November 16, 2023

India's New Digital Personal Data Protection Act (DPDPA) 2023: Cookie Policy

Explore the essentials of India's Digital Personal Data Protection Act (DPDPA) concerning cookie policies, compliance obligations, and penalties. Learn how businesses can align with these regulations and secure user data.

The 2023 India Digital Personal Data Protection Act (DPDPA) requires businesses to inform users of the use of cookies, and businesses may want to publish an India DPDPA cookie policy to meet these requirements.

Although not explicitly required by the DPDPA, having one is good practice and will simplify meeting your obligations. Cookies are a widespread means of processing the digital personal data of data subjects, and that data is protected under India's new privacy regulation.

The DPDPA applies to two types of businesses:

  • Those that process personal data within India; and
  • Those that process personal data outside of India, but target Indian data principals by offering them goods or services from abroad.

If your business falls into either category, the law applies to you, and you should learn more about an India DPDPA cookie policy.

What is the India Digital Personal Data Protection Act Cookie Policy?

An India DPDPA cookie policy is the document where you inform data principals about your use of cookies. That information is necessary for obtaining valid consent because the consent is valid only when users are well informed about all your privacy practices.

If your website uses cookies, you must obtain users' explicit consent before setting them on users' devices. The consent request must be accompanied by a privacy notice informing users what data you collect, why you process it, whether you collect sensitive personal data, details of international data transfers, the third parties with whom you share information, data principals' privacy rights, and so on.

That notice is usually the privacy policy. You can include the cookie information there, but you can also put it in a separate document called a cookie policy. A cookie policy is not explicitly required by the law, but it is good practice for ensuring transparency towards your users.

You can provide users with a link to the privacy policy and the cookie policy on your DPDPA-compliant cookie consent banner.

What are the cookie policy requirements by the India data privacy law?

The Digital Personal Data Protection Bill has no cookie policy requirements, but it prescribes transparency requirements. The most notable of them is the privacy notice obligation.

When you ask users for consent, you must inform them about how you handle their personal information. Consent must be obtained at the moment the data is collected, and for that consent to be informed, you need to provide users with the required information first.

That's where the privacy notice comes into play.

A privacy policy is the most common form of privacy notice, whatever data protection law applies. The privacy policy also contains information on the use of cookies. Websites that rely heavily on cookies may prefer to move the cookie information into a separate policy, which is what we know as a cookie policy.

Therefore, the India DPDPA cookie policy is required to contain information on:

  • What cookies are being used. Listing the exact names of the cookies is best for transparency.
  • The processing purposes. Although in India you don't need granular consent per processing purpose, you still need to inform users about those purposes. For most websites, the purposes include functionality, preferences, analytics, and marketing.
  • Third parties with whom data is shared. Websites usually use cookies to collect data and share it with data processors. For example, you share users' IP addresses and device information with Google Analytics for analytics purposes.
  • Data retention. Each cookie stores data for a specific period of time, and that period should be stated in the cookie policy.

Penalties by the Data Protection Board for non-compliance

The DPDPA prescribes the following penalties:

  • INR 10,000 for violations by a data principal;
  • Up to INR 50 crore for violations where no specific penalties are prescribed; and
  • Up to INR 250 crore for security and data breach violations.

Most website violations would fall under the second category of penalties of up to INR 50 crore. That's the upper limit for not being transparent with your website visitors about your use of cookies.

The Data Protection Board of India imposes penalties on data fiduciaries according to the data privacy law. This means that the data fiduciary should be extra cautious when negotiating contracts with data processors, as the data fiduciary must assume it will be held liable for any violation by the data processor.

How to comply with the India DPDPA 2023 Cookie Policy requirements?

Now you know the requirements, but applying them in a real-case scenario is not an easy task. You can draft your cookie policy, but can you be sure that it meets all the requirements? Are you sure that you've listed all the cookies on your website?

That's where Secure Privacy can help. We can help you get compliant with the DPDPA cookie requirements in three steps:

  1. Scan the website with our scanner. It will show you which cookies are being used on your website and will help you separate essential from non-essential cookies.
  2. Generate a cookie policy and privacy policy. Based on the cookie scan results and some input from your side, our privacy policy generator and cookie policy generator will do the rest of the work.
  3. Use an India-DPDPA-compliant cookie banner on your website. You must obtain explicit user consent for non-essential cookies. We have a proper template that works with cookie scanner reports to ensure that your website is compliant.

And that's it. You've met the DPDPA cookie policy requirements.
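The cookie policy contents listed above (names, purposes, third parties, retention) and the explicit-consent gate for non-essential cookies, as an added example that is not Secure Privacy's code: a single constructed cookie registry feeds both the policy rows and the check that refuses to set a non-essential cookie before the user has decided. All names, purposes, parties and retention periods in the registry are illustrative placeholders.

```javascript
// Added example, not Secure Privacy's code: one cookie registry drives both the
// cookie policy text and the consent gate, so the banner can neither set a
// non-essential cookie before consent nor one the policy does not describe.

// Constructed registry; names, purposes, parties and retention periods are
// illustrative placeholders, so take real values from your own cookie scan.
const COOKIE_REGISTRY = [
  { name: "session_id", category: "essential", purpose: "keeps you signed in",
    party: "first party", retentionDays: 0 },          // 0 means session cookie
  { name: "_ga", category: "analytics", purpose: "distinguishes visitors",
    party: "Google Analytics", retentionDays: 730 },
  { name: "ad_pref", category: "marketing", purpose: "ad personalisation",
    party: "example-adnetwork.invalid", retentionDays: 90 },
];

// Consent state: nothing non-essential is accepted until the principal decides.
function newConsentState() { return { decided: false, accepted: new Set() }; }

// Record an explicit decision; "essential" needs no consent and is ignored.
function recordConsent(state, acceptedCategories) {
  state.decided = true;
  state.accepted = new Set(acceptedCategories.filter((c) => c !== "essential"));
  return state;
}

// The gate: essential cookies are always allowed, other cookies need an explicit
// decision covering their category, and unknown cookies (absent from the policy) are refused.
function maySetCookie(state, cookieName) {
  const entry = COOKIE_REGISTRY.find((c) => c.name === cookieName);
  if (!entry) return false;
  if (entry.category === "essential") return true;
  return state.decided && state.accepted.has(entry.category);
}

// Set a cookie in `jar` (a plain object standing in for document.cookie)
// only if the gate allows it; returns whether it was written.
function setCookieIfAllowed(state, jar, name, value) {
  if (!maySetCookie(state, name)) return false;
  jar[name] = value;
  return true;
}

// Cookie policy rows from the same registry: the name, purpose, third party
// and retention items the DPDPA notice should cover.
function cookiePolicyRows(registry = COOKIE_REGISTRY) {
  return registry.map((c) => ({
    name: c.name, purpose: c.purpose, sharedWith: c.party,
    retention: c.retentionDays === 0 ? "session" : `${c.retentionDays} days`,
  }));
}
```

In a browser the `jar` would be replaced by a `document.cookie` write, and the third-party script (for example the analytics tag) would be loaded only after `maySetCookie` returns true for its cookie.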
