What is the India Digital Personal Data Protection Act Cookie Policy?
An India DPDPA cookie policy is the document where you inform data principals about your use of cookies. That information is necessary for obtaining valid consent because the consent is valid only when users are well informed about all your privacy practices.
If your website uses cookies, you must obtain explicit users' consent before firing them to the users' devices. The consent request must be accompanied by a privacy notice where you inform the users what data you collect, why you process it, collecting sensitive personal data, details on international data transfers, third parties with whom you share information, data principal privacy rights, etc.
That notice is usually the privacy policy. You can include that information there, but you can also include it in a separate document called cookie policy. The cookie policy is not explicitly required by the law, but it is a good practice for ensuring transparency to your users.
You can provide users with a link to the privacy policy and the cookie policy on your DPDPA-compliant cookie consent banner.
What are the cookie policy requirements by the India data privacy law?
The Digital Personal Data Protection Bill has no cookie policy requirements, but it prescribes transparency requirements. The most notable of them is the privacy notice obligation.
When you ask for consent from users, you must inform them about how you handle personal information. At the moment of collection of data, you need to obtain consent. To obtain informed consent, you need to provide them with the required information.
That's where the privacy notice comes into play.
Privacy policy is the most common form of a privacy notice, no matter what data protection law applies. The privacy policy also contains information on the use of cookies. Websites that rely on cookies, may prefer to separate the cookie information in a separate policy, which is what we know as a cookie policy.
Therefore, the India DPDPA cookie policy is required to contain information on:
- What cookies are being used. If you could list the exact names of the cookies, that would be best for transparency.
- The processing purposes. Although in India you don't need granular consent for processing purposes, nonetheless you need to inform users about the processing purposes. For most websites, the purposes include functionalities, preferences, analytics, and marketing.
- Third-party with whom data is shared. Websites usually use cookies to collect data and share it with the data processors. For example, you share IP address and device information of users with Google Analytics for analytics purposes.
- Data retention. Each cookie stores the data for a specific period of time. That should be included in the cookie policy.
Penalties by the Data Protection Board for non-compliance
The DPDPA prescribes the following penalties:
- INR 10,000 for violations by a data principal;
- Up to INR 50 crore for violations where no specific penalties are prescribed; and
- Up to INR 250 crore for security and data breach violations.
Most website violations would fall under the second category of penalties of up to INR 50 crore. That's the upper limit for not being transparent with your website visitors about your use of cookies.
The Data Protection Board of India imposes penalties on data fiduciaries according to the data privacy law. This means that T=the data fiduciary should be extra cautious in negotiating contracts with data processors, as the data fiduciary must assume they will be held liable for any violation by the data processor.
