After years in the making, India is finally implementing its Digital Personal Data Protection Act (DPDPA). India’s DPDPA has been many years in the making, having been slow to implement its rules as a single, cohesive data protection and governance framework. The Indian Ministry of Electronics and Information Technology (MeitY) has been at the center of India’s move toward being a leader in digital infrastructure, but India has nevertheless taken its time to create a comprehensive approach to data privacy, only introducing the concept in 2023.
DPDPA taking shape but still not comprehensive
India’s DPDPA continues to take shape in draft form and will continue to evolve. As yet, there is no official date at which the DPDPA will enter into force, and various provisions of the Act are likely to take effect incrementally in a phased approach.
Indian law, as shown so far, remains more fragmented and vague as compared to existing law in other jurisdictions, such as the EU’s GDPR. But its fluidity is seen as possessing the potential for change and innovation that may better support India’s “domestic tech ecosystem”. It is, according to many analysts, unlikely to become as prescriptive as GDPR and similar data protection regulations.
What does the DPDPA cover?
DPDPA establishes data protection principles, data subject rights, and data controller obligations. Some of the key principles of DPDPA include:
- Personal data may only be used for the specific purpose(s) for which it was collected.
- Collection of personal data must be done in a lawful, fair and transparent manner.
- Efforts should be made to ensure that the personal data collected is accurate and up to date.
- The duration of data storage must be limited to the period necessary for using it in the stated way/stated purposes for which it was collected.
- Efforts must be made to ensure that there is no unauthorized personal data collection or processing.
- A Data Fiduciary is responsible for said processing.
This is only a brief overview of what the law contains, but at its core, informed consent is a key component of the DPDPA and a critical aspect of how the data protection regulation should be framed. Consent has widely been seen as a broken process in the Indian approach to data collection and processing, and the current DPDPA aims to take a clearer consent-based approach to personal data. The new rules will rely on the introduction of a “consent artefact” approach to make sure that consent requests are more specific, unconditional and auditable.
It’s easy to be compliant with CookieHub
Sign up today and create a custom cookie banner for your website
- 30 day free trial
- No credit card required
Getting ready for DPDPA: Cookie consent
Like most data protection regulations, while DPDPA is an Indian law, it will have global repercussions, as India is a major hub for global businesses across industries. Businesses operating in India or that handle data from Indian customers need to take action to be in compliance.
With its reach, what are the key things organizations worldwide need to do to prepare? While a range of different actions will be required for businesses to comply, one critical area of action is cookie consent. According to a white paper published by the Advertising Standards Council of India (ASCI), only 6% of top Indian websites are prepared for DPDPA cookie consent compliance. The dipstick survey conducted indicates that cookie consent banners are missing in most major Indian websites, and among those that do have banners, most do not employ best practices, that is, many do not provide clear opt-out options or give users the ability to consent to specific cookies at a granular level.
How to address these shortcomings? In addition to focusing on user-friendly design, consent and transparency, cookie consent becomes considerably easier with a comprehensive cookie and consent management platform like CookieHub.
Are you compliant?
CookieHub automatically scans your website to detect cookies, ensuring all cookies are easily managed.