Cookie Consent Obligations.
Cookies are small pieces of data stored on a user’s device by websites to remember preferences, track activity, or serve targeted ads.
The legal issue arises because cookies often involve personal data, making their collection subject to privacy and data protection laws.
1. Legal Principles
Cookie consent obligations are based on three core principles:
Informed consent
Users must be informed about the types of cookies used (functional, analytical, advertising).
Users must understand the purpose and consequences.
Opt-in consent
Cookies cannot be placed before consent (except strictly necessary cookies).
Pre-ticked boxes are invalid under most laws.
Transparency and accountability
Websites must provide clear cookie policies.
Users must be able to withdraw consent at any time.
2. Indian Legal Framework
Though India does not yet have cookie-specific legislation, obligations fall under:
Information Technology (IT) Act, 2000
Section 43A: Reasonable security practices for personal data.
Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011
Consent required for processing sensitive personal data, including online tracking.
Personal Data Protection Act, 2023 (PDPA)
Explicit consent required for personal data processing, including cookies.
Website operators must provide purpose, duration, and withdrawal mechanism.
Consumer Protection Act, 2019
Misleading or opaque cookie practices may constitute unfair trade practices.
3. Key International Principles
Since most cookie regulation is derived from the EU GDPR and the ePrivacy Directive, Indian websites targeting global users often follow these:
| Rule | Requirement |
|---|---|
| Explicit opt-in | No cookies without consent (except strictly necessary) |
| Granular control | Users can accept/reject categories (functional, analytics, advertising) |
| Informative notice | Clear information about cookie use |
| Withdrawal | Easy to withdraw consent anytime |
| Data minimization | Only collect necessary cookies |
4. Types of Cookies & Obligations
| Cookie Type | Consent Required? | Notes |
|---|---|---|
| Strictly necessary | No | Needed for website operation |
| Functional | Yes | Saves preferences/settings |
| Analytics | Yes | Tracks user behavior |
| Advertising/targeting | Yes | Personal data processed, highest scrutiny |
| Third-party cookies | Yes | Often involve cross-site tracking |
5. Key Case Laws
Even though India has limited cookie-specific cases, principles are drawn from privacy, consent, and EU precedents:
1. Justice K.S. Puttaswamy v. Union of India (2017, SC India)
Principle: Right to privacy is fundamental; online tracking requires consent.
Basis for cookie consent obligations under PDPA.
2. Google Spain SL v. Agencia Española de Protección de Datos (2014, EU CJEU)
Principle: “Right to be forgotten” linked to personal data processing; cookies storing identifiable info need consent.
3. Planet49 GmbH v. Bundesverband der Verbraucherzentralen eV (2019, CJEU)
Principle: Pre-ticked boxes for cookie consent are invalid; explicit opt-in required.
4. Fashion ID GmbH v. Verbraucherzentrale NRW (2019, CJEU)
Principle: Website operators jointly responsible with third-party trackers for consent and data processing.
5. Schrems II – Facebook & Data Transfers (2020, CJEU)
Principle: Cross-border data collected via cookies must comply with GDPR; no implicit consent.
6. In re: TikTok (2020, US FTC)
Principle: Tracking children’s data via cookies without parental consent violates COPPA; highlights extra restrictions for minors.
7. WhatsApp Privacy Policy Case (India, 2021, Delhi HC)
Principle: Users must consent to collection of metadata and tracking; implicit collection invalid.
6. Compliance Best Practices
Cookie banner / pop-up
Clearly inform users and obtain opt-in.
Granular consent
Users should choose categories of cookies.
Policy accessibility
Easy-to-understand cookie policy page.
Consent logging
Maintain records of who consented, when, and for which cookies.
Withdrawal option
Provide a one-click mechanism to withdraw consent.
Third-party cookies
Ensure consent covers all trackers embedded by third parties.
7. Common Pitfalls
❌ Pre-ticked consent boxes
❌ Vague cookie policies
❌ Failure to disclose third-party trackers
❌ Ignoring withdrawal requests
❌ Collecting sensitive data without explicit consent
8. Enforcement
| Authority | Powers |
|---|---|
| Data Protection Authority (India) | Can fine or order compliance under PDPA |
| Consumer Protection Authority | Unfair trade practice enforcement |
| International regulators (EU, US) | Fines for global operations; GDPR / CCPA / COPPA compliance |
| Courts | Injunctions, damages, compliance orders |
9. Core Legal Position
Cookie consent is a legal requirement when cookies process personal or sensitive data, requiring informed, explicit, and revocable consent, with additional scrutiny for children, advertising, and third-party tracking.
One-Line Summary
Websites and digital platforms must obtain explicit, informed, and revocable cookie consent before placing non-essential cookies, ensuring compliance with privacy laws, consumer protection norms, and global data standards.