The Advertising Standards Council of India (ASCI) has released a pivotal white paper titled Navigating Cookies – Recalibrating Your Cookie Strategy in Light of the DPDPA aimed at guiding businesses in India on the treatment of cookies under the new Digital Personal Data Protection Act, 2023 (DPDPA), and the upcoming Digital Personal Data Protection Rules, 2025 (Draft DPDP Rules).

This white paper offers crucial insights into how advertisers can adapt their practices to comply with the evolving data protection landscape while continuing to optimise their use of cookies for targeted advertising, behavioural tracking, and personalised content delivery. ASCI’s guidance presents a clear pathway for businesses to meet the requirements of consent under the DPDPA and introduces best practices for cookie management.

Cookies, in the context of digital advertising, are small text files placed on a user’s device during their online browsing session. These files collect and store personal information, preferences, and browsing history, which advertisers use to tailor advertisements, track user activities, and deliver personalised content. The white paper categorises cookies into six primary types: essential cookies, performance/analytics cookies, functionality cookies, targeting/advertising cookies, social media cookies, and security cookies. Each type serves a distinct function, from ensuring basic website functions to enhancing user experience and personalising advertising.

While these cookies provide valuable benefits to businesses, they also raise concerns regarding user privacy, prompting the need for robust consent mechanisms that have become a focal point of global data protection regulations.

Drawing comparisons with international laws such as the European Union’s General Data Protection Regulation (GDPR), the white paper underscores the importance of obtaining granular, informed, and unambiguous consent from users before deploying cookies that collect personal data. The GDPR mandates clear and detailed cookie consent mechanisms, allowing users to make individual choices regarding each cookie’s purpose. ASCI’s white paper mirrors this approach, emphasising that cookie consent in India should be equally specific, offering users transparency about what data is being collected and for which purpose.

The white paper explores cookie consent practices followed in various jurisdictions, providing a comparative analysis of global standards. For instance, the EU’s e-Privacy Directive sets clear guidelines for cookie consent, including the requirement for users to be informed about the purpose and nature of the cookies being used and to have an option to refuse cookies entirely. It also highlights the trend in European countries, such as Italy and France, where scrolling does not amount to consent, and where cookie walls (which force users to accept cookies to access website content) are prohibited. Additionally, countries like Spain and Luxembourg have specific regulations on cookie duration, with limits on how long cookies can persist on users’ devices. In other regions, such as Canada and California, users are granted additional rights to delete, correct, and access their data, further complicating the cookie consent process for businesses operating globally.

A call for clarity

In India, however, the absence of a specific law governing cookies makes it imperative for advertisers to adhere to the DPDPA's consent requirements. The white paper outlines how websites in India will need to provide clear notices to users about the personal data being collected and obtain explicit consent before cookies are deployed. However, there are certain gaps in current cookie consent practices in India. Based on an analysis of various websites across multiple sectors, it was found that many websites failed to display adequate cookie consent banners, and those that did lacked clear opt-out options and transparency. In many cases, users were presented with vague, non-granular consent choices, such as an “accept all” button, without any means to reject or customise preferences. This failure to adopt best practices can be detrimental not only from a compliance perspective but also in terms of user trust. ASCI recommends adopting more user-friendly designs for cookie consent banners, ensuring that these banners are not only clear but also offer granular choices for users to manage their cookie preferences effectively.

To help businesses comply with these regulations, the white paper suggests creating a “Cookie Preference Centre” on websites, which would enable users to grant or withdraw consent and manage cookie preferences in an organised, user-friendly interface. It also recommends leveraging automation tools to ensure that cookie banners remain compliant with region-specific regulations and that cookies are regularly audited and categorised.

While offering practical recommendations for improving cookie management and user control, the white paper also underscores the need for ongoing regulatory guidance as India’s data protection laws continue to evolve.

(The writer is a data privacy and technology lawyer)

Disclaimer: The views expressed above are the author's own. They do not necessarily reflect the views of DH.