India Digital Personal Data Protection Act 2023 (DPDPA) Cookie Consent Requirements

The 2023 India Digital Personal Data Protection Act (DPDPA) requires businesses to collect explicit user consent for the use of cookies and for other types of data processing.

Starting in June 2024, businesses cannot use cookies freely to collect website visitors' personal data for processing. The DPDPA is a comprehensive data protection law that significantly changes the privacy regulatory landscape in India and imposes significant new requirements on businesses, as well as penalties for non-compliance.

The cookie consent requirement is among the most important novelties the law brings to businesses operating within India. If you also work there, this article will help you understand what is required of you.

Consent is one of the legal bases for data processing, according to the Indian DPDPA. When it comes to the use of cookies, consent is the only legal basis you can use.

Website operators, known as data fiduciaries under the law, can use cookies for the processing of personal data only if the user agrees with that.

The law relies on the opt-in principle, which means that the website must not use the cookies before getting explicit consent from the visitor.

What are cookies?

Cookies are small text files that the website sends to the user's device to collect data for processing.

Sometimes such data is personal data. That's where data protection laws such as the DPDPA are triggered.

The most common examples of cookies include Google Analytics cookies, cookies remembering your website preferences, cookies remembering your shopping cart, advertising cookies, and others.

What is the India Digital Personal Data Protection Act (DPDPA) 2023?

The India Digital Personal Data Protection Act (DPDPA) 2023 is a comprehensive data protection law that regulates the processing of personal data in India. It is the first comprehensive data protection law in India, and it is based on the principles of fairness, transparency, and accountability.

The DPDPA applies to all organizations that process personal data in India, regardless of size or location. It also applies to organizations that process the personal data of Indian residents, even if the organization is located outside of India.

The DPDPA requires organizations to obtain consent from individuals before collecting or processing their personal data. Individuals have the right to access, correct, and delete their personal data. They also have the right to object to the processing of their personal data and to port their personal data to another organization.

The DPDPA establishes the Data Protection Board of India to oversee the implementation and enforcement of the law. The Data Protection Authority has the power to investigate complaints, issue orders, and impose fines for violations of the law.

The DPDPA is still in its early stages of implementation, but it is expected to have a significant impact on the way that organizations collect and process personal data in India.

Here are some of the key features of the DPDPA:

• Consent-based processing: Organizations must obtain consent from individuals before collecting or processing their personal data.
• Data subject rights: Individuals have the right to access, correct, and delete their personal data. They also have the right to object to the processing of their personal data and to port their personal data to another organization.
• Data processing requirements: Organizations must process personal data in a fair, transparent, and accountable manner. They must also take appropriate measures to protect the security of personal data.
• Data Protection Authority: The DPDPA establishes a Data Protection Board of India to oversee the implementation and enforcement of the law. The Data Protection Authority has the power to investigate complaints, issue orders, and impose fines for violations of the law.

The Indian data protection law also introduces the concept of a significant data fiduciary. This is defined as "any data fiduciary or class of data fiduciaries as may be notified by the Central Government under Section 10." The government has not yet announced which companies will be considered significant data fiduciaries, but it is likely that these will be big companies that process vast amounts of personal data. It's equivalent to the data processor or data controller for GDPR.

The DPDPA is a significant development for data protection in India. It is expected to have a positive impact on the privacy rights of individuals and to help build trust in the digital economy.

How to collect India's DPDPA consent properly

To obtain consent in accordance with the India DPDPA, you must ensure that the consent is:

• Freely given, which means that consent must be obtained without forcing or coercion. For example, you must not force the users into giving consent by bundling it with other terms and conditions, or by making it a precondition for accessing a service or product.
• Informed, meaning that you must inform the user of what they are giving consent to. Such information shall include the categories of processed information, why you process the data, with whom you share it, and so on. A link to your DPDPA-compliant privacy policy could inform the users about that and ensure that consent is obtained.
• Unambiguous, meaning that consent is given only if the user has taken action to give consent. In most cases, that means an ACCEPT COOKIES button. Bundling consent with the Terms and Conditions is not an unambiguous action. Assuming that the user consents to the use of cookies just by browsing the website is not right either, as browsing is not an unambiguous action of giving consent.
• Unconditional, which means that you cannot condition access to products or services with consent. For example, you cannot condition access to the public parts of the website for users who do not consent to the use of cookies.
  

What happens after collecting DPDPA consent?

Once you have collected explicit users' consent according to the DPDPA principles, you can use cookies and process data with their help.

Data fiduciaries must keep records of the consent obtained in case they need to prove compliance with the laws.

They also must allow the user, i.e., the data principal, to withdraw the consent at any time. When the user withdraws their consent, you must not process their data anymore.

What are the differences between the cookie consent requirements of the DPDPA and other data privacy laws?

Global businesses may wonder how the DPDPA compares to other data protection laws worldwide regarding cookie consent.

Compared to the General Data Protection Regulation (GDPR) of the EU, the greatest difference is in the granularity of the consent. The DPDPA does not require granular consent, but the GDPR does.

When you collect cookie consent from EU users, you must request specific consent for each specific purpose. The data subjects can provide or decline consent for each specific purpose. The same goes for the withdrawal of consent.

In India, general consent for the use of cookies is enough. There is no need to ask for separate consent for each purpose. While this may simplify the process of obtaining cookie approval, some users who don't like specific cookies may decline all your cookies altogether.

When you compare Indian law with the laws in the United States, such as the CCPA or the VCDPA, the greatest difference comes in the use of the opt-in principle in India. The US laws rely on the opt-out principle, meaning that businesses can use cookies until users opt out. In India, businesses must not use cookies before the explicit opt-in by the user.

Does the India DPDPA apply to my business?

The India DPDPA applies to all businesses that operate from India and to all businesses that target Indian customers.

The DPDPA clearly states that the law applies to the processing of personal data within the territory of India, where the personal data is collected:

• in digital form; or
• in non-digital form and digitized subsequently.

It also applies to the processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to the offering of goods or services to data principals within the territory of India.

It is important to note that the law does not apply to many Indian companies that provide outsourcing services. These companies process data in India, but it has been collected abroad and does not affect data principals from India. Therefore, it may not apply to them.

Here are some examples of businesses that are likely to be subject to the DPDPA:

• E-commerce companies that sell goods or services to Indian customers
• Social media platforms that have Indian users
• Financial institutions that have Indian customers
• Healthcare companies that have Indian patients
• Technology companies that collect data about Indian users
  

What are the penalties for non-compliance with the Digital Personal Data Protection Act 2023?

The Data Protection Board can impose significant penalties on non-compliant data principals and businesses, including:

• INR 10,000 for failure by a data principal to perform duties stipulated under the Act.
• Up to INR 50 crore for breach of any provision of the Act or the implementing rules for which no specific penalty is stipulated.
• Up to INR 250 crore for failure to fulfill the obligation to take reasonable security safeguards to prevent a personal data breach.

According to the law, not obtaining consent may lead to a penalty of up to INR 50 crore, depending on various circumstances related to the violation.

How do I comply with the India DPDP Act cookie consent requirements?

You can comply with the DPDPA cookie consent requirements by requesting, collecting, and storing user consent with the help of a consent manager registered with the Data Protection Board.

Once the registration process begins, Secure Privacy will register and will be available for businesses like yours to ensure compliance with the law.

Our solution has a DPDPA module already and will be prepared to make you compliant and earn customers' trust from the first day the DPDPA becomes applicable.