Protecting Personal Data in the Age of Essential and Optional Cookies

September 14, 2022


Internet users believe that their online actions are being watched every day for various reasons. We often notice that advertisements for a product that we searched for via a search engine the day before appear on our web browser or social media platforms the next day. Similarly, when we visit a website more than once, we can see that our information has been automatically saved or that our last visit to the website has been recorded.

We continue to use the Internet without reading what is stated in the pop-up windows appearing on the websites and blindly agree to the terms therein. These pop-ups, commonly known as cookie policies, frequently offer information on how our data and interests are gathered and utilised through cookies for us to make better use of these websites.


Cookies, which are incorporated on any website, are basic text files that a website’s server stores on our computer or mobile device, and only that server may retrieve or read the contents of that cookie. Each cookie is specific to its browser and will include some anonymous data such as a unique identity, the website name, and certain numbers. It enables a website to remember things like our preferences or the last time the website was visited.

Although the information acquired and used by various types of cookies may differ, the operating concept of all cookies remains the same. When a user initially logs in to a website, the Internet server generates a user-specific and unique identity. This identification is saved on the mobile device or computer that the browser is running on, and when the user returns to the website, the browser sends a cookie to the server, enabling the webpage to remember the user. Cookies, in reality, serve as a type of Internet memory that runs across protocols that allow data to flow.


Cookies can be used for a wide variety of purposes, such as allowing us to proceed with the information from the previous page on a website, remembering our login details, such as the password, user name, and preferences, and presenting content and advertisements that are relevant to our needs and preferences. To accomplish these goals, several kinds of cookies are employed.

First-party cookies are those generated by the website we are visiting, while third-party cookies are made and stored on our device by various Internet providers on the website we are visiting. These third-party cookies are commonly found on many websites and are widely regarded as the most unwanted cookies, with the fear that they may pose privacy and security problems by developing a behavioural profile based on our browsing history and the content browsed.

As previously stated, online platforms and businesses employ numerous tactics to collect information, which they then combine with additional information to profile consumers for behavioural targeting. The present cookie usage explains why customers should be concerned about their privacy being violated.

Cookies as a Hindrance to our Security

Cookies have security consequences, and some websites rely on them to implement access control schemes. A website that requires users to log in may place cookies in the browser with the login details or even the session data. Such placement of cookies may cause problems if the machine is shared by several users.

This sort of technology may be prone to misuse by unscrupulous third parties if not built appropriately. It is true that a packet sniffer application may intercept cookies as they are delivered from the browser to the server and get access to the relevant website that provided the cookies.

Since the Domain Name System (hereinafter referred to as “DNS”) is needed to detect whether cookies are associated with a certain server, it may be feasible to trick the browser into sending cookies to a server by momentarily manipulating the DNS. The breach of user login details is a major privacy infringement, as well as a major security risk.

Certain Online Transaction Processing Systems (hereinafter referred to as “OLTP”) that employ cookies should be very cautious in ensuring safety and privacy for the system’s users, as the preceding situation is possible, and the users would never allow a security breach. Unlawful transactions that occur as a result may lead to financial losses as well as consumer discontent.
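One way to check for the exposures described in this section, as an added example that is not part of the original article: a small Node.js audit of `Set-Cookie` headers. The header strings, cookie names and finding labels are constructed for illustration.

```javascript
// Added example (not from the original article): flag Set-Cookie headers
// that leave a login or session cookie exposed to the risks described above.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no name=value pair: RFC 6265 says to ignore it
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

function auditCookie(header) {
  const cookie = parseSetCookie(header);
  if (!cookie) return { name: null, findings: ["unparseable"] };
  const { name, attrs } = cookie;
  const findings = [];
  // Without Secure the cookie also travels over plain HTTP, where a packet
  // sniffer can read it. Secure limits it to TLS, which a server reached
  // through manipulated DNS cannot complete without a valid certificate.
  if (!attrs.secure) findings.push("missing-secure");
  // Without HttpOnly, script running in the page can read the cookie.
  if (!attrs.httponly) findings.push("missing-httponly");
  // Without SameSite, cross-site sending depends on browser defaults.
  if (!attrs.samesite) findings.push("missing-samesite");
  // A Domain attribute makes the browser send the cookie to every
  // subdomain as well, so any host under that name receives it.
  if (attrs.domain) findings.push("domain-wide-scope");
  // Max-Age or Expires keeps the cookie on disk after the browser closes,
  // which matters on a machine shared by several users.
  if (attrs["max-age"] || attrs.expires) findings.push("persistent");
  return { name, findings };
}

// Constructed sample headers (example.test is a placeholder domain).
const SAMPLE_HEADERS = [
  "sid=abc123; Path=/",
  "sid=abc123; Domain=example.test; Max-Age=31536000; Path=/",
  "__Host-sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
];

for (const h of SAMPLE_HEADERS) {
  const { name, findings } = auditCookie(h);
  console.log(name, findings.length ? findings.join(", ") : "ok");
}
```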

According to the General Data Protection Regulation (hereinafter referred to as “GDPR”) and the Directive 2002/58/EC on Privacy in Electronic Communications, the data gathered by cookies is deemed to be personal data to the extent that the relevant data permits the identification of a natural person. Companies or individuals who provide services via an online platform and use cookies on this platform should thoroughly examine the data gathered by the cookies used and obtain the consent of the related persons if they use the cookies to collect personal data.


Cookies are considered a method of acquiring personal data and are subject to the GDPR’s broad criteria governing the storage and processing of personal data. As a result, cookies used to collect data for analytics, advertising, and functional services such as chats and surveys must adhere to personal data standards.

Companies and businesses which fall under the jurisdiction of GDPR must satisfy the following standards in order to utilise cookies and comply with the GDPR:

  • Data subjects must have a choice: Simply using a website does not imply that they must accept all cookies. Data subjects should be able to accept or deny certain cookies, depending on the kind of data that the cookies retain. Furthermore, consent for these cookies cannot be combined with consent for other objectives or processing activities, such as grouping cookie consent with a privacy policy or combining functional cookies with advertising cookies.
  • Consent must be demonstrated by a clear affirmative action: Clicking an opt-in box, pressing an accept button, or selecting particular settings from a drop-down menu falls within the ambit of such action. Pre-ticked boxes on permission forms are not permitted and can result in severe fines.
  • Data subjects who refuse cookies must nevertheless have full access to the website: A webpage owner is not permitted to limit the services or functionality available to the visitors who do not wish to get their information monitored.
  • Data subjects must have the ability to opt-out: Data users must be able to withdraw their consent as readily as they gave it in the first place. With cookies, this should mean that data users can withdraw consent by performing the same activity they performed to provide consent.
  • Consent must be freely provided, explicit, informed, and unambiguous: Transparency is one of the GDPR’s most important purposes, so fully describing what information is gathered and how that information is shared is critical.
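A minimal model of the consent rules listed above, as an added example that is not part of the original article. The category names, action labels and function names are hypothetical, and treating "essential" cookies as exempt from consent is an assumption taken from the title's essential/optional distinction.

```javascript
// Added example (not from the original article): a per-category consent
// record that gates which cookies a site may store.
const OPTIONAL_CATEGORIES = ["functional", "analytics", "advertising"];
// Hypothetical labels for the affirmative actions the list names.
const AFFIRMATIVE_ACTIONS = ["checkbox-click", "accept-button", "settings-select"];

function newConsentRecord() {
  // No pre-ticked boxes: every optional category starts as not granted.
  const choices = Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false]));
  return { choices, log: [] };
}

function setConsent(record, category, granted, action, now = new Date()) {
  // One category per call, so consent cannot be bundled across purposes.
  if (!OPTIONAL_CATEGORIES.includes(category)) {
    throw new Error(`unknown category: ${category}`);
  }
  // Granting needs a clear affirmative action; scrolling or merely
  // continuing to browse does not count. Withdrawal uses the same call.
  if (granted && !AFFIRMATIVE_ACTIONS.includes(action)) {
    throw new Error("granting consent requires an affirmative user action");
  }
  record.choices[category] = granted;
  // The log is what lets the site demonstrate when consent was given.
  record.log.push({ category, granted, action, at: now.toISOString() });
  return record;
}

function allowedCookies(record, cookies) {
  // Assumption: essential cookies need no consent; the rest need an opt-in.
  return cookies
    .filter((c) => c.category === "essential" || record.choices[c.category] === true)
    .map((c) => c.name);
}

// Constructed cookie inventory for the demonstration.
const SITE_COOKIES = [
  { name: "session", category: "essential" },
  { name: "chat_prefs", category: "functional" },
  { name: "visit_stats", category: "analytics" },
  { name: "ad_profile", category: "advertising" },
];

const demo = newConsentRecord();
console.log(allowedCookies(demo, SITE_COOKIES)); // before any choice
setConsent(demo, "analytics", true, "accept-button");
console.log(allowedCookies(demo, SITE_COOKIES)); // after analytics opt-in
```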


The majority of Internet users are still uninformed about cookie technology and the potential consequences of its functioning. A large section of people are unaware that websites and marketers may follow their online habits by implementing cookies on their computers.

One of the most important criteria of data privacy regulation is that individuals understand how information gathered about them will be handled. The use of online data must be adequately represented in the privacy policies and cookie policies of the websites. Online platforms should practise openness and ensure user confidence and credibility.

Customers still desire customisation, despite increased consumer privacy standards, which means businesses must verify that the data they utilise is clean and correct. One approach to maintain this fragile balance is to employ cookies that retain information and give consent preferences, but third-party cookies are expected to become obsolete in the coming years, considering the rising data privacy concerns.

-Team AMLEGALS, assisted by Ms. Devanshi Jain (Intern)
