



Delve into the intricacies of India's Digital Personal Data Protection Act (DPDPA) 2023 and grasp the essential elements required for a compliant cookie consent banner. Learn who needs a DPDPA-compliant banner, the specific requirements it must meet, and potential penalties for non-compliance with the law.
The India Digital Personal Data Protection Act (DPDPA) 2023 is India's first comprehensive data protection law, imposing significant requirements on businesses that process personal data online. It comes into effect in 2024.
Every business that must comply with the India DPDPA needs a DPDPA-compliant cookie banner to obtain consent for using cookies on their website or app.
The DPDPA cookie consent requirements apply to you if:
If you meet any of these criteria, the law applies to you. And if your website uses cookies, it means that you need a cookie banner that meets the legal requirements.
Cookie banners serve the purpose of informing users about your use of cookies, requesting consent, and recording it. They must meet the legal requirements for obtaining valid consent for the use of cookies.
Therefore, the cookie consent requirements determine what the cookie banners should look like. The 2023 India DPDPA requirements for data collection via cookies prescribe that the consent must be:
Unlike many other data privacy laws that require explicit consent, the Indian Digital Personal Data Protection Bill does not require specific consent for each processing purpose.
The General Data Protection Regulation (GDPR) of the EU, the Brazil LGPD, the UK DPA, and many other data protection regulations require data controllers to obtain consent for each purpose of processing personal data. The Indian law does not require such granularity.
It means that you can get general consent for all purposes. If the user consents to your use of cookies, you can use marketing, advertising, analytics, preferences cookies, and all the other cookies you choose to use. As a data fiduciary, you just need to ensure that the consent is freely given, accompanied by an up-to-date privacy notice, and given by an explicit and unambiguous action.
Read more about India's DPDPA consent requirements in our in-depth article.
The India DPDPA cookie consent requirements inform your decision on what the cookie banner should look like. In general, it must meet the following requirements:
A DPDPA-compliant cookie banner shares some similarities with GDPR-compliant banners and with CCPA-compliant banners. However, it is not the same as either of them.
The most significant difference between a DPDPA consent banner and one that meets the GDPR requirements is the granularity of consent. When you need to comply with the GDPR, the UK DPA, the LGPD, or similar data privacy regulations, you have to obtain specific consent. It means that you need one consent for Google Analytics, a separate one for Meta and TikTok pixels, and so on.
In India, on the other hand, the user either agrees to all the cookies at once or declines them altogether. You have the right to ask for granular consent, but it is not legally required.
The US state privacy laws do not require explicit opt-in before cookies are set on users' devices. Some laws do require consent for the processing of sensitive personal data, but such data is rarely obtained via cookies.
The approach of the US regulators, as well as those in Australia, is to provide users with the right to opt out of the processing. And that's where they differ significantly from the Indian DPDP Act. In India, consent comes before the use of cookies. In the US, the use of cookies comes before opting out. And in many cases, users cannot even opt out.
Data fiduciaries who do not comply with the DPDPA face the threat of the following penalties:
The Data Protection Board of India can impose penalties for violations. When it comes to cookie consent violations, it is clear that the prescribed penalty is up to INR 50 crore. The actual penalty amount would depend on multiple factors, including but not limited to whether the rights of data principals have been respected, whether the data is being processed in accordance with the Act, whether reasonable security practices and procedures are in place, whether the processing involves the collection of sensitive personal data, whether international data transfers to unsafe countries have taken place, and others.
To meet the DPDPA cookie consent standards, you need to use a consent manager that's registered with the Data Protection Board to obtain, record, and retain user consent. That's where Secure Privacy can help.
As the registration gets underway, Secure Privacy will be on the list and ready to assist businesses such as yours in adhering to legal requirements. Our India DPDPA-compliant cookie consent banner has been built already and will be available once the law becomes effective.