November 5, 2023

India Digital Personal Data Protection Act (DPDPA) 2023 Cookie Banner

Delve into the intricacies of India's Digital Personal Data Protection Act (DPDPA) 2023 and grasp the essential elements required for a compliant cookie consent banner. Learn who needs a DPDPA-compliant banner, the specific requirements it must meet, and potential penalties for non-compliance with the law.

The India Digital Personal Data Protection Act (DPDPA) 2023 is India's first comprehensive data protection law, imposing significant requirements on businesses that process personal data online. It received presidential assent in August 2023; its provisions come into force on the dates the central government notifies, expected during 2024.

Who needs a DPDPA-compliant cookie consent banner?

Every business that must comply with the India DPDPA needs a DPDPA-compliant cookie banner to obtain consent for using cookies on its website or app.

The DPDPA cookie consent requirements apply to you if you process digital personal data and:

  • You operate within India, or
  • You are outside India but offer goods or services to individuals in India.

If you meet either criterion, the law applies to you, and if your website uses cookies, you need a cookie banner that meets the legal requirements.

What are the DPDPA cookie banner requirements?

Cookie banners serve the purpose of informing users about your use of cookies, requesting consent, and recording it. They must meet the legal requirements for obtaining valid consent for the use of cookies.

Therefore, the cookie consent requirements determine what the cookie banners should look like. The 2023 India DPDPA requirements for data collection via cookies prescribe that the consent must be:

  • Freely given. You must obtain consent without any form of force or coercion, ensuring that users aren't pressured into giving it, which leads us to the next requirement.
  • Unconditional. The consent must not be tied to conditions, especially when it comes to accessing products or services. For example, users shouldn't be denied access to public website sections if they decline cookies. Such consent is invalid.
  • Informed. Data principals need to know what they consent to, which means that your consent request must be accompanied by clear information detailing what the user is agreeing to. This includes specifics like the types of data processed, the reasons for processing, and any third parties involved. Providing a link to a DPDPA-compliant privacy policy can help convey this information.
  • Unambiguous. The user gives consent only by explicit, clear, and definitive action, such as clicking an "ACCEPT COOKIES" button. Merging consent with Terms and Conditions or assuming consent through mere website browsing doesn't qualify as clear affirmation.
  • Requested in plain language. The Act requires both the privacy notice and the consent request itself to be presented in clear and plain language, and the data principal must be given the option to read them in English or any of the languages listed in the Eighth Schedule to the Constitution. In practice, plain language means clear, concise and direct wording that uses common words and phrases the average person understands. Legal jargon and technical terms do not belong in a cookie banner.
  • Readable in size and layout. Although the Act sets no minimum font size, the notice should use a size that is easy to read and be organised in a logical, easy-to-follow way, otherwise the consent is hard to defend as informed.

Unlike many other data privacy laws, the Indian Digital Personal Data Protection Act does not spell out a requirement for a separate consent for each cookie category or processing purpose.

The General Data Protection Regulation (GDPR) of the EU, the Brazil LGPD, the UK DPA, and many other data protection regulations require data controllers to obtain consent for each purpose of processing personal data, and banners under those laws typically offer per-category toggles. The Indian law does not prescribe such granularity.

In practice this means that you can request one consent covering all the purposes listed in your notice. If the user consents to your use of cookies, you can use marketing, advertising, analytics, preferences cookies, and all the other cookies you choose to use. As a data fiduciary, you need to ensure that the consent is freely given, accompanied by an up-to-date privacy notice, and given by an explicit and unambiguous action. One caveat: section 6(1) of the Act says consent must be "free, specific, informed, unconditional and unambiguous with a clear affirmative action" and limited to the personal data necessary for the specified purpose, so the notice that accompanies a single all-purposes consent must still state each purpose the cookies serve. How strictly "specific" will be read is something the rules and the Board's practice will settle.

Read more about India's DPDPA consent requirements in our in-depth article.

The India DPDPA cookie consent requirements inform your decision on what the cookie banner should look like and how it should behave. In general, it must:

  • Request consent in plain language that is easy to understand
  • Not set any cookies before consent has been obtained
  • Not set cookies while the user has neither accepted nor declined; closing the banner, scrolling or continuing to browse is not consent
  • Wait for the user to click an accept button before loading cookie-setting tags
  • Provide information about the processing of personal data, or a link to a privacy policy containing the necessary information
  • Allow users who do not accept cookies to use the website
  • Record the consent given, so that you can later demonstrate it
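The behaviour in that list can be expressed as a small consent gate in the browser. What follows is an added example, not code from the original article or from any vendor's product; the names (`ConsentGate`, `registerTag`, `simulateVisit`, the tag names and cookie values) are hypothetical, and the cookie jar is a constructed stand-in for `document.cookie` so the snippet also runs outside a browser. It gates the marketing, advertising and analytics tags the article mentions; which cookies, if any, fall outside the consent requirement is not something the article addresses.

```javascript
// Added example: a browser-side consent gate implementing the banner behaviour
// listed above. All names are hypothetical; the cookie jar stands in for
// document.cookie so the code also runs under Node.

const ConsentState = Object.freeze({
  UNDECIDED: 'undecided', // banner shown, no button clicked yet
  ACCEPTED: 'accepted',
  DECLINED: 'declined',
});

class ConsentGate {
  constructor({ noticeVersion, now = () => new Date() }) {
    this.noticeVersion = noticeVersion; // version of the notice the user saw
    this.now = now;                     // injectable clock for the record
    this.state = ConsentState.UNDECIDED;
    this.record = null;                 // the consent record you would retain
    this.deferred = [];                 // cookie-setting tags awaiting consent
    this.events = [];                   // audit trail for this visit
  }

  // Register a non-essential tag (analytics script, ad pixel, ...). It runs
  // immediately only if consent was already given; otherwise it is queued.
  registerTag(name, run) {
    if (this.state === ConsentState.ACCEPTED) {
      run();
      this.events.push(`ran:${name}`);
    } else {
      this.deferred.push({ name, run });
      this.events.push(`deferred:${name}`);
    }
  }

  // Bound to the accept button only. This is the single path that releases
  // queued tags: the clear affirmative action the Act asks for.
  accept() {
    this.state = ConsentState.ACCEPTED;
    this.record = this.makeRecord('accepted');
    for (const { name, run } of this.deferred.splice(0)) {
      run();
      this.events.push(`ran:${name}`);
    }
  }

  // Bound to the decline button. Queued tags are dropped, not delayed, and the
  // page keeps working: declining must not block access to the site.
  decline() {
    this.state = ConsentState.DECLINED;
    this.record = this.makeRecord('declined');
    this.deferred.length = 0;
    this.events.push('dropped-queued-tags');
  }

  // Scrolling, navigating, or closing the banner without choosing is not
  // consent. These events are logged but never change the state.
  onBrowsingEvent(kind) {
    this.events.push(`ignored:${kind}`);
    return this.state;
  }

  makeRecord(decision) {
    return { decision, noticeVersion: this.noticeVersion, at: this.now().toISOString() };
  }
}

// In a real page the two banner buttons are the only callers of accept() and
// decline(). `doc` is a DOM document; this is not exercised under Node.
function bindBanner(gate, doc) {
  doc.getElementById('cookie-accept').addEventListener('click', () => gate.accept());
  doc.getElementById('cookie-decline').addEventListener('click', () => gate.decline());
}

// Constructed walk-through of one visit. `decision` is true (accept),
// false (decline) or null (the user browses without choosing).
function simulateVisit(decision) {
  const jar = []; // constructed stand-in for document.cookie
  const gate = new ConsentGate({
    noticeVersion: '2023-11',
    now: () => new Date('2024-01-15T10:00:00Z'),
  });
  gate.registerTag('analytics', () => jar.push('_ga=GA1.1.example'));
  gate.registerTag('ad-pixel', () => jar.push('_fbp=fb.1.example'));
  gate.onBrowsingEvent('scroll');
  gate.onBrowsingEvent('navigate:/pricing');
  const cookiesBeforeDecision = jar.length; // must be 0 whatever happens next
  if (decision === true) gate.accept();
  else if (decision === false) gate.decline();
  return {
    cookiesBeforeDecision,
    cookiesAfter: jar.length,
    state: gate.state,
    record: gate.record,
    events: gate.events,
  };
}

if (typeof document !== 'undefined') {
  // Browser: wire the banner first, then register the page's tags on the gate.
  bindBanner(new ConsentGate({ noticeVersion: '2023-11' }), document);
}
```

The consent record carries the version of the notice shown, because the Act puts the burden of proving that notice was given and consent obtained on the data fiduciary; in production the record would be persisted server-side, not only in memory.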

DPDPA v. GDPR v. CCPA cookie banners

A DPDPA-compliant cookie banner shares some similarities with GDPR-compliant banners and with CCPA-compliant banners, but it is not identical to either.

DPDPA v. GDPR, UK DPA, LGPD

The most significant difference between a DPDPA consent banner and one that meets the GDPR requirements is the granularity of consent. When you need to comply with the GDPR, the UK DPA, the LGPD, or similar data privacy regulations, you have to obtain specific consent for each purpose. In practice that means separate choices for analytics (for example Google Analytics), for advertising (for example Meta and TikTok pixels), and so on.

In India, on the other hand, the user can agree to all the cookies at once or decline them altogether. You may offer granular choices, but the Act does not spell out a per-category requirement.

DPDPA v. CCPA/CPRA, VCDPA, and US state privacy laws

The US state privacy laws do not require explicit opt-in before setting cookies on users' devices. Some of them do require consent for the processing of sensitive personal data, but such data is rarely obtained via cookies.

The approach of the US regulators, as well as those in Australia, is to give users the right to opt out of the processing. That is where they differ significantly from the Indian DPDP Act. In India, consent comes before the use of cookies. In the US, the use of cookies comes first and the opt-out follows, and in many cases users cannot opt out at all.

What are the penalties for non-compliance with the India Digital Personal Data Protection Act 2023?

Data fiduciaries (and, for one item, data principals) who do not comply with the DPDP Act face monetary penalties under the Schedule to the Act, each expressed as a maximum:

  • Up to INR 250 crore for failing to take reasonable security safeguards to prevent a personal data breach;
  • Up to INR 200 crore for failing to notify the Board and affected data principals of a personal data breach, and for breaching the additional obligations relating to children;
  • Up to INR 150 crore for breaching the additional obligations of a significant data fiduciary;
  • Up to INR 50 crore for breaching any other provision of the Act or its rules; and
  • Up to INR 10,000 for a data principal who breaches the duties the Act places on data principals.

The Data Protection Board of India imposes these penalties. Cookie consent violations are not listed separately, so they fall under "any other provision", that is, up to INR 50 crore. The actual amount depends on the factors that section 33(2) of the Act directs the Board to consider: the nature, gravity and duration of the breach; the type and nature of the personal data affected; whether the breach is repetitive; whether the person realised a gain or avoided a loss as a result of it; what action was taken to mitigate its effects, and how timely and effective that action was; whether the penalty is proportionate and effective; and the likely impact of the penalty on the person.

How do you ensure compliance with the India DPDPA cookie banner requirements?

To meet the DPDPA cookie consent standards, you need a mechanism to obtain, record, and retain user consent in a form you can later demonstrate, since the Act places the burden of proving that notice was given and consent obtained on the data fiduciary. The Act also provides for Consent Managers registered with the Data Protection Board, through which data principals can give, manage, review, and withdraw consent. That's where Secure Privacy can help.

As registration gets underway, Secure Privacy will be on the list and ready to assist businesses such as yours in adhering to the legal requirements. Our India DPDPA-compliant cookie consent banner has already been built and will be available once the law becomes effective.
