What are India's DPDPA requirements for cookie consent?

India's Digital Personal Data Protection Act, 2023 (DPDPA) requires businesses to obtain explicit consent from users before using cookies to collect or process their personal data. A website can no longer set cookies that gather personal data from visitors without their consent.

The Act is a major shift in India's privacy regulation, introducing strict requirements and penalties for non-compliance. Among the key changes is the requirement for explicit cookie consent, which affects every business that runs a website for users in India. If you're affected, you need to understand the new obligations.

Under the DPDPA, consent is the primary legal basis for processing personal data, including data collected through cookies. Website operators, termed data fiduciaries, may only use cookies that process personal data once the user has explicitly consented. The law follows an opt-in model: such cookies cannot be set until the visitor explicitly agrees.

What are cookies?

Cookies are small pieces of data that a website stores in the user's browser; the browser sends them back with later requests to the same site, which lets the site recognize the device, keep a session, or track activity across visits. When a cookie collects or identifies personal data, data protection laws like India's DPDPA come into play.

Common uses of cookies include analytics (for example Google Analytics), remembering website preferences, keeping items in a shopping cart, and tracking for advertising purposes.

Here are some of the main aspects of the DPDPA:

  • Consent-based processing: Organizations must get permission from individuals before collecting or using their personal data.
  • Data principal rights: Individuals (called data principals under the Act) can obtain a summary of the personal data being processed about them, have it corrected or erased, seek grievance redressal from the data fiduciary, and nominate another person to exercise these rights on their behalf.
  • Data processing requirements: Organizations must handle personal data in a fair, transparent, and accountable way, and ensure appropriate security measures are in place to protect it.
  • Data Protection Board: The DPDPA establishes the Data Protection Board of India to oversee the law's implementation and enforcement. The Board can inquire into complaints and breaches, issue directions, and impose monetary penalties for non-compliance.

The DPDPA also introduces the concept of a "significant data fiduciary": a data fiduciary that the central government designates based on factors such as the volume and sensitivity of the personal data it processes and the risk to data principals ("data fiduciary" is the DPDPA's term for what the GDPR calls a controller). Designated fiduciaries carry extra obligations, including appointing a Data Protection Officer and undergoing periodic audits. The specific companies that fall under this category will be designated by the government.

Overall, the DPDPA marks a major step forward for data protection in India, aiming to enhance privacy rights and build trust in the digital economy.

How to collect India's DPDPA consent properly

To comply with the India DPDPA when obtaining consent, you need to ensure that the consent is:

  • Freely given: Consent must be obtained without pressure or coercion. You can't extract it by bundling it with acceptance of other terms and conditions.
  • Informed: Users must be clearly told what they are consenting to, including the types of data being processed, the purposes of processing, and who the data is shared with. Linking to a DPDPA-compliant privacy notice from the consent request helps ensure users are adequately informed.
  • Unambiguous: Consent must involve a clear, affirmative action from the user, such as clicking an "ACCEPT COOKIES" button. Pre-ticked boxes, or treating continued browsing or scrolling as agreement, are not acceptable.
  • Unconditional: Access to products or services cannot be made dependent on consent. For instance, you cannot block access to public areas of a website if the user declines cookies that are not needed to deliver the page.

What happens after collecting DPDPA consent?

After obtaining explicit consent in line with the DPDPA, you may set the consented cookies and process the resulting data for the purposes stated in your notice.

Data fiduciaries must keep records of the consent they have obtained (what was consented to, when, and against which version of the notice), because in any dispute the burden of proving that valid consent was given falls on the fiduciary.

Additionally, users (referred to as data principals) must be able to withdraw their consent at any time, and withdrawing must be as easy as giving it. Once a user withdraws, you must stop the processing that relied on that consent within a reasonable time and make sure your data processors stop too; for cookies that means no longer setting or reading them from that point on.
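As an added example (not code from the original article, and not from any vendor named on this page), the following Node-runnable JavaScript shows how the opt-in, record-keeping and withdrawal rules above translate into a consent gate for cookies: nothing non-essential is set before an explicit click, each decision is logged with the notice version it was given for, consent given against an older notice is not carried over, and withdrawal removes the dependent cookies. The cookie names, purposes, notice versions and the in-memory CookieJar standing in for document.cookie are all assumptions made for illustration.

```javascript
// Added example, not from the original article: a minimal opt-in cookie
// consent gate. Non-essential cookies stay blocked until the user takes an
// explicit affirmative action, every decision is recorded against the notice
// version it was given for, and withdrawal clears dependent cookies at once.
// Cookie names, purposes and notice versions below are assumptions.

// Stand-in for document.cookie so the example runs outside a browser.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  has(name) { return this.store.has(name); }
}

// Registry of cookies the site may set and the purpose each serves.
// Anything not listed cannot be set at all (fail closed).
const COOKIE_PURPOSES = {
  _ga: 'analytics',
  _gid: 'analytics',
  ad_id: 'advertising',
};

class ConsentManager {
  constructor(jar, noticeVersion, now = () => Date.now()) {
    this.jar = jar;
    this.noticeVersion = noticeVersion; // version of the notice shown to the user
    this.now = now;
    this.granted = new Map();           // purpose -> notice version consented under
    this.records = [];                  // append-only audit trail
  }

  // Only an explicit affirmative action counts; scrolling or continued
  // browsing must never be passed in here as consent.
  grant(purposes, action) {
    if (action !== 'explicit_click') {
      throw new Error(`"${action}" is not an affirmative action; consent not recorded`);
    }
    for (const p of purposes) this.granted.set(p, this.noticeVersion);
    this.records.push(this.record('grant', purposes, action));
  }

  // Rejection is recorded too; the page keeps working, only the cookies are gated.
  reject(purposes) {
    for (const p of purposes) this.granted.delete(p);
    this.records.push(this.record('reject', purposes));
  }

  // Withdrawal takes effect immediately: drop the consent and every cookie
  // that depended on it so no further processing happens.
  withdraw(purposes) {
    for (const p of purposes) this.granted.delete(p);
    for (const [name, purpose] of Object.entries(COOKIE_PURPOSES)) {
      if (purposes.includes(purpose)) this.jar.remove(name);
    }
    this.records.push(this.record('withdraw', purposes));
  }

  // Replay records from an earlier visit. A grant given against an older
  // notice is not carried over: the user was informed of something else.
  restore(records) {
    for (const r of records) {
      if (r.event === 'grant' && r.noticeVersion === this.noticeVersion) {
        for (const p of r.purposes) this.granted.set(p, r.noticeVersion);
      } else if (r.event === 'withdraw' || r.event === 'reject') {
        for (const p of r.purposes) this.granted.delete(p);
      }
    }
  }

  hasConsent(purpose) {
    return this.granted.get(purpose) === this.noticeVersion;
  }

  // Every cookie write goes through this gate.
  setCookie(name, value) {
    const purpose = COOKIE_PURPOSES[name];
    if (purpose === undefined) throw new Error(`cookie ${name} is not registered`);
    if (!this.hasConsent(purpose)) return false;   // blocked: no valid consent
    this.jar.set(name, value);
    return true;
  }

  record(event, purposes, action) {
    return { event, purposes: [...purposes], noticeVersion: this.noticeVersion, at: this.now(), action };
  }
}

// Walk-through of one session with a constructed fixed clock.
function demo() {
  const jar = new CookieJar();
  const cm = new ConsentManager(jar, 'notice-v2', () => 1700000000000);
  const onLoad = cm.setCookie('_ga', 'GA1.2.1');            // false: nothing consented yet
  let implied = false;
  try { cm.grant(['analytics'], 'scrolled'); } catch (e) { implied = true; }
  // Consent stored from a previous visit, given against the older notice-v1.
  cm.restore([{ event: 'grant', purposes: ['analytics'], noticeVersion: 'notice-v1', at: 1, action: 'explicit_click' }]);
  const stale = cm.setCookie('_ga', 'GA1.2.1');             // false: re-consent needed
  cm.grant(['analytics'], 'explicit_click');
  const afterGrant = cm.setCookie('_ga', 'GA1.2.1');        // true
  const adBlocked = cm.setCookie('ad_id', 'abc');           // false: advertising not consented
  cm.withdraw(['analytics']);
  return { onLoad, implied, stale, afterGrant, adBlocked, gaGone: !jar.has('_ga'), records: cm.records.length };
}
```

In a real site the gate would sit in front of every tag-manager or analytics loader, the audit records would be persisted server-side keyed to the user or session, and the notice version would be bumped whenever the purposes or recipients in the privacy notice change so that stale consent is re-collected rather than silently reused.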

What are the differences between the cookie consent requirements of the DPDPA and other data privacy laws?

Global businesses might be curious about how the DPDPA's cookie consent requirements stack up against other international data protection laws.

Compared with the EU's General Data Protection Regulation (GDPR), the main difference is granularity. EU regulators read the GDPR (together with the ePrivacy Directive) as requiring separate consent per purpose, so a user can accept analytics cookies while declining advertising cookies. The DPDPA also requires consent to be specific to the purposes stated in the notice, but it does not prescribe per-category cookie controls, so a single consent covering the listed purposes is commonly used. That makes the consent flow simpler in India, with the caveat that an all-or-nothing choice may lead users to reject all cookies when they object to only one type.

In comparison to U.S. state laws such as the CCPA or the VCDPA, the key difference is India's opt-in approach. U.S. laws generally operate on an opt-out basis: businesses may use cookies until a user opts out of, for example, the sale or sharing of their data or targeted advertising. In India, businesses cannot use such cookies unless users have opted in first.

Does India's DPDPA apply to my business?

India's DPDPA applies to any business operating within India or offering goods or services to individuals in India.

The law covers:

  • The processing of digital personal data within India, whether the data was collected in digital form or collected offline and later digitized.
  • The processing of digital personal data outside India, if it’s related to offering goods or services to individuals in India.

However, the Act exempts personal data that is processed in India under a contract with a person outside India where the data principals are themselves outside India, which covers the typical outsourcing case of an Indian service provider handling foreign customers' data.

Examples of businesses likely to be subject to the DPDPA include:

  • E-commerce companies selling to Indian customers
  • Social media platforms with Indian users
  • Financial institutions serving Indian customers
  • Technology firms collecting data on Indian users

What are the consequences for failing to comply with the Digital Personal Data Protection Act 2023?

The Data Protection Board can impose hefty penalties for non-compliance with the DPDPA. The Act's schedule sets the following maximums:

  • Up to INR 250 crore for failing to take reasonable security safeguards to prevent a personal data breach.
  • Up to INR 200 crore for failing to notify the Board and affected data principals of a personal data breach.
  • Up to INR 200 crore for breaching the additional obligations that apply to children's personal data.
  • Up to INR 150 crore for breaching the additional obligations of a significant data fiduciary.
  • Up to INR 50 crore for any other breach of the Act or its rules, which includes processing personal data without valid consent.
  • Up to INR 10,000 for a data principal who breaches their own duties under the Act, such as filing a false or frivolous complaint.

Within these caps the Board weighs the nature, gravity and duration of the breach, the type of data affected, and whether the fiduciary acted to mitigate it.

How can I meet the cookie consent requirements under the India DPDP Act?

One option is to use a Consent Manager: under the Act this is an entity registered with the Data Protection Board that acts as a single point through which data principals can give, manage, review and withdraw consent. Whatever mechanism you use, the site must not set non-essential cookies before consent is given, must record the consent it obtains, and must honor withdrawal.

How does Ardent's solution help with cookie consent requirements under India's DPDPA?

Ardent’s TurtleShield CM (Consent Management) automates required user privacy notices, the gathering and management of consent/opt-out privacy preferences, and the operational honoring of preferences by both internal and downstream third-party data sharers.

Under the Digital Personal Data Protection Act (DPDPA) and other recent privacy regulations, user consent is now key to processing personal data. TurtleShield CM stores preferences in a secure database, where they are always accessible via API, rather than inside the user's browser the way cookie-only consent solutions do.

We refer to TurtleShield CM as “Enterprise Consent” because it uniquely handles the ingestion of private data from every type of touchpoint used by modern enterprises.

TurtleShield CM works with native mobile apps, web apps, email, SMS text messaging, voice commands, IoT devices, and even physical locations such as retail, hospitality, and sports venues.

When audiences include children under 18, TurtleShield CM provides a streamlined compliance flow supporting age estimation, identifying parents and guardians, and gathering their consent as required by regulation.