



Explore the essentials of India's Digital Personal Data Protection Act (DPDPA) concerning cookie policies, compliance obligations, and penalties. Learn how businesses can align with these regulations and secure user data.
The 2023 India Digital Personal Data Protection Act (DPDPA) requires businesses to inform users of the use of cookies, and businesses may want to publish an India DPDPA cookie policy to meet these requirements.
Although not explicitly required by the DPDPA, having one is a good practice and will simplify meeting your obligations. Cookies are a widespread method of processing the digital personal data of data subjects, and that data is protected under the new privacy regulation in India.
The DPDPA applies to two types of businesses:
If you belong to any of these businesses, the law applies to you and you need to learn more about an India DPDPA cookie policy.
An India DPDPA cookie policy is the document where you inform data principals about your use of cookies. That information is necessary for obtaining valid consent because the consent is valid only when users are well informed about all your privacy practices.
If your website uses cookies, you must obtain users' explicit consent before setting them on the users' devices. The consent request must be accompanied by a privacy notice where you inform the users what data you collect, why you process it, any collection of sensitive personal data, details on international data transfers, third parties with whom you share information, data principal privacy rights, etc.
That notice is usually the privacy policy. You can include that information there, but you can also include it in a separate document called a cookie policy. The cookie policy is not explicitly required by the law, but it is a good practice for ensuring transparency to your users.
You can provide users with a link to the privacy policy and the cookie policy on your DPDPA-compliant cookie consent banner.
The Digital Personal Data Protection Bill has no cookie policy requirements, but it prescribes transparency requirements. The most notable of them is the privacy notice obligation.
When you ask for consent from users, you must inform them about how you handle personal information. At the moment of collection of data, you need to obtain consent. To obtain informed consent, you need to provide them with the required information.
That's where the privacy notice comes into play.
A privacy policy is the most common form of a privacy notice, no matter what data protection law applies. The privacy policy also contains information on the use of cookies. Websites that rely on cookies may prefer to put the cookie information in a separate policy, which is what we know as a cookie policy.
Therefore, the India DPDPA cookie policy is required to contain information on:
The DPDPA prescribes the following penalties:
Most website violations would fall under the second category of penalties of up to INR 50 crore. That's the upper limit for not being transparent with your website visitors about your use of cookies.
The Data Protection Board of India imposes penalties on data fiduciaries according to the data privacy law. This means that the data fiduciary should be extra cautious in negotiating contracts with data processors, as the data fiduciary must assume they will be held liable for any violation by the data processor.
Now you know the requirements, but applying them in a real-case scenario is not an easy task. You can draft your cookie policy, but can you be sure that it meets all the requirements? Are you sure that you've listed all the cookies on your website?
That's where Secure Privacy can help. We can help you get compliant with the DPDPA cookie requirements in three steps:
And that's it. You've met the DPDPA cookie policy requirements.