form today and was made around 23 years back. In the field of cyberspace, this is a very long time. With increasing amounts of digital data being collected and processed by the big corporations and social media companies, The Ministry of Electronics and Information Technology, came up with the Digital Personal Data Protection Act which has been granted the approval of the President and is waiting to be enforced. The central features of the act are multifaceted-

1. The act mainly aims to smoothen the way for consumers to have more control over their data and how exactly it is being used by the data fiduciaries.
2. It also aims to setup a Data Protection Board which will deal with the matters related to digital personal data and all assorted matters coming within the purview of the act.
3. Along with providing a system for dealing with matters contained within the act, it also gives a boost to the privacy regulations already existing within India.
4. It grants the user whose digital personal data is being recorded and processed, various rights including the right to access, correct or erase digital personal data.

Consent requirements under the new Act

As the new act aspires to give consumers greater control over their digital personal data, it contains certain provisions to help them in this regard. The act requires the data fiduciaries (meaning the online website or app that the consumer is using the services of/or the third party through which such activity is conducted) to request the data principal (consumer) to give their consent to such collection of their digital personal data. This is a big step for the regulation of cyberspace in India considering that this is a novel feature in a latest legislation. This concept has been borrowed from the European General Data Protection Regulation (GDPR).

Coverage of cookies under the Digital Personal Data Protection Act

As there are no case laws regarding this as of now the guiding point for this discussion are two fold-

1. The inclusion of Cookies under The GDPR from which the DPDP act borrows certain provisions.
2. Information being collected by cookies being potentially covered under the definition of Digital personal data.
3. The GDPR from which the DPDP act borrows includes cookie consent as one of the significant provisions under the legislation. The general rule regarding cookie consent is that the consumer should be given a choice whether they want third party cookies to track their activity or not. Usually this notice pops up as soon as you open the site. Some sites have the issue of providing only 2 options of either accepting the cookies or redirect the user to a different page, whereas the option to reject such cookies is mandatory under the GDPR. This significantly increases the chances of cookies being covered under the Digital Personal Data Protection Act.
4. Considering the fact that cookies essentially collect and profile digital personal data and the main goal of the act is to give users greater control over how their data is collected and processed, there is a high chance that cookies will be covered under the definition of digital personal data under the act. This is so because if cookies are collecting digital personal data and tracking user activity then the what kind of control is the user left with if they are simply not given the option to choose? This essentially defeats the purpose of the act. Moreover consent requirements under the act also indicate the same.

Conclusion

The Digital Personal Data Protection Act (DPDP) represents a significant step in the regulatory framework for data privacy in India, reflecting an increased emphasis on consumer control and consent. The act’s provisions regarding consent are likely to have a profound impact on the use and management of cookies. As cookies, particularly third-party tracking cookies, are central to many privacy concerns, the DPDP’s requirements for explicit consent align closely with international standards such as the GDPR.

Overall, while cookies have been a fundamental tool in digital data collection, their role is being redefined in light of new privacy regulations. Businesses must prepare for these changes by adapting their data practices and ensuring compliance with the DPDP. In doing so, they will not only meet legal requirements but also foster trust with their users by prioritizing their privacy and autonomy.

FAQs

1. What is the Act (DPDP)?

The DPDP is a legislative framework in India designed to enhance data privacy and protection. It provides individuals with greater control over their personal data and establishes guidelines for how data fiduciaries (organizations collecting and processing data) must handle personal data.

3. How does the DPDP affect the use of cookies?

The DPDP mandates that data fiduciaries must obtain explicit consent from users before collecting their personal data through cookies. This includes giving users the option to accept or reject cookies, particularly third-party tracking cookies, thereby aligning with global standards like the GDPR.

4. What are the main types of cookies?

Cookies are primarily classified into two types:

• Authentication Cookies- Used to remember user login details and settings for a more personalized experience.
• Tracking Cookies- Used to monitor and profile user behaviour across multiple sites, often by third parties, raising significant privacy concerns.

1. What are the consent requirements for cookies under the DPDP?

The DPDP requires data fiduciaries to obtain explicit and informed consent from users before placing cookies on their devices. Users must be provided with clear options to accept or reject cookies, with a focus on transparency and user choice.

5. Will cookies continue to be used despite the DPDP?

Cookies will likely continue to be used, but their implementation will need to be adjusted to comply with the DPDP. This includes ensuring users have genuine control over their data and providing transparent options regarding cookie use. The regulation might also encourage the development of alternative data collection methods that better align with privacy standards.

 
Page 1 of 3

2. Considering the fact that cookies essentially collect and profile digital personal data and the main goal of the act is to
   covered under the Digital Personal Data Protection Act.
   option to reject such cookies is mandatory under the GDPR. This significantly increases the chances of cookies being
   the issue of providing only 2 options of either accepting the cookies or redirect the user to a different page, whereas the
   third party cookies to track their activity or not. Usually this notice pops up as soon as you open the site. Some sites have
   legislation. The general rule regarding cookie consent is that the consumer should be given a choice whether they want
3. The GDPR from which the DPDP act borrows includes cookie consent as one of the significant provisions under the
4. Information being collected by cookies being potentially covered under the definition of Digital personal data.
5. The inclusion of Cookies under The GDPR from which the DPDP act borrows certain provisions.
   As there are no case laws regarding this as of now the guiding point for this discussion are two fold-
   Coverage of cookies under the Digital Personal Data Protection Act
   General Data Protection Regulation (GDPR).
   India considering that this is a novel feature in a latest legislation. This concept has been borrowed from the European
   to give their consent to such collection of their digital personal data. This is a big step for the regulation of cyberspace in
   using the services of/or the third party through which such activity is conducted) to request the data principal (consumer)
   help them in this regard. The act requires the data fiduciaries (meaning the online website or app that the consumer is
   As the new act aspires to give consumers greater control over their digital personal data, it contains certain provisions to
   Consent requirements under the new Act
   access, correct or erase digital personal data.
6. It grants the user whose digital personal data is being recorded and processed, various rights including the right to
   regulations already existing within India.
7. Along with providing a system for dealing with matters contained within the act, it also gives a boost to the privacy
   assorted matters coming within the purview of the act.
8. It also aims to setup a Data Protection Board which will deal with the matters related to digital personal data and all
   being used by the data fiduciaries.
9. The act mainly aims to smoothen the way for consumers to have more control over their data and how exactly it is
   The central features of the act are multifaceted-
   Content Checked For Plagiarism
   Characters
   6056
   Plagiarised
   Unique
   Words
   924
   0%
   100%
   Date
   2024-07-14
   PLAGIARISM SCAN REPORT

Page 2 of 3

5. Will cookies continue to be used despite the DPDP?
   choice.
   devices. Users must be provided with clear options to accept or reject cookies, with a focus on transparency and user
   The DPDP requires data fiduciaries to obtain explicit and informed consent from users before placing cookies on their
6. What are the consent requirements for cookies under the DPDP?
   significant privacy concerns.

• Tracking Cookies- Used to monitor and profile user behaviour across multiple sites, often by third parties, raising
• Authentication Cookies- Used to remember user login details and settings for a more personalized experience.
  Cookies are primarily classified into two types:

5. What are the main types of cookies?
   thereby aligning with global standards like the GDPR.
   through cookies. This includes giving users the option to accept or reject cookies, particularly third-party tracking cookies,
   The DPDP mandates that data fiduciaries must obtain explicit consent from users before collecting their personal data
6. How does the DPDP affect the use of cookies?
   processing data) must handle personal data.
   greater control over their personal data and establishes guidelines for how data fiduciaries (organizations collecting and
   The DPDP is a legislative framework in India designed to enhance data privacy and protection. It provides individuals with
7. What is the Act (DPDP)?
   FAQs
   their privacy and autonomy.
   with the DPDP. In doing so, they will not only meet legal requirements but also foster trust with their users by prioritizing
   privacy regulations. Businesses must prepare for these changes by adapting their data practices and ensuring compliance
   Overall, while cookies have been a fundamental tool in digital data collection, their role is being redefined in light of new
   standards such as the GDPR.
   cookies, are central to many privacy concerns, the DPDP’s requirements for explicit consent align closely with international
   likely to have a profound impact on the use and management of cookies. As cookies, particularly third-party tracking
   in India, reflecting an increased emphasis on consumer control and consent. The act’s provisions regarding consent are
   The Digital Personal Data Protection Act (DPDP) represents a significant step in the regulatory framework for data privacy
8. 
   Conclusion
   indicate the same.
   option to choose? This essentially defeats the purpose of the act. Moreover consent requirements under the act also
   personal data and tracking user activity then the what kind of control is the user left with if they are simply not given the
   covered under the definition of digital personal data under the act. This is so because if cookies are collecting digital
   give users greater control over how their data is collected and processed, there is a high chance that cookies will be

1. The act mainly aims to s
   the
   Protection Act which has been granted the approval of the President and is waiting to be enforced. The central features of
   media companies, The Ministry of Electronics and Information Technology, came up with the Digital Personal Data
   very long time. With increasing amounts of digital data being collected and processed by the big corporations and social
   cyberspace as it exists in its present form today and was made around 23 years back. In the field of cyberspace, this is a
   handle the challenges posed by this increase. It should also be kept in mind that the IT act was not equipped to handle the
   the rapidly increasing consumption of internet related services, particularly social media, a new legislation was required to
   For a long period of time, the cyberspace in India has been regulated by The Information Technology Act, 2000 and with
   The Digital Personal Data Protection Act- Main Features
   system they have for the same, if any. This is true for both first party and third party cookies.
   considered to be secured as this factor is dependent on the site, app or the third party itself that what kind of security
   individual, in particular and the users of the app or website at large, in general. Moreover these small data files are not
   to collect the browsing history of a user and profile them on its basis. This raises serious privacy concerns for the user as an
   facilitating a comfortable user experience. Third party cookies are the primary concern in this regard as they are often used
   The problems with cookies arises when they start to act as tracking systems used to track and profile a user rather than
   meaning that they are not stored by the site or app itself but are stored by a third party associated with the site or app.
   activity of the user that was relevant to the concerned brand or business. These kinds of cookies are usually third party,
   did not have the function of tracking user activity through multiple apps and sites and were only used to monitor the