How India is catching up on user data protection with DPDPA

India may not have a dedicated cookie law, but the Digital Personal Data Protection Act (DPDPA) sets clear principles for obtaining granular consent from users

By  Storyboard18Jan 28, 2025 2:44 PM
How India is catching up on user data protection with DPDPA
India may not have a dedicated cookie law, but the Digital Personal Data Protection Act (DPDPA) sets clear principles for obtaining granular consent from users

The Advertising Standards Council of India (ASCI) Academy, in collaboration with PSA Legal and Tsaaro Consulting, has released a comprehensive white paper titled 'Navigating Cookies: Recalibrating your cookie strategy in light of the DPDPA' to commemorate Data Privacy Day. The white paper explains in detail how granular consent takes shape in India towards building better privacy standards.

India may not have a dedicated cookie law, but the Digital Personal Data Protection Act (DPDPA) sets clear principles for obtaining granular consent from users, especially in cookie banners and privacy statements. Since cookies collect and store user data, consent under the DPDPA must comply with Sections 5 and 6 of the Act.

Under Section 5(1)(i), data fiduciaries must provide users (referred to as "data principals") with a notice outlining the personal data being collected and the purpose of its use before requesting consent. This mirrors Article 6(1)(a) of the GDPR, which requires data subjects to be informed about each purpose for processing their data before giving consent.

Section 6(1) of the DPDPA highlights that consent must be free, specific, informed, unambiguous, and given explicitly for a specific purpose. It further limits the use of personal data to that stated purpose alone. Moreover, Section 6(3) mandates that consent requests must be presented in plain, simple language, ensuring clarity for users. Importantly, under Section 6(4), users retain the right to withdraw their consent at any time.

These provisions align closely with Article 4(11) and Article 7 of the GDPR, which define consent as freely given, specific, informed, and unambiguous. The GDPR also requires that consent requests be clear, accessible, and understandable, and ensures users can withdraw consent whenever they wish.

The DPDPA’s emphasis on specificity and clarity ensures compliance with global standards, paving the way for the adoption of granular consent mechanisms in India.

First Published on Jan 28, 2025 2:44 PM

More from Storyboard18

Digital

Mumbai Police issue third summons to Kunal Kamra, ask him to appear on April 5

Mumbai Police issue third summons to Kunal Kamra, ask him to appear on April 5

Digital

CBI must work with startups to combat AI-driven crimes, says Vaishnaw

CBI must work with startups to combat AI-driven crimes, says Vaishnaw

How it Works

SEBI’s ID mandate for intermediary ads welcomed, but industry seeks stronger AI oversight

SEBI’s ID mandate for intermediary ads welcomed, but industry seeks stronger AI oversight

Gaming

Quick Commerce or Quick cash? Zepto’s promotion of illegal betting firm Parimatch

Quick Commerce or Quick cash? Zepto’s promotion of illegal betting firm Parimatch

Brand Marketing

Google to pay $100 million to settle 14-year-old ad lawsuit

Google to pay $100 million to settle 14-year-old ad lawsuit

Digital

OpenAI seeks $40 Billion in new funding to drive AI expansion

OpenAI seeks $40 Billion in new funding to drive AI expansion

Special Coverage

WPP drops DEI language amid U.S. scrutiny, while Ogilvy global CEO champions representation and purpose

WPP drops DEI language amid U.S. scrutiny, while Ogilvy global CEO champions representation and purpose

Special Coverage

Krafton's Srinjoy Das at GPS 2025: Future of gaming marketing is symbiotic, social, and surprise-driven

Krafton's Srinjoy Das at GPS 2025: Future of gaming marketing is symbiotic, social, and surprise-driven