Introduction
In cyberspace as it exists today, there is hardly any website that does not rely on cookies. From e-mail clients and streaming platforms to blogs and gaming portals, almost all of them use cookies for the most basic operations that users carry out on these websites. In fact, over the last couple of years, we have all observed that a pop-up outlining the cookie statement appears whenever we open a website. In order to proceed with browsing, we have to agree to the use of certain necessary cookies, whereas other, additional ones can be refused. It is often confusing for web users to decide whether to allow cookies from a website, since the policy usually states plainly that the cookies will track the data that users generate. A further doubt arises in a user’s mind as to which cookies are really necessary and which ones add nothing to their browsing experience. So, what are cookies?
Cookies: A Primer
Basically, a web cookie is a small piece of text data that a website stores in the user’s browser. For example, the first time you visit a news site, a cookie is created that stores a set of keys which will be used to identify your browser on the next visit. Moreover, if you select certain preferences for the sort of news you wish to read and in what language, then this data will also be collected and stored. The next time you visit this news site, the data stored in this cookie is sent back to the server, which uses it to recognise the returning browser and applies the previously collected news preferences to tailor further interactions specifically to you. This is an example of a very basic Hypertext Transfer Protocol (HTTP, the protocol used for transferring web pages and files over the internet) cookie that makes browsing easier for users. Without such a cookie, e-commerce portals like Amazon or Flipkart would not be able to save the items that users add to their shopping carts once the page is closed.
There are several other benefits of web cookies for both users and developers. For the latter, one of the most crucial advantages is that cookies are stored locally on the user’s device and take up no storage on the server. Thus, cookies are an extremely effective and cost-efficient way of storing user information and personalising their experience without actually investing in server space. Cookies also let websites recognise users and personalise various elements such as advertising. In consideration of all these benefits, cookies seem to be a very favourable tool for users and developers alike. However, there is a flip side to the use of cookies, which becomes apparent on further analysis.
Risk Factors
A cyber-attack can potentially target the cookies stored on a computer and gain access to the data stored in them, such as passwords, codes, and other sensitive information. This also allows an attacker to track a user’s browsing sessions and history, which is a breach of privacy at the very least. The level of threat posed by a cookie depends largely upon its source. A cookie created directly by the website being visited is known as a first-party cookie, whereas third-party cookies are created by a domain other than the one the user is interacting with, typically through content such as advertisements embedded in the page.
In the case of a first-party cookie, the data will generally remain safe unless the host website itself has been compromised, leading to a user data breach. On the other hand, it is difficult even to keep track of how many cookies have been granted access to a user’s data, because of the numerous advertisements that any website carries on its pages; these types of cookies are then used by advertisers to assess the user’s browsing history by matching their data against cookies derived from other websites. Consider an example: user A visits an e-commerce website X which contains advertisements for a company M. The cookie placed by M records a unique identifier for A’s device. Subsequently, when A visits another portal Y, which also carries advertisements for M, the cookie holding A’s identifier is sent to M again, so M can match the two requests and infer that A is the same person visiting both websites. Thus, it becomes very easy for an advertising company to track a user’s movements in cyberspace through the use of third-party cookies.
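As an added illustration of the first-party/third-party distinction and the A/X/Y/M tracking example above (example code, not part of the original article): it classifies the cookies set while loading a page by comparing each cookie’s domain with the page’s site, then shows how an identical third-party identifier observed on two unrelated sites lets the advertiser link the visits. The hostnames and cookie values are constructed, and the site_of helper uses a naive last-two-labels rule rather than the Public Suffix List.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit
from collections import defaultdict

def site_of(host):
    # Naive eTLD+1: last two labels. Assumption for illustration; real code should use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def classify(page_url, responses):
    """responses: (response_url, Set-Cookie header) pairs observed while loading page_url.
    A cookie is first-party when its domain belongs to the same site as the page, third-party otherwise."""
    page_site = site_of(urlsplit(page_url).hostname)
    result = []
    for resp_url, header in responses:
        jar = SimpleCookie()
        jar.load(header)
        for name, m in jar.items():
            # Without an explicit Domain attribute the cookie belongs to the responding host.
            domain = (m["domain"] or urlsplit(resp_url).hostname).lstrip(".")
            result.append({
                "name": name, "value": m.value, "domain": domain,
                "party": "first" if site_of(domain) == page_site else "third",
                "secure": bool(m["secure"]), "httponly": bool(m["httponly"]),
            })
    return result

def cross_site_links(visits):
    """visits: (page_url, responses) pairs. Returns the third-party cookies seen on more than one
    site, mapped to those sites: a tracker holding such a cookie can tie the visits together."""
    seen = defaultdict(set)
    for page_url, responses in visits:
        for c in classify(page_url, responses):
            if c["party"] == "third":
                seen[(c["domain"], c["name"], c["value"])].add(site_of(urlsplit(page_url).hostname))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

# Constructed sample: user A loads shop X and then portal Y; both embed an ad pixel from M.
# M re-issues the same device identifier it received, so the cookie value is identical on both visits.
VISIT_X = ("https://www.shop-x.example/cart", [
    ("https://www.shop-x.example/cart", "session=abc123; Path=/; Secure; HttpOnly"),
    ("https://ads.m-example.net/pixel.gif", "uid=device-7f3a; Domain=.m-example.net; Path=/; Max-Age=31536000"),
])
VISIT_Y = ("https://news.portal-y.example/", [
    ("https://news.portal-y.example/", "lang=en; Path=/"),
    ("https://ads.m-example.net/pixel.gif", "uid=device-7f3a; Domain=.m-example.net; Path=/; Max-Age=31536000"),
])

if __name__ == "__main__":
    for c in classify(*VISIT_X):
        print(c)
    print(cross_site_links([VISIT_X, VISIT_Y]))
```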
Illustrative Cookie Policies
In this section, the author will attempt to analyse the cookie policies of certain popular websites. To begin with, let us take the portion of Google’s Privacy and Terms which talks about their use of cookies. In the most basic sense, Google uses cookies to store user preferences such as language and advertisement relevancy, as well as to analyse visitor counts for a particular page. It is provided that “most people who use Google services have a cookie called ‘NID’ in their browsers. This cookie contains a unique ID used to remember your preferences and other information such as your preferred language, how many search results you prefer to have shown on a results page (for example, 10 or 20), and whether you want to have Google’s SafeSearch filter turned on. Each NID cookie expires 6 months from a user’s last use.”
YouTube also employs cookies to store
user preferences regarding page configuration, autoplay, etc., as well as for
security purposes to help “authenticate users, prevent fraud, and protect
users as they interact with a service.” In addition to these, there are
personalisation and advertising cookies as well, which Google uses for
displaying ads and measuring their effectiveness so that more relevant
advertisements can be shown. Twitter’s Cookie Policy provides an upfront list of services
for which cookies are used, such as to “keep you logged in to Twitter,
deliver features and functionality of Twitter services, save and honour your
preferences, personalize the content you see, protect you against spam and
abuse, show you more relevant ads, provide subscription features and distribute
certain content, understand how you interact with our services and where we can
improve.”
It is stipulated that Twitter also allows third parties, such as those who incorporate Twitter’s advertising services, to make use of these cookies and related data. However, there is no option for a user to reject any cookie used by Twitter, and the use of their services is taken to imply acceptance of being subjected to these cookies. When a person is signing up for a new account on Twitter, a small message is displayed below the ‘Sign Up’ button which reads, “By signing up, you agree to the Terms of Service and Privacy Policy, including Cookie Use.” The Wikipedia cookie statement, on the other hand, states that no cookie is actually required for reading or editing any of the content on their websites. In the event that a user wishes to sign up with the website for the purpose of making edits, the use of cookies is required in order to associate account data with the user and the edits that they perform.
Regulatory Regimes
There is a substantial lack of legislation, national or international, governing the use of cookies in cyberspace. The most extensive authority on this subject is the General Data Protection Regulation (GDPR), adopted by the European Union in 2016 and in force since 2018. Essentially, the GDPR prohibits the processing of any sort of data which could be used to identify a person, such as their name, nationality, sexual orientation, etc., without their explicit consent. This consent must be specific, informed, and unambiguous in nature, in addition to being freely given.
The GDPR gives users legal rights over
their personal information, which include the right to be made aware of a
website’s privacy policy before they browse that website, the right to access information
about how their data is utilised, the right to object to any activities
involving their personal information or even to have such information deleted
if it is no longer needed for the intended purpose, the right to limit
processing of personal data in certain circumstances, and several others. Under
the GDPR, website owners and operators are legally responsible for ensuring
that personal data is gathered and treated legitimately. If a website outside
of the EU collects data from EU residents, it must also comply with these norms.
It is mandated that a website can only gather personal data from users after
they have provided their explicit agreement to the precise purposes of its
usage. There are certain conditions which must be met according to the GDPR for
using cookies: (1) before any cookie activation, prior and express consent must
be sought (except for whitelisted, necessary cookies), (2) users must be able
to activate some cookies but not others, and they must not be compelled to
consent to all cookies or none at all, (3) consent must be freely granted, (4)
consent must be as easy to withdraw as it is to provide, and (5) consents must
be stored safely and renewed once a year.
The ePrivacy Directive of 2002, also known as the cookie law, is another authoritative document that lays down guidelines for tracking, confidentiality, and monitoring of users’ activities online. The cookie law is a piece of privacy legislation that requires websites to obtain consent from visitors before storing or retrieving any information on a computer, smartphone, or tablet. If any website has users visiting it from inside the European Union, then it is subject to the rules of the ePrivacy Directive, which require the website controller to: withhold all cookies until users have given explicit consent to their activation, give end-users clear and comprehensive information about all cookies embedded on the website in simple language, ask end-users for consent to all cookies in as user-friendly a way as possible, and enable end-users to refuse or withdraw consent as easily as they can provide it.
Analysis
Let us now examine the effectiveness
and functionality of data privacy rules such as the GDPR on the rampant use of
cookies. In late 2021, Alphabet and Meta, the respective parent companies of
Google and Facebook, were collectively penalised by more than 200 million euros in
France by the Commission Nationale de l’Informatique et des Libertés for
not facilitating free consent for the use of cookies as required by the GDPR.
While users only had to press a single button in order to accept all cookies,
refusing them entailed more complicated and time-consuming manoeuvres, which
users were more likely to avoid due to the multiple clicks it involved.
In a study conducted in 2020 of users residing in the European Union, it was found that a whopping 93% of them accepted the use of all cookies even though the websites offered an option to open another window for reviewing and managing their cookies. This means that by making it harder for users to refuse cookies, a website is not actually allowing users to make free and informed choices over the deployment of cookies, since refusal is actively being discouraged. Websites are trying to find ways to circumvent the GDPR requirement of free consent by employing various methods to get users to press the accept button. For instance, an analysis of fifty popular websites brought to light that 64% of them did not comply with these rules. This figure includes giants such as Google, Facebook, and Twitter, which have millions upon millions of people using their services on a daily basis, and which are thus illegally collecting the data of a great many unsuspecting people.
Therefore, it can be seen that even though a liability has been cast upon websites falling under the jurisdiction of the European Union to comply with the GDPR in formulating appropriate cookie policies and collecting informed consent from users before making use of various cookies, hardly any website follows it. From the smallest entity to the largest technology conglomerate, none of these websites has thought it fit to comply with the norms, as the monetary benefits obtained from collecting and processing users’ personal data are too high to forego. Another reason for such blatant non-compliance is the toothless nature of the GDPR, which does not have any proper enforcement or penalising mechanism. The French regulator CNIL recently handed out fines to Google and Facebook, which gave people hope that independent regulators will step up to the plate and make sure websites follow the rules.
Conclusion & Way Ahead
In India, there is neither any comprehensive personal data privacy regulation, nor is there any explicit legislation governing the use of cookies. The Supreme Court ruled in K.S. Puttaswamy v. Union of India [(2017) 10 SCC 1] that the right to privacy is a fundamental right guaranteed by Part III of the Indian Constitution. The judgment also holds that a user’s personal information cannot be used without his or her consent. Cookies, however, are not considered to fall under the ambit of personal information in India. As a result, Indian companies are not required to include a cookie policy in their privacy policies, and this allows websites to place many types of cookies on users’ devices without their consent, including both necessary and superfluous cookies. Thus, exposing a user’s data to third parties without their consent is a violation of their right to privacy.
It is imperative in such a scenario that the void in the Indian legislative sphere is filled by an effective and privacy-oriented law at the earliest. In essence, this law should clearly stipulate the indispensable condition of obtaining free consent from users before a cookie can be placed on their device. Additionally, an attempt should be made to delineate certain broad categories of cookies, classified on the basis of the threat they pose to privacy and the availability of safeguards, which are and aren’t permitted for use, so that the onus is put on websites at the implementation stage itself to keep tabs on the legality of their cookie usage. To avoid the lack of compliance and enforcement that has been found to be the fault of the GDPR, this statute must put in place a strict framework for dealing with contraventions of norms. A system of strikes, in combination with an accessible complaint mechanism, can be established where each successive strike against a website attracts a range of penalties. Upon crossing a threshold of strikes, the website can be blocked and given a time window by the regulator to cure all defects. Ultimately, it is the state’s role to step into the shoes of a regulator and prevent the curse of these omnipresent cookies from disturbing cyberspace.
(This article was originally published on National Law Institute University, Bhopal's Cell for Law & Technology Blog and can be accessed through these links: Part I, Part II.)