July 2023
1. Introduction
Cookies are small files that a server transfers to the user’s browser and that are then used to track or monitor use of the website. Recently, cookies and their usage have come under scrutiny from data protection authorities. The seemingly harmless manner in which cookies are presented obscures the risks they pose to users, including violation of the user’s privacy and access to confidential information. Despite these risks, cookies remain widely used because they transform the user experience by facilitating seamless browsing. This heightens the need for a legal regime that safeguards users’ rights. Presently, India does not have a law that specifically mandates compliance with minimum standards for the use of cookies.
This newsletter briefly discusses two landmark judgments of the French Commission Nationale De L’informatique Et Des Libertés[1] (“CNIL”) on cookie usage by websites, along with cookie-centric compliance requirements in India.
2. Use of Cookies: Permissibility and Compliances
2.1 Amazon Europe Case
(a) Background: On June 27, 2022, the French Council of State[2] confirmed a fine of €35 million against Amazon Europe Core (“Amazon”) for breach of Article 82 of the French Data Protection Act, 1978. The fine was originally imposed by a restricted committee of the CNIL. Both the CNIL and the Council of State held that Amazon had deposited cookies on user terminals without obtaining the consent required under Article 82.
Article 82 states that (i) a user of an electronic communications service must be informed in a clear, complete manner of the purpose of access to the user’s terminal, and the means available to object to such action; and (ii) the user must give explicit consent after having received such information, which may even be expressed through browser settings.
(b) Contentions: CNIL’s ruling was premised on two principal failures by Amazon: (i) depositing cookies on user terminals without obtaining explicit consent; and (ii) providing insufficient information to the user before depositing cookies on their terminal.
With respect to the first ground, Amazon asserted that it was incorporated in Luxembourg and that, accordingly, only Luxembourg law applied to it, which did not require explicit user consent for depositing cookies. Rejecting this assertion, CNIL held that French law applied because (i) Amazon had a French establishment that was providing marketing solutions, and (ii) the cookies were deposited on the terminals of users accessing Amazon France’s website. CNIL observed that the Amazon France website placed more than 40 advertising cookies on the user’s terminal without seeking express consent. It held that, for consent to be effective, users must be fully informed of the purpose of the cookies along with the means to refuse them. CNIL referred to its recommendation of September 17, 2020[3] and reiterated that information relating to cookies must be visible, highlighted and complete, and that data controllers must implement a two-step consent collection mechanism in which users (i) are informed of the precise purpose of the cookies, the possibility of refusing them, and the possibility of changing the settings by clicking on a link in the banner; and (ii) are informed in a simple and intelligible way of how to accept or refuse all or part of the cookies. CNIL observed that the information banner presented on Amazon France’s website did not mention the means available for refusing the cookies; such information was either non-existent or incomplete.
With respect to the second ground, Amazon submitted that (i) the user was redirected to its cookie policy upon clicking on a “find out more” tab on the website’s information banner; and that (ii) users visiting third-party sites and viewing Amazon’s advertisement on such sites had the option of clicking on the Adchoices icon to obtain information on cookies. Thus, Amazon stated that it had provided complete information to the users.
CNIL held that users visiting Amazon’s website were presented with a generic information banner stating “By using this site, you accept our use of cookies to offer and improve our services. Find out more.” The terms “offer and improve our services” were held to give users only a limited insight into the purpose of the cookies, and did not state in express terms their precise purpose, which was to personalise content according to the user’s behaviour. It was further held that the page to which the AdChoices icon led simply allowed the user to tick a box so that Amazon would no longer display certain advertisements, and contained no information on cookies.
(c) Decision: CNIL observed that almost 300 million Amazon identifiers were allocated in France over a period of 9 months, and this volume reflected the central place occupied by Amazon in the daily lives of people residing in France. Noting the gravity of the breach and Amazon’s turnover, CNIL imposed the fine along with an injunction against depositing cookies without complying with CNIL’s recommendations of September 17, 2020.
2.2 Google LLC and Google Ireland Case
(a) Background: On December 31, 2021, CNIL imposed a fine of €60 million against Google Ireland Limited, and €90 million against Google LLC Limited (collectively “Google”) for breach of Article 82 of the French Data Protection Act. The judgment was preceded by several complaints against the complexity of the refusal mechanism for cookies on Google’s French websites.
Significantly, this was not the first time that Google had been penalised for its cookie usage. In December 2020, a restricted committee of the CNIL had also found that Google had not adequately informed users of the purpose of cookies and of the means available to refuse them.
(b) Contentions: Google asserted that simplification of the refusal process was not envisioned by the law, and CNIL could not transpose new legal requirements. As long as Google provided a refusal mechanism, it was irrelevant how the mechanism operated.
CNIL observed that consent given by a user must be free, specific, informed and unambiguous, and must be manifested in a clear, positive act. Such consent cannot be regarded as freely given if the user has no free choice or is unable to refuse or withdraw consent without detriment. A check carried out by CNIL’s delegation found that accepting cookies required the user only to click on an “I accept” button, whereas refusing cookies required the user to undertake five steps. It was observed that such mechanisms implicitly encourage users to accept cookies rather than go through a lengthy refusal process. Presenting a difficult process for refusing cookies creates only an illusion of choice: the methods by which refusal can be expressed bias the expression of choice in favour of acceptance. CNIL further noted that websites providing a “refuse all” button for cookies saw a decrease in the acceptance of cookies.
Refuting Google’s contention, CNIL further observed that, under Article 81(2)(b) of the GDPR, it has the power to draw up and publish guidelines, recommendations or references to facilitate compliance with data protection law, and referred to its recommendations of July 2019[4]. Article 2.30 of these recommendations states that “data controllers must offer users both the possibility of accepting and refusing read and/or write operations with the same degree of simplicity.”[5] CNIL observed that the 2019 recommendations only illustrate the law in concrete terms and do not create new obligations.
(c) Decision: Consequently, noting Google’s reluctance to comply with mandatory legal requirements despite previous decisions against its cookie practices, and the turnover earned, CNIL imposed the fines along with an injunction against continuing the present mechanism for refusing cookies.
3. Regulation of cookies in India
Presently, India does not have a law on data privacy, and data protection is primarily governed by the Information Technology Act, 2000 (“IT Act”) along with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”). There is also no law, regulation, or guideline on cookie related compliances. However, to the extent cookies deposited on a user’s system access any sensitive personal data, such access will be governed by the SPDI Rules.
Rule 6 of the SPDI Rules requires body corporates to obtain consent in writing, whether through email, fax or letter, for the collection of sensitive personal data. This consent must be obtained prior to the collection. Further, while collecting information, it must be ensured that the data subject knows (a) that information is being collected; (b) the purpose of the collection; (c) the intended recipients; and (d) the name and address of the agency collecting the information and of the agency that will retain it. Rule 6(7) requires that data subjects be given the option to refuse the collection of their data.
Further, an entity falling under the definition of “intermediary”[6] under the IT Act, must also comply with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. Rule 3(a) requires an intermediary to publish the privacy policy, user access rules and regulations prominently on its website or applications. This will also include any cookie related rules, regulations, or policies.
To summarise, an Indian entity using cookies on its websites, platforms or applications should ideally comply with the following minimum requirements in order to avoid potential future action:
- Explain the nature, type, purpose of the cookies in clear, explicit terms and make such information easily accessible to the user;
- Seek explicit consent of the user and do not transmit cookies to the user’s browser before obtaining such consent; and
- Provide a clear right to refuse the cookies, and make the rejection mechanism for cookies as simple as acceptance.
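The three requirements above, as an added example that is not part of the newsletter: a small JavaScript consent gate (cookie names, categories and the in-memory cookie store are constructed for illustration) that refuses to deposit any non-essential cookie until the user has performed an explicit act, and in which refusing all cookies takes the same single step as accepting them.

```javascript
// Added example, not from the newsletter: a consent gate modelling the CNIL
// requirements described above. Names, categories and the "jar" are constructed;
// a real site would wire setCookie() to document.cookie or Set-Cookie headers.

const ESSENTIAL = "essential";            // strictly necessary; exempt from consent
const CATEGORIES = ["analytics", "advertising", "personalisation"];

class ConsentGate {
  constructor() {
    this.decision = null;                 // null = no explicit act yet; browsing is not consent
    this.jar = new Map();                 // stands in for the user's cookie store
    this.blocked = [];                    // writes refused because consent was absent
  }
  // Accepting and refusing are each a single call (one click): same degree of simplicity.
  acceptAll() { this.decision = new Set(CATEGORIES); }
  refuseAll() { this.decision = new Set(); }
  // Partial consent: unknown categories are ignored rather than silently granted.
  choose(categories) { this.decision = new Set(categories.filter(c => CATEGORIES.includes(c))); }
  // Withdrawal is as easy as consent and removes cookies already deposited.
  withdraw() { this.decision = new Set(); this.purgeNonEssential(); }

  allowed(category) {
    if (category === ESSENTIAL) return true;
    return this.decision !== null && this.decision.has(category);
  }
  // The only path for depositing a cookie: no explicit consent, no non-essential write.
  setCookie(name, value, category) {
    if (!this.allowed(category)) { this.blocked.push(name); return false; }
    this.jar.set(name, { value, category });
    return true;
  }
  purgeNonEssential() {
    for (const [name, c] of this.jar) if (c.category !== ESSENTIAL) this.jar.delete(name);
  }
}

// A session: page load before any click, then an explicit one-step refusal.
function demoSession() {
  const gate = new ConsentGate();
  gate.setCookie("session-id", "abc123", ESSENTIAL);  // allowed: needed to stay logged in
  gate.setCookie("ad-id", "xyz", "advertising");      // blocked: no consent yet
  gate.refuseAll();                                   // one click, same as acceptAll()
  gate.setCookie("ad-id", "xyz", "advertising");      // still blocked after refusal
  return { cookies: [...gate.jar.keys()], blocked: gate.blocked };
}
```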
Non-compliance may attract a penalty under the IT Act. For instance, Section 43 of the IT Act provides that any person who accesses or secures access to a computer system or network, or downloads, copies or extracts any data from such a computer system or network, or introduces any computer contaminant, is liable to pay damages to the affected user.
4. Conclusion
Recent judgments have paved the way for greater recognition of user rights when it comes to cookies. The decisions against entities like Google and Amazon, ordering them to bring their cookie policies into compliance with globally accepted privacy principles, have drawn attention to the routine use of cookies without proper checks and balances in place. Data protection authorities are leaning towards the view that users should have the right to accept, reject or customise their cookie preferences, and should have complete information as to the purpose of the cookies. CNIL’s decisions show that any entity placing cookies on user terminals located in France is governed by French law and, accordingly, may be penalised for any non-compliance. This highlights the need for platforms to ensure compliance with certain minimum standards while using cookies, regardless of their country of operation or incorporation. The present system of using cookies must be overhauled in order to ensure compliance with new-age privacy principles and to provide a more comprehensive set of rights to users.
[1] French administrative body ensuring application of data privacy laws
[2] Highest court of appeal in France
[3] The recommendations lay down certain basic compliance requirements that must be followed by entities using cookies. These are centred on obtaining free, informed and explicit consent, providing a clear right of refusal and withdrawal, etc. The recommendations can be accessed here: Délibération n° 2020-091 du 17 septembre 2020 portant adoption de lignes directrices relatives à l’application de l’article 82 de la loi du 6 janvier 1978 modifiée aux opérations de lecture et écriture dans le terminal d’un utilisateur (notamment aux « cookies et autres traceurs ») et abrogeant la délibération n° 2019-093 du 4 juillet 2019 (cnil.fr)
[4] This has been repealed by the recommendations of September 17, 2020
[5] The recommendations state that the mechanism for expressing a refusal to consent to read and/or write operations must be accessible on the same screen and with the same facility as the mechanism for expressing consent.
[6] “Intermediary,” with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes