Taking Control of Cookies under DPDPA

For DPOs in India, one of the grey areas of compliance to be managed is “Cookie Consent”.

Normally the cookies are set by the website, and the website is managed by the IT department. The content on the website is often written by the marketing department and contains company and product promotion information. The marketing department may keep a close watch on the content to ensure the accuracy of product information.

The websites also contain the “Privacy Policy” and “Terms of Use” which are typically managed by the legal department.

In the case of listed companies, a part of the website contains investor information which is mandated by SEBI.

It is a tradition to have the company’s “Privacy Policy” displayed on the website along with the “Terms of Use” and the contact details of the help desk, the Grievance Officer and the DPO or Compliance Officer.

For the public, the website is the first point of contact for knowing the company, and if there is no mention of a DPO, a Compliance Officer or a Grievance Officer, the inference is that the company is not fully compliant.

CISOs recognize that the website is exposed to the public and hence could be a target of cyber attacks, some of which may cause reputational damage through defacement or, more seriously, through malware implanted in the website’s source code. There have been many instances of content being manipulated, images being substituted or invisible spamming activity occurring through hidden pages on the website. Domain name redirections, domain name squatting, etc. are also considered security risks, and hence all pages of the corporate website need to be continuously monitored by the Information Security department for any modification.

The domain name and the website are also considered an important “Financial Asset” of a company and have IPR value. The CFO also has a stake in the brand value of the domain and the value of the content as well as the traffic.

Thus, the website of a company serves many purposes, and there are multiple stakeholders who are responsible for the content and who directly or indirectly create liabilities for the organization.

Governance of a website is therefore an important corporate activity.

However, it is common practice for most companies to register domain names and host the website with an external agency. Many of them use cloud applications managed by different agencies. The hosting companies suggest statistical analysis and profiling of visitors. They also suggest certain monitoring of visitors from the point of view of enhancing the user experience. Additionally, marketing agencies try to use Google Analytics or other services to plant their own trackers and generate insights. With AI in use in the background, we never know exactly how the information of users may be used by these background agencies.

It is in this context that managing “Cookie Consent” assumes importance. If the cookies collect any personal information of the visitors to the website, then the provisions of data protection laws may become applicable. The problem with a website is that anybody in the world, including visitors from the over 140 countries which have specific data protection laws, may visit the website, and the cookies may be collecting various information from them.

Currently DPOs do not consider it essential to treat the web hosting company as a “Data Processor” and to handle the corresponding data protection obligations. If the hosting is outside the country, there may also be a “Cross Border Data Transfer” issue to be resolved.

It is time for DPOs to get details of the cookies, including what data each cookie collects, how long the information is stored and what the purpose of each data element collected is.

If a cookie is tagged as “Essential” or “Functional”, there is no need for it to be a persistent cookie, nor for it to hold personal information such as the email address or name of the person, even if that is available at login. Every cookie that collects personal information is essentially a profiling tool. The profiling itself may have a “Security Purpose” or a “Marketing Purpose”. Security may be considered a legitimate purpose, but marketing may not be.

Hence consent management has to understand and distinguish the type of data each cookie collects and display it on the website, and not restrict the cookie information to the name of the cookie and its classification as “Analytical”, “Marketing” or “Functional”.

DPOs need to take control of the cookies: “No cookie should be installed on the website without the specific permission of the DPO”. If there is any profiling of visitors, it has to have a proper legal basis, with consent for marketing. Security profiling of visitors may be considered a “Legitimate Use”, but it has to be ensured that security profiling is not converted into marketing profiling, either through ignorance or by design.

I recall my own experience captured in the article “Union Bank and RSA Fiasco”, where I have highlighted that “Security Scanning” may be misunderstood if the security team is blindly following automated systems of profiling.

I therefore urge DPOs to start exercising greater control over web hosting and the planting of cookies, and to obtain cookie consents as part of their compliance exercise. The current method of cookie consent followed under the GDPR regime, which simply asks for consent on the basis of a declaration such as “Accept All Cookies” or “Accept Functional Cookies only”, is insufficient. The cookie consent has to list each cookie, indicate the data elements collected, the purpose of collection and the retention period, and obtain consent in a more informed manner.

Comments are welcome.

Naavi

Posted in Cyber Law

The D-Day

This is just to record the night of 21/22 June 2025 (IST) as an important day for our generation, when we might have seen the closest thing to a World War 3 scenario.

India successfully conducted the Sindhur operations a few weeks ago and hit Pakistani nuclear facilities significantly. But inside these facilities the US was hurt and moved in to force a ceasefire before the final assault.

In Iran, however, the same USA has moved in to neutralize the nuclear capabilities of Iran. Though the blow could be crippling, the counter-action could create a lot of problems for the US in the form of terrorist attacks, the way India has been bled for decades by Pakistan.

Neutralization or debilitation of terrorist forces anywhere in the world is welcome, and as responsible global citizens we need to take note of this day as one of the most important days of our life.

Naavi

Posted in Cyber Law

Free DPDPA Evaluation for Select Companies

DPDPA compliance is a complex process which requires discovery of the personal data to which the Act applies, classifying it appropriately, understanding how the different sections of the Act apply to that data, determining what risks of non-compliance exist, and deciding what governance and technical measures are to be initiated to mitigate those risks.

Many companies might have already initiated some measures in this regard. Many others are developing products and services to assist companies with compliance.

In this scenario, FDPPI, as the apex organization promoting DPDPA compliance, has initiated a project to provide one free assessment of DPDPA compliance for a company in India per week (till the scheme is withdrawn at its discretion).

The assessment requires one online session of around 90-120 minutes with the DPO or an equivalent senior management person, who may be assisted by others in the company. During the session, Naavi will conduct an online evaluation interview with appropriate questions and record the answers.

Based on the answers provided, an evaluation report will be issued.

The evaluation will be based on the DGPSI system used by FDPPI.

There are no strings attached to this free offer, which is a near substitute for a gap assessment that would normally cost a few lakhs for any company.

The offer is based on requests received, on a first come first served basis. Once requests are received, the interviews will be scheduled appropriately. Initially around 12 bookings will be accepted for the next 3 months, after which a decision will be taken on its continuance.

We invite interested DPOs to contact Naavi through email. Kindly use the subject line “Free DPDPA Assessment”.

Naavi

P.S.: I have received a query about why FDPPI is giving this assessment free, even if it is for one company per week.

I would like to state that there are three objectives.

  1. To remove the fear about DPDPA compliance.
  2. To prevent companies being misled.
  3. To provide an indication of cyber insurance readiness for DPDPA risk.

Naavi

Posted in Cyber Law

Name “Air India” attracts Risks of its own

The Air India crash has the distinct signature of what experts call a near-improbable total failure of both engines. However, this also significantly increases the possibility of “Electronic Sabotage”, which could have caused the fuel cut-off or hydraulic failure that the experts indicate as a possible cause.

Though Air India is no longer a national carrier and is as much private as any other airline, the perception is that its reputation, good or bad, is linked to the reputation of India. Hence the enemies of India, both within the country and outside, target the airline to indirectly bring down the reputation of India. Air India therefore faces an “Enemy Risk” which other airlines do not face.

Since today’s aircraft are all controlled by electronics, the safety of the aircraft depends very much on the safety of the electronic systems, just as with controlling a large computer network. It appears that there needs to be a CISO for every aircraft.

The more we think of Air India as the nation’s pride, the more attention we would attract from Pakistani terrorists.

One of the risk management strategies for the airline now is to change its name, though it would be a sad decision to take.

Naavi

Posted in Cyber Law

Valuation of Data upheld by a Court

In an interesting decision of the UP State Consumer Disputes Redressal Commission, WhatsApp has been considered a “Paid Service”, with the payment having been received in the form of the personal data shared by the account holder.

(Refer: article on the420.in)

Naavi has been advocating “Data Valuation” as one of the essential features of data management in a company, and valuing data and disclosing that value is a recommended procedure under the DGPSI (Data Governance and Protection Standard of India) framework of compliance.

The exact value of the data may be under dispute, but the fact that data has a value is indisputable. In this case, the value of the data has not been specified in rupee terms, but whatever benefit WhatsApp derived is to be treated as the consideration passed.

Hope Income Tax and GST are not applicable!

Naavi

Posted in Cyber Law

Is Ahmedabad Crash an act of hacking?

For a long time there has been a discussion on whether the computer systems of an aircraft can be manipulated through external interference.

The tragic Ahmedabad plane crash will revive this discussion, since there are certain indications of the possibility of such sabotage.

Apart from the social media watchers who are surfacing some earlier X posts to suggest a terror plan, astrological analysis of the event also indicates the possibility of sabotage.

It is time the technical concerns, media concerns and astrological concerns were all put to the test in the investigation of the crash.

Let us watch the developments.

Naavi

Posted in Cyber Law