Understanding “Website Cookies Regulation” in India
What are Cookies? [1]
Every time a user visits any website there is a record of information about the user’s visit which includes content viewed, language preferences, time and duration of visit, or ads accessed. This information is recorded in small text files known as cookies. This information helps website owners and third parties to remember user’s devices. This also helps users to stay logged in on one website while they move between pages. Cookies are also used to track user’s online movements to serve them with targeted online ads.
Law regarding cookies [2]
· World: In Europe, the user must give his or her explicit consent to record the information of his visit on any website, application, etc under Article 5(3) of the General Data Protection Regulation (GDPR). Similarly, countries like the UK and Nigeria require explicit consent from users before using cookies. In Japan, consent is required only for third-party cookies. Contrarily, there is no cookie consent required in countries like Australia, the USA, and China.
· India: The Supreme Court of India in the case of K.S. Puttuswamy vs Union of India declared that the right to privacy is a fundamental right guaranteed under Indian Constitution. However, there is no specific law relating to the usage of cookies to date. Some people argue that cookies fall under the definition of ‘’Computer virus’ under the IT Act.
What’s next?
Since there is no cookie legislation in India, organisations are free to use personal data in any way they see fit to gain a competitive advantage. The Indian Government is in the process of passing new legislation (Personal Data Protection Law) to safeguard the personal data of users. New legislation is based on the GDPR and is still awaiting to be passed in India. The Personal Data Protection Bill 2023 mandates all organisations to take user consent for the use of cookies, however, the consent required for cookies is different from the consent required in the EU. In India, as per the new bill, only general consent is required which means no need to take a separate consent for each purpose. Also, there are heavy penalties in case the organisation doesn’t comply with the provisions of this Act. . [3]
References:
1. Ustaran E. (2023), European Data Protection Law and Practice, IAPP Publication.
2. Patnaik S. (2021), Cookies Crumbling: India needs a Cookie Law, Law School Policy Review & Kautilya Society, Link.
3. India Digital Personal Data Protection Act 2023 (DPDPA) Cookie Consent Requirements, Link.