The Digital Personal Data Protection (DPDP) Act, 2023, has significant implications for the privacy policies and cookie policies of websites operating in India. This blog will delve into the key changes and challenges brought about by the DPDP Act and how they affect the privacy and cookie policies of websites.
Key Aspects of the DPDP Act
Consent and Processing of Personal Data
The DPDP Act emphasizes the need for explicit consent before processing personal data. This consent must be given in clear and plain language, and the data principal must be informed of their right to access, correct, update, and erase their data. The act also provides for the withdrawal of consent at any time, with the ease of doing so being comparable to the ease with which the consent was given.
Purpose Limitation and Data Use
The DPDP Act introduces purpose limitations, meaning that personal data can only be processed for the specific purposes for which it was collected. This principle aims to ensure that data is not used for purposes other than those for which it was originally collected. However, the act allows for certain exceptions, such as processing by the State for the provision of benefits, services, licenses, permits, or certificates.
Data Fiduciaries’ Responsibilities
Data fiduciaries, such as website operators, are obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met. They must also provide notice of data collection and processing and ensure that data is not transferred outside India unless it is to a country notified by the central government.
Grievance Redressal and Compliance
The DPDP Act establishes the Data Protection Board of India to handle complaints and grievances and issue penalties for noncompliance. This board will play a crucial role in ensuring that data fiduciaries adhere to the provisions of the act.
Impact on Privacy Policies
Enhanced Transparency
Websites must provide clear and transparent information about how they collect, use, and protect personal data. This includes details on the purposes for which data is collected, the types of data collected, and the duration for which data is stored. The privacy policy must be presented in clear and plain language, giving users the option to access it in English or any other language specified in the Eighth Schedule to the Constitution.
Consent Management
Websites must obtain explicit consent from users before processing their personal data. This consent must be specific and informed, and users must be given the option to withdraw their consent at any time. The privacy policy must clearly outline the consequences of withdrawing consent, such as the potential loss of access to certain services.
Purpose Limitation and Data Use
Websites must ensure that personal data is only processed for the specific purposes for which it was collected. This means that data collected for one purpose cannot be used for another purpose without explicit consent. The privacy policy must reflect this purpose limitation and outline the specific purposes for which data is collected.
Data Security and Retention
Websites must maintain the security and integrity of personal data. This includes ensuring that data is stored securely and that it is deleted once its purpose has been met. The privacy policy must outline the measures taken to protect data and the duration for which data is retained.
Impact on Cookie Policies
Cookie Consent
The DPDP Act requires websites to obtain explicit consent before placing cookies on users’ devices. This consent must be specific and informed, and users must be given the option to withdraw their consent at any time. The cookie policy must clearly outline the purposes for which cookies are used and the types of data collected through cookies.
Cookie Purpose and Duration
Websites must ensure that cookies are used for specific purposes and are deleted once their purpose has been met. The cookie policy must outline the duration for which cookies are stored and the measures taken to protect the data collected through cookies.
Third-Party Cookies
The DPDP Act allows for the use of third-party cookies only if the user has given explicit consent. This consent must be specific and informed, and the cookie policy must clearly outline the purposes for which third-party cookies are used and the types of data collected through them.
Conclusion
The DPDP Act, 2023, introduces significant changes to the way websites handle personal data and cookies. The act emphasizes the need for explicit consent, purpose limitation, and enhanced transparency. Websites must adapt their privacy policies and cookie policies to comply with these new requirements. The DPDP Act provides a robust framework for data protection in India, ensuring that personal data is handled responsibly and with the consent of the data principal.
Disclaimer: The views given above are for information purposes only; they should not be construed as legal advice.
Read: Navigating DPDP Act – Checklist for Indian Businesses https://corpotechlegal.com/2024/02/21/compliance-checklist-of-dpdp-act-2023-for-indian-businesses/