



Explore the key implications of India's DPDPA 2023, focusing on cookie consent requirements, its impact on businesses, and the need for explicit user consent. Learn the essentials of the law and how to ensure compliance for data processing under the DPDPA.
The 2023 India Digital Personal Data Protection Act (DPDPA) requires businesses to collect explicit user consent for the use of cookies and for other types of data processing.
Once the relevant provisions of the Act are notified into force, businesses will no longer be able to use cookies freely to collect website visitors' personal data for processing. The DPDPA is a comprehensive data protection law that significantly changes the privacy regulatory landscape in India, imposes substantial new obligations on businesses, and backs them with penalties for non-compliance.
The cookie consent requirement is among the most important changes the law brings for businesses operating in India. If you operate there, or target Indian users, this article will help you understand what is required of you.
Consent is one of the legal bases for data processing under the DPDPA (the other, "certain legitimate uses" in Section 7, is narrow and does not cover analytics or advertising). When it comes to cookies that process personal data, consent is therefore in practice the only legal basis you can use.
Website operators, known as data fiduciaries under the law, can use cookies for the processing of personal data only if the user agrees with that.
The law relies on the opt-in principle: the website must not set or read non-essential cookies before the visitor has given consent through a clear affirmative action. Pre-ticked boxes, implied consent from continued browsing, and cookies dropped while the banner is still on screen do not meet that bar.
Cookies are small pieces of data that a website stores in the visitor's browser, either through the Set-Cookie response header or from JavaScript. The browser sends them back on later requests to the same site, which is what lets a site recognise a returning visitor or attach a persistent identifier to their activity.
Sometimes such data is personal data. That is where data protection laws such as the DPDPA are triggered.
The most common examples include Google Analytics cookies, cookies remembering your website preferences, cookies remembering your shopping cart, advertising cookies, and others.
The India Digital Personal Data Protection Act (DPDPA) 2023 is a comprehensive data protection law that regulates the processing of personal data in India. It is the first comprehensive data protection law in India, and it is based on the principles of fairness, transparency, and accountability.
The DPDPA applies to organizations that process digital personal data in India, regardless of size or location. It also applies to organizations outside India if their processing is connected with offering goods or services to data principals in India.
The DPDPA requires organizations to obtain consent from individuals before collecting or processing their personal data, except where one of the Act's limited "legitimate uses" applies. Individuals (data principals) have the right to access information about how their data is processed, to have it corrected, completed, updated or erased, to grievance redressal, and to nominate another person to exercise these rights on their behalf. They can also withdraw consent at any time. Unlike the GDPR, the Act does not provide a general right to object to processing or a right to data portability.
The DPDPA establishes the Data Protection Board of India to oversee the implementation and enforcement of the law. The Board has the power to inquire into complaints, issue directions, and impose monetary penalties for violations of the law.
The DPDPA is still in its early stages of implementation, but it is expected to have a significant impact on the way that organizations collect and process personal data in India.
Here are some of the key features of the DPDPA:
The Indian data protection law also introduces the concept of a significant data fiduciary. This is defined as "any data fiduciary or class of data fiduciaries as may be notified by the Central Government under Section 10." The government has not yet announced which companies will be considered significant data fiduciaries, but these are likely to be large companies that process vast amounts of personal data. In GDPR terms, a data fiduciary is roughly the data controller (and a data processor is the processor); a significant data fiduciary is a notified subclass of fiduciaries that carries additional obligations, such as appointing a data protection officer based in India and an independent data auditor.
The DPDPA is a significant development for data protection in India. It is expected to have a positive impact on the privacy rights of individuals and to help build trust in the digital economy.
To obtain consent in accordance with the India DPDPA, you must ensure that the consent is free, specific, informed, unconditional and unambiguous, and that it is given with a clear affirmative action for a specified purpose (Section 6(1)). It must also be preceded by a notice describing the personal data collected and the purpose of processing.
Once you have collected users' explicit consent according to these principles, you can use cookies and process data with their help.
Data fiduciaries must keep records of the consent obtained: if a dispute arises over whether consent was given, the burden of proving it lies on the fiduciary.
They also must allow the user, i.e., the data principal, to withdraw consent at any time, and withdrawing must be as easy as giving consent was. When the user withdraws consent, you must stop processing their data within a reasonable time, which for cookies means no longer setting or reading the cookies concerned and expiring the ones already present.
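The opt-in gating and withdrawal handling described above, as an added example that is not code from the article or from any consent-manager product. It keeps an append-only consent log (what was granted or withdrawn, when, and under which notice version), loads non-essential scripts only after an explicit grant, and computes which cookies to expire on withdrawal. The cookie categories, cookie names, script URLs and notice version are illustrative assumptions.

```javascript
// Added example: a minimal opt-in consent gate for cookies. Not from the article.
// Categories, cookie names, script URLs and the notice version are assumptions.
const COOKIE_CATEGORIES = {
  essential:   { requiresConsent: false, cookies: ["session_id"],  script: null },
  analytics:   { requiresConsent: true,  cookies: ["_ga", "_gid"], script: "https://example.invalid/analytics.js" },
  advertising: { requiresConsent: true,  cookies: ["ads_uid"],     script: "https://example.invalid/ads.js" },
};
const NOTICE_VERSION = "notice-v1"; // assumed version of the notice shown with the banner

// Append-only consent log: every grant and withdrawal is kept with a timestamp and the
// notice version, so the fiduciary can later show what the user agreed to and when.
function createConsentStore(now = () => new Date().toISOString()) {
  const log = [];
  return {
    grant(categories) {
      const unknown = categories.filter((c) => !(c in COOKIE_CATEGORIES));
      if (unknown.length) throw new Error(`unknown category: ${unknown.join(", ")}`);
      if (categories.length === 0) return; // no pre-ticked defaults: an empty choice grants nothing
      log.push({ event: "grant", categories: [...categories], noticeVersion: NOTICE_VERSION, at: now() });
    },
    withdraw(categories = null) { // null withdraws everything
      log.push({ event: "withdraw", categories: categories ? [...categories] : null, noticeVersion: NOTICE_VERSION, at: now() });
    },
    // Replay the log to get the categories currently consented to.
    granted() {
      const set = new Set();
      for (const e of log) {
        if (e.event === "grant") e.categories.forEach((c) => set.add(c));
        else if (e.categories === null) set.clear();
        else e.categories.forEach((c) => set.delete(c));
      }
      return set;
    },
    records() { return log.map((e) => ({ ...e })); },
  };
}

// Essential cookies never need consent; everything else needs a current grant.
function categoryAllowed(category, store) {
  const def = COOKIE_CATEGORIES[category];
  if (!def) return false;
  return !def.requiresConsent || store.granted().has(category);
}

// Scripts that may be injected right now (nothing non-essential before opt-in).
function scriptsToLoad(store) {
  return Object.entries(COOKIE_CATEGORIES)
    .filter(([cat, def]) => def.script && categoryAllowed(cat, store))
    .map(([, def]) => def.script);
}

// Cookies that must be expired because their category has no valid consent.
function cookiesToDelete(store) {
  return Object.entries(COOKIE_CATEGORIES)
    .filter(([cat]) => !categoryAllowed(cat, store))
    .flatMap(([, def]) => def.cookies);
}

// Browser glue: expire disallowed cookies and inject permitted scripts once.
// Takes `doc` as a parameter so the logic above can be exercised without a DOM.
function applyToDocument(store, doc) {
  for (const name of cookiesToDelete(store)) {
    doc.cookie = `${name}=; Max-Age=0; Path=/`; // Path/Domain must match how the cookie was set
  }
  for (const src of scriptsToLoad(store)) {
    if (doc.querySelector(`script[src="${src}"]`)) continue;
    const s = doc.createElement("script");
    s.src = src;
    s.async = true;
    doc.head.appendChild(s);
  }
}

// Walk through one visit with a fixed clock: no opt-in, then analytics opt-in, then withdrawal.
function demo() {
  const store = createConsentStore(() => "2024-06-01T00:00:00Z");
  const before = scriptsToLoad(store);
  store.grant(["analytics"]);
  const after = scriptsToLoad(store);
  store.withdraw();
  const toDelete = cookiesToDelete(store);
  return { before, after, toDelete, records: store.records() };
}
```

Two practical caveats: a cookie can only be expired with the same Path and Domain attributes it was set with, so cookies set by a third-party script with an explicit Domain need the same attribute in the deletion, and cookies set from a third-party origin (as opposed to your own) cannot be cleared by your page at all; the only reliable remedy for those is not to load the script until consent exists, which is what the gate above enforces.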
Global businesses may wonder how the DPDPA compares to other data protection laws worldwide regarding cookie consent.
Compared to the General Data Protection Regulation (GDPR) of the EU, the greatest difference is in the granularity of the consent. The DPDPA does not require granular, per-purpose consent choices in the way the GDPR does.
When you collect cookie consent from EU users, you must request specific consent for each purpose. Data subjects can provide or decline consent for each purpose separately, and the same goes for the withdrawal of consent.
In India, a single consent for the use of cookies is enough; there is no need to offer a separate choice for each purpose, although the notice must still state the purposes for which the data is processed, and consent covers only the data necessary for those purposes. While this may simplify the process of obtaining cookie approval, some users who dislike specific cookies may decline all your cookies altogether.
When you compare Indian law with the laws in the United States, such as the CCPA or the VCDPA, the greatest difference comes in the use of the opt-in principle in India. The US laws rely on the opt-out principle, meaning that businesses can use cookies until users opt out. In India, businesses must not use cookies before the explicit opt-in by the user.
The India DPDPA applies to all businesses that operate from India and to all businesses that target Indian customers.
The DPDPA states that it applies to the processing of digital personal data within the territory of India, where the personal data is collected in digital form or collected offline and later digitised.
It also applies to the processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to the offering of goods or services to data principals within the territory of India.
It is important to note that the law exempts much of the work of Indian outsourcing providers. Where a company in India processes, under a contract with a person outside India, personal data of individuals who are not in India, the Act does not apply to that processing, even though it takes place in India.
Here are some examples of businesses that are likely to be subject to the DPDPA:
The Data Protection Board can impose significant penalties on non-compliant data fiduciaries, including:
According to the law's Schedule, a breach of the consent requirements falls under "any other provision" and may lead to a penalty of up to INR 50 crore (INR 500 million), depending on the nature, gravity and duration of the violation and the steps taken to mitigate it.
You can comply with the DPDPA cookie consent requirements by requesting, collecting, and storing user consent with the help of a consent manager. Under the Act, consent managers act on behalf of the data principal and must be registered with the Data Protection Board.
Once the registration process opens, Secure Privacy intends to register so that it is available to businesses like yours for compliance with the law.
Our solution already has a DPDPA module and will be ready to help you comply and earn customers' trust from the first day the DPDPA becomes applicable.