
NOTE

COOKIE POLICY

This note aims to provide a brief introduction to cookies, the consent required for their use,
and the consequences of accepting or rejecting them.

Introduction

At the outset, it is relevant to mention that cookies are data files that get stored in the user’s device
once a user visits a website. During the time the device is on the website (and often up until the next
time that device accesses the website), the website remembers the device and gathers information
about what the device is doing or did in the meantime. In simpler terms, cookies let websites track
user behavior when they interact with the website, and sometimes when they interact with other
websites.

Generally, different types of cookies are active on a website and interact with users while they
access it, such as necessary cookies, social media cookies, third-party cookies, session cookies,
zombie cookies, etc.

Requirement of Consent for using Cookies

The laws in India do not provide any legislative restrictions on the use of cookies explicitly. The
Hon’ble Supreme Court of India in the matter of K.S. Puttaswamy v. Union of India [(2017) 10 SCC
1] has held that the right to privacy is a fundamental right and that personal information of the user cannot
be utilized without the user’s consent. However, it is relevant to mention that cookies are not defined
as personal information in India, which gives websites the freedom to issue various types of
cookies, including necessary and unnecessary cookies, into the user’s device without their consent.
However, the Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules 2011 will be applicable when cookies collect or process sensitive
personal data or information, a subcategory of personal data that includes passwords, financial
information, data relating to physical, physiological and mental health conditions, sexual orientation,
medical records and history and biometric information. Further, under Section 43 of the Information
Technology Act, 2000, permission from the data owner is required to download, copy or extract any
data or information from the computer, which squarely applies to cookies as well. However, there are
no specific guidelines or judicial precedents for the same.

The Digital Personal Data Protection Act, 2023 (“DPDPA”) was published in the official gazette
pursuant to a notification dated August 11, 2023, and will become effective from the date notified by
the Central Government. DPDPA does not specifically call out cookies. According to DPDPA,
consent is the only legal basis for processing personal data apart from other ‘legitimate uses’ (such as
when an individual voluntarily provides their personal information for a specified purpose or if
processing is necessary for employment-related purposes). The requirements of a valid consent under
the DPDPA are high (it needs to be free, specific, informed, unconditional and unambiguous with a
clear affirmative action, and is required to signify an agreement to the processing of personal data for
the specified purpose, and must remain limited to such personal data as is necessary for that purpose).
Accordingly, it is likely that an ‘opt-in’ consent (where users need to take an affirmative action to
confirm their approval) will be required in India. To tread on the safe path in terms of privacy
compliance, websites can, in addition to the privacy notice, display a separate cookie banner mentioning
the types of cookies with a choice to accept or reject their use.

Consequences of Accepting or Rejecting Cookies

Cookies enhance the users’ experience. There are websites that use cookies even without the user’s
permission but cannot get information about the user. The potential problem with refusing to accept
cookies is that some website owners may not allow one to use their websites if one doesn't accept their
cookies. Organizations will no longer provide access to their websites without cookie permission as
the websites simply may not work without cookies, and even if they do allow it, one may not receive the
full user experience on the sites. However, there are many websites that still allow a user to access
most of their sites without accepting cookies.

While cookies are generally considered only to track user activities in order to understand the
behavioral pattern of the user and deliver tailored advertisements, some cookies can also store the
personal information that the user provides on the website. For instance, the credit card details that are
provided by the user on a website can be stored by such cookies. Similarly, third-party cookies, which
are placed by companies that do not own the website the user is visiting, may pose a severe privacy risk.
For instance, a user may be visiting an educational website that contains advertisements of various
other companies. All the companies that have placed advertisements on that educational website get
to track the activities of the user by issuing relevant cookies.

Attention is also invited to Recital 30 of the EU’s General Data Protection Regulation (GDPR) which
provides that natural persons may be associated with online identifiers provided by their devices,
applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other
identifiers such as radio frequency identification tags. This may leave traces which, in particular when
combined with unique identifiers and other information received by the servers, may be used to create
profiles of the natural persons and identify them.
