Brand Makers
Dil Ka Jod Hai, Tootega Nahin
How India is catching up on user data protection with DPDPA
India may not have a dedicated cookie law, but the Digital Personal Data Protection Act (DPDPA) sets clear principles for obtaining granular consent from users
Tech giants Google, Meta, YouTube, and Snap have earlier raised similar concerns over the Digital Personal Data Protection Act's restrictions on behavioural tracking.
The Advertising Standards Council of India (ASCI) Academy, in collaboration with PSA Legal and Tsaaro Consulting, has released a comprehensive white paper titled 'Navigating Cookies: Recalibrating your cookie strategy in light of the DPDPA' to commemorate Data Privacy Day. The white paper explains in detail how granular consent takes shape in India towards building better privacy standards.
India may not have a dedicated cookie law, but the Digital Personal Data Protection Act (DPDPA) sets clear principles for obtaining granular consent from users, especially in cookie banners and privacy statements. Since cookies collect and store user data, consent under the DPDPA must comply with Sections 5 and 6 of the Act.
Under Section 5(1)(i), data fiduciaries must provide users (referred to as "data principals") with a notice outlining the personal data being collected and the purpose of its use before requesting consent. This mirrors Article 6(1)(a) of the GDPR, which requires data subjects to be informed about each purpose for processing their data before giving consent.
Section 6(1) of the DPDPA highlights that consent must be free, specific, informed, unambiguous, and given explicitly for a specific purpose. It further limits the use of personal data to that stated purpose alone. Moreover, Section 6(3) mandates that consent requests must be presented in plain, simple language, ensuring clarity for users. Importantly, under Section 6(4), users retain the right to withdraw their consent at any time.
These provisions align closely with Article 4(11) and Article 7 of the GDPR, which define consent as freely given, specific, informed, and unambiguous. The GDPR also requires that consent requests be clear, accessible, and understandable, and ensures users can withdraw consent whenever they wish.
The DPDPA’s emphasis on specificity and clarity ensures compliance with global standards, paving the way for the adoption of granular consent mechanisms in India.
SPOTLIGHT
"The raucous, almost deafening, cuss words from the heartland that Piyush Pandey used with gay abandon turned things upside down in the old world order."
Read MoreThe new face of the browser: Who’s building AI-first browsers, what they do and how they could upend advertising
From OpenAI’s ChatGPT-powered Atlas to Microsoft’s Copilot-enabled Edge, a new generation of AI-first browsers is transforming how people search, surf and interact online — and reshaping the future of digital advertising.