India Digital Personal Data Protection Act (DPDPA) 2023 Cookie Banner
Delve into the intricacies of India's Digital Personal Data Protection Act (DPDPA) 2023 and grasp the essential elements required for a compliant cookie consent banner. Learn who needs a DPDPA-compliant banner, the specific requirements it must meet, and potential penalties for non-compliance with the law.
The India Digital Personal Data Protection Act (DPDPA) 2023 is India's first comprehensive data protection law and imposes significant obligations on businesses that process personal data online. It was enacted in August 2023; its provisions come into force on the dates notified by the central government.
Who needs a DPDPA-compliant cookie consent banner?
Every business that must comply with the India DPDPA needs a DPDPA-compliant cookie banner to obtain consent for using cookies on their website or app.
The DPDPA cookie consent requirements apply to you if:
- You process personal data within India, or
- You are outside India but offer goods or services to people in India.
What are the DPDPA cookie banner requirements?
Those consent requirements determine what the cookie banner should look like. Under the 2023 India DPDPA, consent to data collection via cookies must be:
- Freely given. Consent must be obtained without any form of force or coercion, so users are never pressured into giving it. This leads to the next requirement.
- Unconditional. Consent must not be made a condition of access to products or services. For example, users must not be locked out of public website sections because they declined cookies; consent obtained that way is invalid.
- Unambiguous. Consent is given only by an explicit, clear and definitive action, such as clicking an "ACCEPT COOKIES" button. Bundling consent into the Terms and Conditions, or inferring it from continued browsing, is not a clear affirmative action.
- Requested in plain language. Privacy notices must be written in plain language that is easy to understand. The DPDPA also describes plain language as "language that is clear, concise, and direct, and that uses common words and phrases that are easily understood by the average person." Legal jargon and technical terms do not belong in a cookie banner.
- Legible and well organized. Privacy notices must use a font size that is easy to read and be organized in a logical, easy-to-follow way.
Unlike many other data privacy laws, the DPDPA does not require a separate consent for each processing purpose. The EU General Data Protection Regulation (GDPR), the Brazil LGPD, the UK DPA and many other regimes require data controllers to obtain consent for each purpose of processing personal data; the Indian law does not prescribe that level of granularity. Note, however, that Section 6(1) of the Act still requires consent to be "specific" and limited to the personal data necessary for the specified purpose, so the banner must state what the cookies are used for even when it offers a single accept-or-decline choice.
The India DPDPA consent requirements therefore dictate the behaviour of the cookie banner. In general, it must:
- Request consent in an easy-to-understand way and in plain language
- Set non-essential cookies only after the user clicks a button to accept them, never before
- Keep the website fully accessible to users who do not accept cookies
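The three points above translate directly into gating logic. The following is an added example, not code from the page or from Secure Privacy, of a consent manager that holds every non-essential tag until an explicit affirmative action, refuses implicit signals such as scrolling, drops the held tags on decline without touching page access, and keeps a consent record with the action, timestamp and notice version. The category names, the `NOTICE_VERSION` value and the `loadTag` callback are assumptions for illustration; the choice is all-or-nothing, matching the text's point that Indian law does not require per-purpose granularity.

```javascript
// Added example (not from the page): consent gating for a DPDPA-style banner.
// Assumed names: NOTICE_VERSION, ESSENTIAL, EXPLICIT_ACTIONS and loadTag are
// illustrative, not from the Act or from any vendor's product.

const NOTICE_VERSION = '2024-01';   // assumed: version of the plain-language notice shown
const ESSENTIAL = 'essential';      // strictly necessary cookies (session, CSRF) need no consent
// Only deliberate affirmative actions count as unambiguous consent.
const EXPLICIT_ACTIONS = new Set(['click_accept', 'keyboard_accept']);

function createConsentManager({ now = () => Date.now(), loadTag = () => {} } = {}) {
  const state = { decision: null, pending: [], loaded: [] };

  function hasConsent() {
    return state.decision !== null && state.decision.status === 'accepted';
  }

  // Essential cookies may always be set; everything else waits for consent.
  function canSetCookie(category) {
    return category === ESSENTIAL || hasConsent();
  }

  // Scripts register here. Essential ones load now; non-essential ones are held
  // until an explicit accept and discarded once any other decision exists.
  // Nothing here blocks the page itself, so a user who declines keeps full access.
  function requestTag(category, id) {
    if (canSetCookie(category)) {
      state.loaded.push(id);
      loadTag(id);
      return 'loaded';
    }
    if (state.decision !== null) return 'dropped';
    state.pending.push({ category, id });
    return 'pending';
  }

  // Scrolling, closing the banner or continuing to browse is not consent; if
  // the UI wires such an event here by mistake, the call is refused.
  function accept(action) {
    if (!EXPLICIT_ACTIONS.has(action)) {
      return { ok: false, reason: `"${action}" is not an explicit affirmative action` };
    }
    state.decision = { status: 'accepted', action, at: now(), noticeVersion: NOTICE_VERSION };
    const released = state.pending.splice(0);
    for (const tag of released) {
      state.loaded.push(tag.id);
      loadTag(tag.id);
    }
    return { ok: true, released: released.map(tag => tag.id) };
  }

  function decline() {
    state.decision = { status: 'declined', at: now(), noticeVersion: NOTICE_VERSION };
    const dropped = state.pending.splice(0).map(tag => tag.id);
    return { ok: true, dropped };
  }

  // Withdrawal is one call, as easy as giving consent. Already-loaded tags
  // cannot be unloaded here; the caller must also expire their cookies.
  function withdraw() {
    if (!hasConsent()) return { ok: false, reason: 'nothing to withdraw' };
    state.decision = { status: 'withdrawn', at: now(), noticeVersion: NOTICE_VERSION };
    state.pending.splice(0);
    return { ok: true };
  }

  // The record to retain: what was decided, how, when, and against which notice.
  function consentRecord() {
    return state.decision === null ? null : { ...state.decision };
  }

  function loadedTags() {
    return [...state.loaded];
  }

  return { hasConsent, canSetCookie, requestTag, accept, decline, withdraw, consentRecord, loadedTags };
}

// Walk-through on constructed input: two non-essential tags registered before
// any decision, one implicit signal that is refused, then an explicit accept.
function demo() {
  const fired = [];
  const cm = createConsentManager({ now: () => 1700000000000, loadTag: id => fired.push(id) });
  cm.requestTag(ESSENTIAL, 'session');      // loads immediately
  cm.requestTag('analytics', 'ga4');        // held
  cm.requestTag('marketing', 'meta-pixel'); // held
  cm.accept('scroll');                      // refused: not an explicit action
  cm.accept('click_accept');                // releases both held tags
  return { fired, record: cm.consentRecord() };
}
```

In a real deployment `loadTag` would inject the vendor script and `consentRecord()` would be persisted server-side so the decision can be produced later; the page and its essential cookies work identically whether the user accepts, declines or never interacts with the banner.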
DPDPA v. GDPR v. CCPA cookie banners
A DPDPA-compliant cookie banner shares some features with GDPR-compliant and CCPA-compliant banners, but it is identical to neither.
DPDPA v. GDPR, UK DPA, LGPD
The most significant difference between a DPDPA consent banner and one that meets GDPR requirements is the granularity of consent. Under the GDPR, the UK DPA, the LGPD and similar regulations you must obtain specific consent per purpose, which in practice means a separate choice for analytics (for example Google Analytics), another for advertising pixels (Meta, TikTok, and so on), and so forth.
In India, on the other hand, the user may either accept all cookies at once or decline them altogether. You may offer granular choices, but they are not legally required.
DPDPA v. CCPA/CPRA, VCDPA, and US state privacy laws
The US state privacy laws do not require explicit opt-in before cookies are set on users' devices; they generally rely on an opt-out for the sale of personal data and for targeted advertising instead. Some of them do require consent for processing sensitive personal data, but such data is rarely collected via cookies.
What are the penalties for non-compliance with the India Digital Personal Data Protection Act 2023?
Data fiduciaries that do not comply with the DPDP Act face the following penalties:
- Up to INR 10,000 for a breach of duties by a data principal;
- Up to INR 50 crore for violations for which no specific penalty is prescribed; and
- Up to INR 250 crore for failing to take reasonable security safeguards to prevent a personal data breach.
The Data Protection Board of India imposes these penalties. Cookie consent violations fall into the residual category, so the maximum penalty is INR 50 crore. The actual amount depends on the factors the Act lists for the Board to consider: the nature, gravity and duration of the breach; the type and nature of the personal data affected; whether the breach is repetitive; any gain realised or loss avoided as a result; any mitigation the fiduciary undertook; and whether the penalty is proportionate and effective.
How do you ensure compliance with the India DPDPA cookie banner requirements?
Under the Act, a data principal may give, manage, review or withdraw consent either directly with you or through a Consent Manager registered with the Data Protection Board, and withdrawing consent must be as easy as giving it. Either way, you need tooling that obtains, records and retains each consent decision and honours withdrawal. That is where Secure Privacy can help.
Once Consent Manager registration opens, Secure Privacy intends to register and to assist businesses such as yours in meeting these requirements. Our India DPDPA-compliant cookie consent banner has already been built and will be available once the law takes effect.