The Advertising Standards Council of India (ASCI) Academy, in collaboration with PSA Legal and Tsaaro Consulting, has released a comprehensive white paper titled ‘Navigating Cookies: Recalibrating your cookie strategy in light of the DPDPA’ to commemorate Data Privacy Day. The white paper explains in detail how granular consent takes shape in India towards building better privacy standards.
India may not have a dedicated cookie law, but the Digital Personal Data Protection Act (DPDPA) sets clear principles for obtaining granular consent from users, especially in cookie banners and privacy statements. Since cookies collect and store user data, consent under the DPDPA must comply with Sections 5 and 6 of the Act.
Under Section 5(1)(i), data fiduciaries must provide users (referred to as “data principals”) with a notice outlining the personal data being collected and the purpose of its use before requesting consent. This mirrors Article 6(1)(a) of the GDPR, which requires data subjects to be informed about each purpose for processing their data before giving consent.
Section 6(1) of the DPDPA highlights that consent must be free, specific, informed, unambiguous, and given explicitly for a specific purpose. It further limits the use of personal data to that stated purpose alone. Moreover, Section 6(3) mandates that consent requests must be presented in plain, simple language, ensuring clarity for users. Importantly, under Section 6(4), users retain the right to withdraw their consent at any time.
These provisions align closely with Article 4(11) and Article 7 of the GDPR, which define consent as freely given, specific, informed, and unambiguous. The GDPR also requires that consent requests be clear, accessible, and understandable, and ensures users can withdraw consent whenever they wish.
The DPDPA’s emphasis on specificity and clarity ensures compliance with global standards, paving the way for the adoption of granular consent mechanisms in India.
Read more: ASCI Academy releases white paper on navigating cookies in the age of DPDPA