India's DPDPA 2023 Privacy Policy and Its Impact
India, one of the world's most populous and economically influential nations, has introduced new personal data protection laws. These laws mandate that websites must display a privacy policy that complies with the India Digital Personal Data Protection Act (DPDPA) 2023. The India's DPDPA requires that the privacy policy includes key elements to meet legal requirements.
This legislation, India's first comprehensive data protection law, was officially published on August 11, 2023, and came into effect in mid-2024.
In this article, we will cover:
- What does a DPDPA-compliant privacy policy in India entail?
- The essential components of such a policy
- Whether the India's DPDPA applies to your business
- How to create a compliant privacy policy for your website to adhere to the law?
What is India's DPDPA-compliant privacy policy?
A DPDPA-compliant privacy policy is a document that informs users about how their personal data is handled. According to the DPDPA, website or app operators (referred to as "data fiduciaries") must provide users ("data principals") with a notice at the time of collecting their consent. This notice should include:
- The personal data being processed
- The purpose of processing the data
- Instructions on how users can exercise their rights regarding their data
- How users can file complaints with the Data Protection Board of India
Consent must be informed, meaning users need to fully understand what they are agreeing to. Data fiduciaries must present this notice clearly when requesting consent, enabling users to make an informed choice. Additionally, the notice must remain up-to-date and include all legally required information. If not, the consent becomes invalid, rendering the processing of personal data unlawful.
What should be included in your India DPDPA privacy policy?
At a minimum, your privacy notice must include the following:
- Personal Data Being Processed: Specify the types of personal data you collect and process, such as email addresses, browsing history, purchase behavior, IP addresses, and device information.
- Purpose of Processing: Clearly state why you're processing this data. Common reasons include marketing, website analytics, or providing functionality on your website or app.
- How to Exercise Data Principal Rights: Users have rights under the DPDPA, which extend beyond just withdrawing consent. Your privacy notice must list these rights and explain how users can exercise them, typically by providing an email address or a web form for submitting data privacy requests.
- How to File a Complaint: Explain how users can file a complaint with the Data Protection Board of India if they are unsatisfied with your privacy practices.
You can include this information in your cookie consent banner, though it may be too lengthy. In that case, it’s better to provide a link to your full privacy policy in the banner.
For added transparency, you can also include information about data transfers outside of India, your data processors, and the identity of your Data Protection Officer (if you’re a significant data fiduciary). This could also help you comply with international data protection laws.
What are the penalties for having a non-compliant DPDPA privacy policy?
A privacy policy that is not compliant or up-to-date results in invalid user consent. Without valid consent, processing personal data becomes illegal. Such invalid processing violates the DPDPA and can result in penalties.
The Data Protection Board has the authority to impose the following fines:
- INR 10,000 if a data principal fails to fulfill their obligations under the Act.
- Up to INR 50 crore for violating any provision of the Act or its rules where no specific penalty is mentioned.
- Up to INR 250 crore for failing to implement adequate security measures to prevent a data breach.
The most common violations, such as invalid consent or non-compliant privacy policies, could result in penalties as high as INR 50 crore.
Does the India's DPDPA 2023 apply to your business?
These risks are relevant to your business only if the India Digital Personal Data Protection Act (DPDPA) applies to you.
The law applies if you handle personal data in digital form or if data is later digitized, and your business meets at least one of the following conditions:
- Your business operates within India, or
- Your business operates outside India but offers products or services to Indian residents.
In summary, if you are an Indian business, the law applies. If you're a foreign business targeting Indian individuals, the law applies to you as well.
How Ardent Privacy helps with India’s DPDPA privacy policy and comply with the India Data Privacy Law?
Here’s how Ardent Privacy can assist with compliance to the India Data Privacy Law:
1) Data Discovery & Classification
- Ardent Privacy helps businesses discover and classify personal data across their systems. This is crucial for compliance with DPDPA, which requires identifying and managing personal data efficiently.
- One of Ardent Privacy’s key features is data minimization, which ensures that companies only collect and retain the minimal necessary personal data. The DPDPA mandates that organizations should not retain personal data for longer than is necessary for the purposes it was collected.
3) Automated Data Subject Rights (DSR) Management
- The DPDPA grants data subjects several rights, such as the right to access, correct, and erase their data. Ardent Privacy can automate the process of responding to these requests by helping businesses: 1) Identify where personal data is stored. 2) Delete or anonymize data as required.
- India's DPDPA emphasizes valid and informed consent for processing personal data. Ardent Privacy’s tools can help manage consent, ensuring that companies are only processing data for purposes for which explicit consent has been obtained.
5) Assured Data Deletion & Anonymization
- To comply with the India's DPDPA, organizations must securely delete or anonymize personal data when it's no longer needed. Ardent Privacy provides features for assured data deletion or anonymization to meet these requirements.
6) Audit Trails & Reporting
- Ardent Privacy solutions include audit trails and compliance reporting, which help organizations demonstrate compliance during audits by regulatory bodies. This ensures transparency and accountability as required by the DPDPA.
7) Privacy by Design & Default
- Ardent Privacy integrates Privacy by Design principles into workflows. This includes ensuring that data privacy considerations are built into processes from the outset, aligning with DPDPA requirements to safeguard personal data at all stages.
8) Automate Privacy Impact Assessment
- The DPDPA requires organizations to assess the risk of processing personal data. Ardent Privacy can perform data protection impact assessments (DPIAs) to identify potential risks and take preventive measures, ensuring compliance with the law's risk management requirements.
In essence, Ardent Privacy’s solutions help organizations navigate the complexities of the India's DPDPA, ensuring full compliance while reducing operational overhead.