When Do Cookies become an issue under DPDPA?

We are all aware that cookies are set by websites and that they collect some technical information from visitors.

Normally cookies are stored on the user’s system at a location assigned by the browser. A cookie is a small text record and may contain some information.

Session cookies are those which exist only during a session and are automatically cleared when the session ends. Persistent cookies are those which remain on the system and are available for future reference.

When a person visits a website, a “Cookie Consent” is taken, in which an option is normally given to provide consent for “Necessary Cookies”, “Statistical Cookies” and “Marketing Cookies”. Necessary cookies are normally mandatory while the others can be optional.

When the person visits the same website again, the web server checks for the existence of a cookie belonging to it, using the cookie identifier. Once it is found, the server may use the information therein to record the current session as related to the previous session. The web server may keep its own record of the earlier session and therefore build a profile of the user in its systems.

Certain cookies (mostly in the category of necessary cookies) are meant only to record the operating system and the browser used, which are required for configuration of the web page. If the server identifies the person as coming from a mobile device, it may present a compatible page to enhance the viewer’s experience. If the information picked up is the IP address, it can be analysed to identify the user’s location, and the content can be modified based on that location.

In such uses the identity of the individual may not be required, and hence the information may remain technical and statistical information of the “De-identified Personal Information” category.

However, it is possible that some “Persistent Cookies”, which are not deleted after the session, may capture more identifiable data about the individual and store it for future use. In such cases a question arises whether the cookie is “Personally identifiable information” as per data protection laws such as GDPR or DPDPA.

If a person simply visits a website and does not provide any information such as his name, email address etc. in the process, the cookie can only access statistical and technical information. In such cases it may not be “Personally identifiable information”. If, however, the web server maintains such data linked to some other identified data in its possession, and can link the current session with the personal information already available with the server, then the cookie-gathered information together with the available information becomes personally identifiable and comes under data protection laws.

The consent to be taken by the website therefore depends on the configuration of the cookie, on whether any personal data of the visitor is already with the web server, and on whether the cookie is a persistent cookie or not.

If cookies are not marked as “Secure Cookies”, the data may be transferred over http connections without transit encryption.

Usually websites are managed by a hosting company, and the data fiduciary may not have a clear understanding of which cookies are in place and what kind of parameters they collect.

Hence it is necessary for DPOs to collect this information and construct their cookie policy appropriately. In particular, we need to understand whether cookies collect information of a personal nature and whether any copies of such information are stored in systems accessible to third parties.

Currently websites take a consent which does not specifically explain the purpose of the cookie, what type of information it collects, how long it is retained, how it is used, etc. Hence it may be necessary to list each cookie and obtain consent for each cookie separately. The current practice of taking consent for all cookies, or for categories of cookies such as functional cookies or advertising cookies, needs to be modified forthwith.
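As an added illustration of the per-cookie inventory the above paragraphs ask DPOs to build (this is example code written for this post, not a tool from the original), the following script parses Set-Cookie headers captured from a site’s HTTP responses, classifies each cookie as session or persistent, records whether it is marked Secure, and notes the points that bear on the cookie notice. The header values are constructed samples, not taken from any real website.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample Set-Cookie headers, as a DPO might capture them from the
# site's HTTP responses; they are not taken from any real website.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_stats=u-4711; Path=/; Max-Age=31536000; SameSite=Lax",
    "ad_track=tok-9; Domain=.example.org; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]

@dataclass
class CookieRecord:
    name: str
    persistent: bool      # survives the session (Expires or Max-Age is set)
    secure: bool          # only sent over HTTPS
    http_only: bool       # not readable by page scripts
    same_site: str        # SameSite value, or "unset"
    lifetime: str         # raw Max-Age/Expires value, or "session"
    findings: List[str] = field(default_factory=list)

def parse_set_cookie(header: str) -> CookieRecord:
    """Turn one Set-Cookie header value into an inventory record."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    lifetime = attrs.get("max-age") or attrs.get("expires") or "session"
    rec = CookieRecord(
        name=name,
        persistent=lifetime != "session",
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=attrs.get("samesite", "unset"),
        lifetime=lifetime,
    )
    # Points the cookie notice and consent record need to cover.
    if rec.persistent:
        rec.findings.append("persistent: state retention period and purpose")
    if not rec.secure:
        rec.findings.append("no Secure flag: may travel over plain http")
    if attrs.get("domain", "").startswith("."):
        rec.findings.append("Domain set: shared with subdomains, check third-party access")
    return rec

def audit_cookies(headers: List[str]) -> List[CookieRecord]:
    """Build the per-cookie inventory from a list of Set-Cookie header values."""
    return [parse_set_cookie(h) for h in headers]

if __name__ == "__main__":
    for rec in audit_cookies(SAMPLE_HEADERS):
        print(rec.name, rec.lifetime, rec.findings)
```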

If DPOs do not take control of the cookies on their websites, the cookies may become a source of concern at any point of time. Cookie control may be simple, but it needs to be managed along with a periodic audit.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.
This entry was posted in Cyber Law.