#PrivacyofthePeople: this Cookie will not crumble…

tl;dr

In the last #PrivacyofthePeople post, we captured the conflict between efficiency and privacy posed by the use of voice assistants. In this post, we highlight the same conflict posed by a more fundamental component of our everyday internet: cookies. While cookies presently perform a lot of key functions in ensuring a smooth user experience (such as ensuring that your shopping cast stays with you through different pages on an online marketplace), they also raise concerns about user privacy and data collection as we discuss here.

Why should you care?

Do you play Wordle everyday? Obviously! Do you use your favourite websites regularly? Obviously! Well, almost all websites you use place cookies on your device in order to identify you, your preferences and information about you like your username and password or your pin code. This information, stored in your devices through cookies, if not protected by law, can be exploited by websites to help create your data profile which can be used for monetary gains, or expose you to data breaches and law enforcement data-demands. Keep reading to find out how cookies work, and how the Data Protection Bill, 2021 proposed by the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 addresses associated privacy concerns.

Why do websites store cookies?

Web cookies are packets of data, created by websites/web servers and stored on a user’s electronic device by their web browser. The term ‘cookie’ used in programming draws its genesis from ‘fortune cookies’ - cookies embedded with messages. Web cookies are embedded with textfiles which contain a unique name-value pair. An example of a name-value pair is a unique ID. Whenever you visit any website for the first time, the website creates a unique ID number for you and stores it on your computer as a cookie file. During this visit, the selected links, visited pages, information provided on the website through forms, items added on shopping carts etc. are stored on the website’s database. When you visit the same website for the second time, the cookies (i.e. the unique ID) created by the website during the first visit and stored on your device are retrieved by the website which helps the website identify you and your preferences when you visit the website. This often provides users with a personalised experience, saves time, and makes their experience on the internet hassle free.

A name-value pair is basically a name given to data, and a website can store many name-value pairs on a user’s device as a cookie file. This can include a main unique ID, a separate unique ID for each session, duration of a session, pin code, location, username and password to keep a user logged in, language preference, etc. In this way, cookies can store a wealth of personally identifiable data without user consent. Since cookies are stored locally on user devices, they reduce data-storage and maintenance costs for websites, while allowing them to create a personalised user experience.

Cookies and data

Cookies come in various types (though these may overlap):

  • Essential and non-essential: Essential cookies are those that are strictly necessary for carrying out communications over a network or for providing the specific service requested. Non-essential cookies are those which are used for analytics or advertising.
  • First party and third party: First party cookies are those used by the website you are visiting. Third party cookies are used by third parties such as advertisers whose ads may be running on the website you visit.
  • Session and persistent: Session cookies are those that expire after you close your browser and typically stored in temporary memory. Persistent cookies are those that generally expire only upon manual deletion and are generally stored on your hard drive.

The type of a particular cookie determines how harmful or useful it can be, depending on what type of data it helps to store and for how long. For example, non-essential cookies may indeed help websites customise your user experience, but they may also help entities track your behaviour across websites. Alternatively, session cookies may not collect as much user data, but they only have limited functionality.

In light of this, there arise two fundamental issues with cookies. Firstly, as mentioned earlier, the data which cookies point to contains a wealth of personal information that may often be sold to private companies. These entities may use this data to target you with exploitative ads or worse; as the Cambridge Analytica scandal showed, comprehensive data profiles of individuals can be built up by harvesting their personal data. Now, even while third party cookies are slowly being phased out (which are mostly cookies from advertisers), other types of cookies are not going anywhere (indeed, advertisers will still get access to tools such as Google’s Privacy Sandbox). Furthermore, when our data goes up for auction online, hundreds of entities get to view it, regardless of whether they are the winning ‘bidders’ or not. Thus, it is this very process of auctioning off this data from which any potential implications for user privacy stem.

The other issue is, of course, user consent. In India, unlike in other countries, websites do not ask users before deploying cookies of any type.  Therefore, at present, users are not even aware of the extent to which their data is being extracted and exploited. Cookies also bring with them issues of device and network security: through tools such as cookie tossing and cookie overflow attacks, attackers can hijack users' sessions and deliver malicious code.

The natural question then is the following: what all data should cookies collect? Furthermore, to what extent should personal data be collected?

Cookies and data protection

While users ostensibly have full control over deleting cookies from their device, by the time the user exercises this power vast amounts of data stored in the form of cookies have likely already been used by websites to create the user’s profile identifying them and their personal preferences. Furthermore, this control is not easily exercised: for example, simply going to your browser’s security settings and pressing the delete cookie button may not actually delete all the cookies.

The Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 released its report in December 2021 and introduced the Data Protection Bill, 2021 (‘Bill’) incorporating the amendments and omissions suggested by the JPC. Clause 11 of the Bill makes a provision for user consent. Application of Clause 11 in the context of cookies will imply that websites cannot process personal data of any user without taking their consent. The consent is required to be taken at the beginning of the data processing process and must be free and informed (as per Clause 7). The websites will have to provide information about the purpose of data processing, nature and categories of personal data collected, the right and the procedure to withdraw consent, details about sharing of personal data etc. Implementation of these clauses of the Bill will ensure that informed user consent is taken before placing any cookies on a user’s device.

The solutions

In order to address the privacy concerns associated with cookies, we recommend that:

  • Code of practice for the use of cookies: The Data Protection Authority, under Clause 50 of the Bill may specify a specific code of practice for the use of cookies by websites. A starting point could be the European Union’s General Data Protection Regulation (‘GDPR’) and the 2002 ePrivacy Directive which provide for a consent framework for the use of cookies which makes user consent for all cookies except strictly necessary cookies mandatory. This consent needs to be informed and websites must provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is taken.
  • No to ‘cookie walls’: Furthermore, any forthcoming data protection legislation must explicitly include a provision that allows users to access websites even if they do not consent to the use of certain cookies. Such guidelines may be based on the GDPR’s guidelines on consent and ‘cookie walls’ that block withheld access upon non-receipt of consent. The process of withdrawal of consent itself  must also be elaborated upon and must be made easy.

Important documents

  1. The report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 tabled on December 16, 2021 (link)
  2. Key Takeaways: The Joint Parliamentary Committee Report and the Data Protection Bill, 2021 #SaveOurPrivacy (link)
  3. Comparing the Data Protection Bill, 2021 with its predecessors (link)
  4. Our #PrivacyOfThePeople series, where we have discussed the impact of the PDPB on different sections of society (link)