India Digital Personal Data Protection Act 2023 (DPDPA) Cookie Consent Requirements
Explore the key implications of India's DPDPA 2023, focusing on cookie consent requirements, its impact on businesses, and the need for explicit user consent. Learn the essentials of the law and how to ensure compliance for data processing under the DPDPA.
The cookie consent requirement is among the most important novelties the law brings to businesses operating within India. If you also work there, this article will help you understand what is required of you.
The law relies on the opt-in principle, which means that the website must not use the cookies before getting explicit consent from the visitor.
What are cookies?
Cookies are small text files that a website stores on the user's device; the browser sends them back with later requests, which is how the site collects data about the visitor for processing.
Sometimes such data is personal data. That's where data protection laws such as the DPDPA are triggered.
The most common examples of cookies include Google Analytics cookies, cookies remembering your website preferences, cookies remembering your shopping cart, advertising cookies, and others.
What is the India Digital Personal Data Protection Act (DPDPA) 2023?
The India Digital Personal Data Protection Act (DPDPA) 2023 regulates the processing of personal data in India. It is the country's first comprehensive data protection law, and it is built on the principles of fairness, transparency, and accountability.
The DPDPA applies to all organizations that process personal data in India, regardless of size or location. It also applies to organizations that process the personal data of Indian residents, even if the organization is located outside of India.
The DPDPA requires organizations to obtain consent from individuals before collecting or processing their personal data. Individuals have the right to access, correct, and delete their personal data. They also have the right to object to the processing of their personal data and to port their personal data to another organization.
The DPDPA establishes the Data Protection Board of India to oversee the implementation and enforcement of the law. The Board has the power to investigate complaints, issue orders, and impose fines for violations of the law.
The DPDPA is still in its early stages of implementation, but it is expected to have a significant impact on the way that organizations collect and process personal data in India.
Here are some of the key features of the DPDPA:
- Consent-based processing: Organizations must obtain consent from individuals before collecting or processing their personal data.
- Data subject rights: Individuals have the right to access, correct, and delete their personal data. They also have the right to object to the processing of their personal data and to port their personal data to another organization.
- Data processing requirements: Organizations must process personal data in a fair, transparent, and accountable manner. They must also take appropriate measures to protect the security of personal data.
- Data Protection Board: The DPDPA establishes the Data Protection Board of India to oversee the implementation and enforcement of the law. The Board has the power to investigate complaints, issue orders, and impose fines for violations of the law.
The Indian data protection law also introduces the concept of a significant data fiduciary. This is defined as "any data fiduciary or class of data fiduciaries as may be notified by the Central Government under Section 10." The government has not yet announced which companies will be considered significant data fiduciaries, but it is likely that these will be big companies that process vast amounts of personal data. It's equivalent to the data processor or data controller for GDPR.
The DPDPA is a significant development for data protection in India. It is expected to have a positive impact on the privacy rights of individuals and to help build trust in the digital economy.
How to collect India's DPDPA consent properly
To obtain consent in accordance with the India DPDPA, you must ensure that the consent is:
- Freely given, which means that consent must be obtained without forcing or coercion. For example, you must not force the users into giving consent by bundling it with other terms and conditions, or by making it a precondition for accessing a service or product.
What happens after collecting DPDPA consent?
Data fiduciaries must keep records of the consent obtained in case they need to prove compliance with the laws.
They also must allow the user, i.e., the data principal, to withdraw the consent at any time. When the user withdraws their consent, you must not process their data anymore.
What are the differences between the cookie consent requirements of the DPDPA and other data privacy laws?
Global businesses may wonder how the DPDPA compares to other data protection laws worldwide regarding cookie consent.
Compared to the General Data Protection Regulation (GDPR) of the EU, the greatest difference is in the granularity of the consent. The DPDPA does not require granular consent, but the GDPR does.
When you collect cookie consent from EU users, you must request separate consent for each purpose. The data subjects can give or decline consent purpose by purpose, and the same applies to withdrawing it.
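The opt-in rule (no non-essential cookies before consent), the consent record and withdrawal obligations described under "What happens after collecting DPDPA consent?", and the per-purpose granularity the GDPR adds on top, put together as one added JavaScript example. This is not Secure Privacy's product code or anything from the Act; the purpose names, cookie names, and the in-memory cookie jar standing in for `document.cookie` are assumptions constructed for the illustration.

```javascript
// Added example (not Secure Privacy's product code): an opt-in consent gate.
// Purpose names, cookie names and the in-memory cookie jar are constructed
// for illustration; a real site would back the jar with document.cookie.

// Purposes this hypothetical site uses. Only "essential" cookies (session,
// CSRF token) may be set before consent; every other purpose waits for opt-in.
const PURPOSES = ["essential", "analytics", "advertising", "preferences"];
const NON_ESSENTIAL = PURPOSES.filter((p) => p !== "essential");

// Minimal stand-in for document.cookie so the example runs outside a browser.
function createCookieJar() {
  const jar = new Map();
  return {
    set: (name, value) => jar.set(name, value),
    get: (name) => jar.get(name),
    remove: (name) => jar.delete(name),
    names: () => [...jar.keys()],
  };
}

// Consent manager: keeps an append-only, timestamped record of every grant
// and withdrawal (the proof a data fiduciary retains) and gates cookie writes.
// `granular` = true is the GDPR per-purpose model; false grants all
// non-essential purposes at once, which the DPDPA permits.
function createConsentManager({ cookieJar, now = () => new Date().toISOString(), granular = true }) {
  const granted = new Set(["essential"]); // opt-in default: nothing else
  const log = [];                          // consent record
  const owner = new Map();                 // cookie name -> purpose it serves

  function grant(purposes, source = "banner") {
    const effective = granular ? purposes : NON_ESSENTIAL;
    for (const p of effective) {
      if (!PURPOSES.includes(p)) throw new Error(`unknown purpose: ${p}`);
      granted.add(p);
    }
    log.push({ action: "grant", purposes: [...effective], source, at: now() });
  }

  // Withdrawal stops further processing: the purpose loses consent and the
  // cookies written for it are deleted. Essential cookies are never removed.
  function withdraw(purposes = NON_ESSENTIAL) {
    const removed = [];
    for (const p of purposes) {
      if (p === "essential") continue;
      granted.delete(p);
      const doomed = [...owner].filter(([, purpose]) => purpose === p).map(([name]) => name);
      for (const name of doomed) {
        cookieJar.remove(name);
        owner.delete(name);
        removed.push(name);
      }
    }
    log.push({ action: "withdraw", purposes: [...purposes], removedCookies: removed, at: now() });
    return removed;
  }

  const hasConsent = (purpose) => granted.has(purpose);

  // The gate itself: a cookie is written only if its purpose has consent.
  function setCookie(name, value, purpose) {
    if (!hasConsent(purpose)) return false;
    cookieJar.set(name, value);
    owner.set(name, purpose);
    return true;
  }

  return { grant, withdraw, hasConsent, setCookie, record: () => log.map((e) => ({ ...e })) };
}

// One visitor's session, with a fixed clock so the record is reproducible.
function demo() {
  const jar = createCookieJar();
  let tick = 0;
  const cm = createConsentManager({ cookieJar: jar, now: () => `2024-01-01T00:00:0${tick++}Z` });

  const beforeOptIn = cm.setCookie("_ga", "GA1.2.1", "analytics"); // refused: no consent yet
  cm.setCookie("session_id", "abc123", "essential");               // allowed without consent
  cm.grant(["analytics"]);
  const afterOptIn = cm.setCookie("_ga", "GA1.2.1", "analytics");  // allowed now
  const adsBlocked = cm.setCookie("ad_id", "x", "advertising");    // still refused
  const removed = cm.withdraw(["analytics"]);                      // deletes _ga
  return { beforeOptIn, afterOptIn, adsBlocked, removed, cookies: jar.names(), record: cm.record() };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design point is that the gate sits in front of every cookie write rather than in the banner: scripts that set analytics or advertising cookies never run their write unless `hasConsent(purpose)` is true, so a banner that is dismissed or never shown leaves the visitor opted out by default. With `granular: false` a single "accept" covers all non-essential purposes, which matches the DPDPA's lower bar; keep the default `true` for EU visitors, where the GDPR requires separate consent per purpose.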
Does the India DPDPA apply to my business?
The India DPDPA applies to all businesses that operate from India and to all businesses that target Indian customers.
The DPDPA clearly states that the law applies to the processing of personal data within the territory of India, where the personal data is collected:
- in digital form; or
- in non-digital form and digitized subsequently.
It also applies to the processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to the offering of goods or services to data principals within the territory of India.
It is important to note that the law may not apply to many Indian companies that provide outsourcing services. These companies process data in India, but the data was collected abroad and concerns data principals outside India, so the Act may not reach that processing.
Here are some examples of businesses that are likely to be subject to the DPDPA:
- E-commerce companies that sell goods or services to Indian customers
- Social media platforms that have Indian users
- Financial institutions that have Indian customers
- Healthcare companies that have Indian patients
- Technology companies that collect data about Indian users
What are the penalties for non-compliance with the Digital Personal Data Protection Act 2023?
The Data Protection Board can impose significant penalties on non-compliant data principals and businesses, including:
- INR 10,000 for failure by a data principal to perform duties stipulated under the Act.
- Up to INR 50 crore for breach of any provision of the Act or the implementing rules for which no specific penalty is stipulated.
- Up to INR 250 crore for failure to fulfill the obligation to take reasonable security safeguards to prevent a personal data breach.
According to the law, not obtaining consent may lead to a penalty of up to INR 50 crore, depending on various circumstances related to the violation.
How do I comply with the India DPDP Act cookie consent requirements?
You can comply with the DPDPA cookie consent requirements by requesting, collecting, and storing user consent with the help of a consent manager registered with the Data Protection Board.
Once the registration process begins, Secure Privacy will register and will be available for businesses like yours to ensure compliance with the law.
Our solution has a DPDPA module already and will be prepared to make you compliant and earn customers' trust from the first day the DPDPA becomes applicable.