• Essential/strictly necessary cookies that are fundamental for websites’ functioning and enable basic features.
• Performance/Analytics cookies that collect anonymised data on how users interact with a website to help optimise performance.
• Functionality cookies that store user preferences and settings to improve user experience.
• Targeting/Advertising cookies that track user activity to deliver personalised advertisements.
• Social media cookies that are developed by social media platforms to track user activity, recommend content, and track interactions for analytics and advertising.
• Security cookies that protect user accounts by preventing fraudulent access and identifying traffic.

• EU GDPR: While the GDPR does not specifically address cookie consent management, it mentions how online identifiers such as IP addresses and cookie identifiers, combined with other information received by the servers can be used to create profiles of persons and identify them. Further Directive 2002/58/EC or the “e-Privacy Directive” provides key principles for cookie consent management including, informing the user about the purpose and nature of information stored, methods to give/refuse consent, providing an opportunity to refuse cookies, and conditional access to website content if cookies can justify legitimate purpose.

  The Whitepaper also discusses how GDPR requires consent to be granular to allow users to give consent for each purpose instead of bundled permissions. The Whitepaper suggests that this can be achieved through detailed cookie banners, granular opt-ins and providing easy, straightforward and readily accessible mechanisms to withdraw consent.

• Specific European countries: In addition to discussing the GDPR, the Whitepaper also mentions the cookie consent practices followed in specific countries such as scrolling not amounting to consent in Italy, prohibition on cookie walls and offering alternatives in France, emphasising user control within 24-month interval and limiting persistent cookies to 12 months in Spain and Luxembourg respectively.
• Canada: As per the Whitepaper, Canada requires organisations to provide options to withdraw consent.
• UK GDPR: The UK GDPR requires obtaining explicit consent and providing the option to periodically renew the consent preferences.
• California: Lastly, California laws require providing the rights to know, delete and correct data.

In light of these gaps, the ASCI suggests implementing transparent and user-friendly cookie consent banners, clear opt-out mechanisms for non-essential cookies, and providing granular consent options to enable users to manage their cookie choices.

To comply with the DPDPA, websites will be required to provide notice prior to/along with the request for consent informing the users about the personal data being collected and the purpose for collecting the same, among other things. The websites will also have to obtain consent that is free, specific, informed, unconditional, and unambiguous, signifying an agreement for processing personal data for a specific purpose, and being limited to that specific purpose.

The Whitepaper states that the requirement of obtaining ‘specific’ consent under the DPDPA is comparable to the requirement of granular consent under the GDPR. It also briefly analyses the impact of the DPDPA on various industries, namely, e-commerce, social media platforms, tech and SAAS companies, digital advertising and marketing, healthcare, and finance. To comply with the DPDPA, the Whitepaper proposes that these industries consider inter alia redesigning their cookie management practices and user interfaces to provide clear information on the purpose of each cookie and the data being processed and allow users to make granular choices.

• Dark patterns: The Whitepaper discusses how dark patterns can appear in cookie consent banners in the form of visually biased displays such as making the “accept all” button brighter and more accessible, using larger fonts and high contrast colours, use of pre-selected checkboxes etc.
• Consent or Pay model: Websites also use the “consent or pay model”, which creates a cookie wall and forces users to either accept all the cookies being shared through the consent option or pay a subscription fee to ensure that the data is not being shared with third parties. As per the Whitepaper, not providing a “reject all cookies” option even under the pay option would create issues from providing a meaningful and granular consent perspective.
• Consumer protection: While the Consumer Protection Act, 2019 (“CPA”) does not specifically govern the use of cookies, it places obligations on advertisers to ensure transparency and fairness in advertising and marketing. Particularly, the CPA considers disclosure of personal information (which was shared in confidence) without obtaining consent as unfair trade practice. To ensure compliance with the CPA, the Whitepaper suggests that cookie banners clearly articulate the type of data being collected, purpose of collection, disclosure with third parties for personalised advertising, use of simple and easily understandable language, providing unambiguous options for providing/withdrawing consent, and disclosing how the data will be used and managed.

• Providing a clear cookie consent banner with the options to accept, reject, and customise preferences
• Classifying cookies to allow users to make informed choices
• Conducting regular audits and removing outdated cookies
• Legal scrutiny of tracking and storage of content
• Providing clear options to withdraw and modify consent
• Providing detailed privacy policy outlining the practices pertaining to data collection, data usage and user rights.

• The Whitepaper suggests using a “Cookie Preference Center” which is a website tool that allows users to grant or withdraw consent and manage their cookie preferences ensuring compliance with data protection regulations.
• Creating an effective cookie policy providing details of the technical specifications, consent management, information transparency, and user control interface has also been suggested.
• Practices of implied consent, concealing consent options, use of non-compliance dark patterns and neglecting third-party cookies should be avoided.
• Automation tools that inter alia automatically adapt cookie banners to comply with region-specific regulations, regularly scan websites and categorise cookies, maintain a centralised database of user consent, and keep cookie banners and policies updated with regulatory changes should be leveraged.