Cookies and Data Protection Law

Every time you visit a website, the server leaves an identifier or an artifact on your system. That helps it track your activity throughout the web. It enables any website to identify, profile, or target you. Of the many resources like IP addresses, pixel tags, or other identifiers, the Cookie is one of the most widely used. Although this is not germane from a legal perspective, we are still exploring the fundamentals, so I thought of focusing this article on "Cookies" and how they play an important role in safeguarding, as well as sometimes violating, our privacy rights.

What does a Cookie exactly mean?

While major privacy laws (GDPR, DPDPA, or the CCPA) do not specifically define a Cookie, we may refer to some of the extracts where the term Cookie is used.

Recital 30 of the GDPR uses the word Cookie amongst the other identifiers that can be used to identify Natural Persons. It says that Natural Persons:

...May be associated with online identifiers provided by their devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers, or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

Similarly, sec. 2(aj) of the California Consumer Privacy Act doesn't define a Cookie but clubs it among the "Unique Personal Identifiers" that can be "persistently" used to identify a person. Excerpt:

UPI means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device that is linked to a consumer or family. For purposes of this subdivision, "family" means a custodial parent or guardian and any children under 18 years of age over which the parent or guardian has custody.

Thus, all the stipulations, requirements, and compliances relating to such identifiers apply to Cookies as well. A more straightforward definition of a Cookie can be found on the Legal Information Institute website maintained by Cornell, which says that a Cookie is:

Data created by an internet server while browsing a website that is sent to a web browser. The browser stores the information in a text file, and re-sends that information to the server each time the browser accesses the server.

How do Cookies work?

Cookies have become ubiquitous in the digital era. Advertisers, Websites, and Social Media platforms seek to scan and interpret every activity of a user so that they can provide a "customized" ad or recommendation. Generally, Cookies are stored on a user's device - necessarily the browser cache or program files. They may be updated from time to time depending on a user's activity and their role.

At the same time, a plenitude of Cookies, in general, have the potential to invade a user's privacy. No wonder whenever you search for something personal - let's say certain types of clothes, some illness, disability, pain, or issue - the internet smears your online experience with similar ads. For instance, a friend recently searched for a hearing aid for her grandmother, and now she constantly keeps getting hearing aid ads everywhere, from YouTube to news websites.

Naturally, the law took much time to evolve, and only after the GDPR was a wider protection against such activities available. The State of California followed suit with the CCPA, while the UK also drafted a Data Protection Law simultaneously.

What do Cookies Contain?

Cookies are files that are stored on the user's device for different purposes, ranging from containing the login credentials and session IDs to remembering items in a shopping cart. Cookies that track a user session are ephemeral - they die (get deleted) once the session ends. This includes logging into your bank account or a social media session. Other types of Cookies may remain on the user's device for a specified or unspecified duration.

The advantage of Cookies is that they make our online experience easy and personalized. Each time you log in to the YouTube page, the best recommendations are known because the website knows it's "you."

If they are so helpful, then why complain?

Using school essay-type language here - just as a coin has two sides - Cookies too may go beyond the purpose they intend to serve. For instance, it would generally be fine if a website puts in two or three Cookies that deal with a user's login creds, country customization, and news preference. Yet, as the example below shows, users are inundated with multiple other "Ad Cookies" as well. The snips below are from respective browsing sessions on Reuters, Bloomberg, and BBC on a Sunday.

[Image: Cookies on Bloomberg.com]
[Image: Cookies on BBC.com]

Did you notice the Cookies from "other sites" in the above? From what their names indicate, the Cookies from other websites concern digital surveys, ad preferences, and even eCommerce.
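
The two distinctions made above (session versus persistent Cookies, and Cookies from the visited site versus "other sites") can be read directly from the Set-Cookie response headers a browser receives. The Python sketch below is an added example, not part of the original article; the hostnames and header values are constructed, and the first-party check is a simplification that compares the Cookie's domain with the page host rather than using the registrable-domain rules real browsers apply.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: (host that sent the response, Set-Cookie header value).
PAGE_HOST = "www.news.example"   # hypothetical site shown in the address bar
SAMPLE = [
    ("www.news.example", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("www.news.example", "edition=in; Domain=news.example; Max-Age=2592000; Path=/"),
    ("ads.tracker.example", "uid=7f3c9; Domain=tracker.example; "
     "Expires=Wed, 31 Dec 2025 23:59:59 GMT; Path=/; Secure; SameSite=None"),
    ("survey.poll.example", "seen=1"),
]

def parse_set_cookie(header):
    """Split a Set-Cookie value into its name and a dict of lower-cased attributes."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def lifetime(attrs, now):
    """None means a session cookie; otherwise the time left before expiry."""
    if "max-age" in attrs:                      # Max-Age wins over Expires
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None

def party(attrs, response_host, page_host):
    """Simplified: browsers compare registrable domains (Public Suffix List)."""
    scope = attrs.get("domain", response_host).lstrip(".").lower()
    page = page_host.lower()
    same = page == scope or page.endswith("." + scope)
    return "first-party" if same else "third-party"

def audit(cookies, page_host, now):
    """Return (name, party, kind, whole days of lifetime or None) per cookie."""
    report = []
    for response_host, header in cookies:
        name, attrs = parse_set_cookie(header)
        left = lifetime(attrs, now)
        kind = "session" if left is None else "persistent"
        days = None if left is None else left.days
        report.append((name, party(attrs, response_host, page_host), kind, days))
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE, PAGE_HOST, datetime(2024, 1, 1, tzinfo=timezone.utc)):
        print(row)
```

Persistent third-party rows in such a report are the ones that match the "Ad Cookies" described above and are the natural starting point for a consent review.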

GDPR and Cookies

The GDPR has laid down multiple safeguards to ensure that the collection of personal information through Cookies is subject to stringent requirements. No wonder you may have seen in the last few years that websites have started explicitly seeking consent from users before storing Cookies on their systems. Further, this must be accompanied by why a Cookie is being held, along with an option for the user to decline or withdraw consent later. Another interesting area where Cookies become relevant is the "right to be forgotten" under the GDPR, where users can seek deletion of their identity and data from a website.

Similarly, on the other side of the Atlantic (technically, California is on the western seaboard of the USA, so it is Pacific), the State of California made the CCPA law granting Californian consumers the right to know about their data. Similar to the GDPR, a user has the right to opt out of the sale of their personal data. Thus, the relevant Cookies must be deleted. That's it.

Do you think this is enough?

To answer in a single word - No. Stricter consent and disclosure requirements have led to the loss of user experience on many websites, to the extent that some claim that the GDPR spoiled the internet experience as a whole.

Further, with Apple flexing its privacy muscles, websites like Meta started adopting strategies with less and less reliance on cookies, paving the way for using artificial intelligence to take over the meticulous work of recommending ads (Meta's recent breakout earnings were attributable to this).

Let's see how Cookies are treated under the DPDPA, 2023, when the Rules are drafted.

To read the earlier articles in this series, click the links below:

  1. Difference between Data Protection and Data Privacy Law
  2. Why do we need a Data Privacy Law?


Ujjwal Kumar Bose

Strategic Legal Leader | Data Privacy Evangelist | FIP | CIPP E & US | CIPM | GDPR | Mentor | Researcher | Speaker | Tech Enthusiast

1 yr

The EU ePrivacy Directive and a few case laws like Planet49, decided by the German Federal Court, deal with cookies in great detail.

Manjri Bhosle (LLB , BCom, Co.Secretarial Executive)

Risk Management |Contract Drafting | Compliance | Legal Counsel | Fraud Investigation |Payments Compliance

1 yr

So, are COOKIES a boon or bane?
