The Changing Landscape of Cookie Laws in APAC
How are Cookie laws changing in APAC?
We recently covered the move away from the use of third-party tracking cookies (in our article on how cookies are losing their flavour). Big tech companies, including Google, Facebook, and Apple, are already contemplating how they will adapt to a world without third-party cookies – and regulators are increasingly turning their head to the issue, too.
Traditionally, in the absence of cookie-specific laws, privacy laws will cover the use of cookies if the information being collected comes within the definition of ‘personal information’ in the particular privacy laws. For example, tracking cookies may collect information about a data subject’s location and age, amongst other things, that can be used to identify individual users. Local privacy laws will apply to the collection and use of that information if it is considered ‘personal information’ or otherwise covered by those laws.
In the EU, the use of cookies has been covered by regulation known as the ePrivacy Directive, which applies to the actual cookie use, rather than just the information collected. This has clarified some of the uncertainty around the application of privacy laws to cookie usage. The ePrivacy Directive has had a significant impact on the use of cookies and is one of the main drivers for the move away from the use of cookies by big tech companies.
In the Asia Pacific region, some regulators are now joining the game, turning their attention to cookies, introducing changes specifically directed at certain cookies and making their use more difficult. However, this is not uniform and for many jurisdictions, cookies still need to be considered under general privacy regulation.
Here’s an overview of the privacy landscape, as it relates to the use of cookies, in some APAC countries:
Cookie laws in Australia
Australian privacy law does not include any specific regulation of cookies.
If the information collected is ‘personal information’ as defined in the Privacy Act 1988, the requirement is to provide notice when you collect the personal information which covers how you will use and disclose it. For many sites, this might mean a simple statement that the cookies are used to improve the user experience, with a link to the privacy policy page which should contain more information about the use and disclosure of information collected via cookies.
In October 2021, the Federal Government released a discussion paper covering many possible changes to the Privacy Act which included a proposal to clarify that the definition of personal information captures technical data and other online identifiers, including cookies[1]. If converted into regulation, it will clarify the application of the Privacy Act to cookies in Australia without lifting the bar for their use.
Cookie laws in Singapore
Currently under Singapore’s Personal Data Protection Act, there are no specific requirements relating to cookies. However, an organisation is obliged to comply with the PDPA if it engages in the collection, use or disclosure of personal data – including online.
Cookies probably fall under the general obligations of the PDPA since it defines personal data very broadly. If the PDPA does apply, an organization must think about obtaining consent before use of any cookies that collect personal information from individual.
The position in Singapore was further clarified by (nonbinding) revised Advisory Guidelines on Key Concepts in the PDPA on 1 October 2021, published by the Personal Data Protection Commission. The revised guidelines provide that consent is required by organisation’s before they use cookies while also advising organisations to provide a reasonable period for the individual to opt-out before it proceeds to collect, use, or disclose the personal data.
Cookie laws in China
In August 2021, the People’s Republic of China enacted a sweeping national data privacy law, the Personal Information Privacy Law (PIPL. The law will come into effect on November 1.
While there is no specific mention of cookies in the PIPL, it does cover the collection, use, storage, retention, and deletion of personal information. If the information captured by the cookies used comes within the definition of personal information then the PIPL may cover that collection. If the PIPL applies, companies which use cookies to collect information on citizens and residents of China should obtain adequate consent from data subjects before processing their personal information via tracking cookies.
We covered the PIPL here. You can read more about the PIPL here.
Cookie laws in India
Currently, there are no specific laws or regulations in India on the use of cookies. India does not recognise the use of cookies as triggering protections offered by the Information Technology Act 2000.
Although privacy has been recognised as a constitutional right in India, India does not (yet) have an all-encompassing data privacy law. Instead, citizens and residents of India rely on the limited protections offered by the Information Technology Act 2000. The Act does not require Indian companies, or foreign companies collecting data from data subjects in India, to provide users with control over their data. Instead, it simply requires businesses to disclose their sensitive personal information collection, usage, and storage practices on their website via a privacy policy and terms of conditions
However, India is in the process of developing and enacting a comprehensive national privacy law which is expected to be passed in either 2021 or 2o22. The drafting process has taken over three years but is widely anticipated to be finalised shortly. It is also widely anticipated that India will enact legislation pertaining to non-personal data, which may specifically regulate the use of cookies.
Cookie laws in South Korea
South Korea’s Personal Information Protection Act 2011 (PIPA) is a national comprehensive privacy law – and one of the strictest privacy regimes in the world. In South Korea, cookies are considered to be personal information where they may enable the identification of a specific individual person, including when the information is combined with other information. If the cookie contains personal information, then consent must be obtained.
South Korea’s PIPA gives data subjects GDPR-like rights over their personal information once it is collected by a business. These rights must be disclosed to data subjects via a public privacy, which might include disclosure of the use of cookies.
You can read more about the rights here and here.
Cookie laws in Japan
Japan’s national privacy law, the Act on the Protection of Personal Information (APPI), governs the handling of personal information in Japan and extraterritorially. Cookies are not directly regulated under the APPI, however any personal data collected by an organisation (including through cookies) is covered.
Notably, if the information obtained through the use of cookies:
- makes it possible for an organisation to identify a data subject when the information collected can be easily referenced to other accessible information, such as a membership or registration, and
- is used by the organisation;
then the use of cookies must be disclosed via the organisation’s privacy notice (showing the purpose of use) under the APPI.
The APPI is subject to review every three years and was amended in 2020 following the triennial review. While it is yet to be confirmed, it is likely that consent will be required in the future in circumstances where online identifiers (including cookies):
- are provided to third parties, and
- the third party may identify an individual based on the information provided to them.
These requirements are stricter than the existing law.
It is worth noting that the Japan amendments are directed at third party cookies, where information will be shared with third parties (typically for analytics and marketing purposes).
The amended APPI will come into force on 22 of April 2022. You can read more here.
Disclaimer
This blog contains general information. Although every effort has been made to ensure accuracy it should not be relied on as legal advice.
October 2021
[1] https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/ at 26.