ARTICLE
2 May 2025

Cracking The Cookie Code: Digital Cookies Under The DPDP Act

Samagra Law

Contributor



What Are Cookies and How Do They Shape the Digital Experience?

Internet cookies are files that websites use to obtain information about a user's device and preferences. They help in retrieving the user's preferences, such as login information or previous browsing activity, and are immensely useful in improving the ease of use of digital tools because they enhance navigation and facilitate personalization. For businesses, cookies are also useful in understanding users' behaviour patterns, refining marketing campaigns, and placing ads accordingly. For these reasons, data security and the unauthorized access and use of personal information are rising issues of concern in the use of digital cookies. As a result, regulatory authorities and businesses are taking measures to ensure economic and informational transparency, more robust data protection, and clearer consent regulations so that users retain control over their digital footprints.

Cookies Regulations Around the Globe

Cookies are unique identifiers of internet users and can be used to store and transmit personal information of the users. For this reason, cookies come within the definition of personal information and are subject to foundational data protection principles such as lawfulness and transparency in use, purpose limitation, collection minimization, storage limitation, maintaining the accuracy and integrity of the information, and protecting the privacy of individuals as part of deployment. Hence, several personal data protection legislations around the world apply, either directly or indirectly, to the use of cookies. Some of these legislations make a direct reference to cookies, providing clear directions.

However, not all cookies are essential for the smooth functioning of a website or the delivery of services availed through it; some are optional and used to gather additional data. The most prominent data privacy legislation, the General Data Protection Regulation (GDPR), classifies cookies as essential and non-essential, creating a legitimate use exception for essential cookies and requiring specific consent for the use of non-essential ones. In fact, several data privacy legislations, such as the Brazilian, Chinese and New Zealand laws, require organizations to obtain specific consent for the use of non-essential cookies, a mechanism popularly known in the privacy world as the "opt-in" requirement. Certain legislations, such as the California Consumer Privacy Act and the laws of Australia and Hong Kong, have adopted an "opt-out" approach (i.e., individuals may request to opt out of the sale or further use of their data through a tool or mechanism provided for the purpose) for the use of non-essential cookies. This creates a requirement for businesses to cater to geographically specific cookie banners.

With technological advancement, personal data privacy is taking centre stage, and there may be a surge in cookie-related legislation. Germany's Consent Management Regulations [1] seek to enhance user experience by lowering the number of repetitive cookie banners [2] through centralized consent management. International businesses need to adjust to a developing patchwork of cookie rules that prioritize user preferences, transparency, and permission.

Is Your Cookie Banner Ready for India's New Data Law?

India's Digital Personal Data Protection Act, 2023 (DPDPA) does not directly address the issue of cookies; however, it implicitly governs them through its stipulations regarding consent for data collection and processing. The legislation prescribes that consent should be "free, specific, informed, unconditional, and unambiguous (with a clear affirmative action taken by the data principal)" and must be obtained prior to or at the time of processing of personal data. Hence, the cookie banner will have to identify all purposes for which personal information is being collected, and users should be given an option to make their choices, i.e., an opt-in mechanism should be deployed for non-essential cookies. Essential cookies, such as those indispensable for website functionality, may qualify as "legitimate use" (an exception as per Section 7), meaning that explicit consent may not be requisite for their usage.

Websites and enterprises employing tracking or analytics cookies would be required to establish opt-in consent frameworks under which users give consent through an affirmative action. The opt-in options will have to clearly describe the nature of the information collected and the purpose for which the personal data will be processed, and organizations should ensure that the principles of data privacy are complied with, including those of transparency, data limitation and minimization.

Moreover, consent is valid until the data principal withdraws it, meaning that users should be afforded a straightforward method for retracting consent, thereby obliging companies to ensure that there is a consent management process in place. Consequently, it is anticipated that there will be an escalation in the prevalence of detailed cookie banners and consent management platforms (CMPs) within the Indian context. Another aspect of consent is through consent managers, and it will be interesting to see how the role of consent managers pans out with respect to the use of cookies.

The Draft Digital Personal Data Protection Rules, 2025 further introduce stringent notification obligations [3], thereby also necessitating that businesses furnish a transparent privacy notice that elucidates how cookies gather and process personal data.

A significant concern under the DPDPA pertains to the transnational transfer of data acquired through cookies. In instances where cookies transmit personal data beyond Indian jurisdiction, businesses are mandated to ensure adherence to forthcoming data localization standards and any prospective adequacy criteria prescribed by the Indian government. Non-compliance with the DPDPA may result in substantial penalties, with fines potentially reaching ₹50 crore for inappropriate management of personal data for this purpose [4].

The Road Ahead

To align with these newly instituted regulations, enterprises operating websites within India ought to ensure that the privacy policies on their websites are revised to comply with the new law and disclose the categories of cookies employed, the data they collect, the duration of data retention, and their respective purposes. In addition to the policy, organizations would be required to update the notice to users as mandated and implement a more rigorous cookie consent process that incorporates transparency, specifically for non-essential cookies, while providing clear alternatives for users to either accept or decline them.

Footnotes

1. TDDDG - nichtamtliches Inhaltsverzeichnis. (n.d.). https://www.gesetze-im-internet.de/ttdsg/

2. Kruse, L. (2025, March 18). Will cookie banners disappear in 2025? DWC. https://www.dwc-consult.com/en/blog-post/will-cookie-banners-disappear-in-2025

3. Ministry of Electronics and Information Technology. (2025). Digital Personal Data Protection Rules, 2025. Rule 3.

4. Government of India. (2023). The Digital Personal Data Protection Act, 2023 (No. 22 of 2023), Schedule, pursuant to Section 33(1). Ministry of Electronics and Information Technology. https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
