Explore the nuances of India's Digital Personal Data Protection Act (DPDPA) 2023, its impact on website operators, and the imperative elements required for a compliant privacy policy. Learn how to adhere to DPDPA standards, avoid penalties, and ensure valid consent under this new law.
India, a global giant in both population and economic scale, has introduced fresh personal data protection legislation requiring website operators to publish a privacy policy on their websites. Moreover, the India DPDPA-compliant privacy policy must contain several essential elements in order to meet the legal standards.
The new law, the India Digital Personal Data Protection Act (DPDPA) 2023, marks the country's first-ever comprehensive data protection law. While it made its debut in the Official Gazette on August 11, 2023, it comes into effect in mid-2024.
By then, you have to learn the privacy policy requirements to comply with the law. That's why in this article we will present you with:
India's new data privacy law is here! Download our free guide and ensure your business is compliant with the Data Protection Act.
India's DPDPA: Free Guide to Compliance
The privacy policy is the document with which you inform the users how you handle personal information. The DPDPA states that the data fiduciary, i.e., the website or app operator, at the moment of consent collection must provide the data principal, i.e., the website or app user, with a notice that includes the following:
The consent must be informed, which means that the user shall know what she is consenting to. That's why data fiduciaries must provide a notice to the data principals at the consent request. That way, the data principal can read the notice, learn what he gives consent to, and make an informed decision on whether to consent or not.
That leads us to the next important point: the notice must be up-to-date and contain the essential parts prescribed by the law. Otherwise, the consent won't be valid, and that would make the processing of personal data invalid as a whole.
The minimum you must include in your privacy notice is:
You can include all this information in your cookie consent banner, but in most cases, that would be too much text for a banner. In that case, you can provide a link to the privacy policy on the cookie banner.
Aside from the essential elements, you can add more transparency to the policy by adding information on the transfer of personal data outside India, who your data processors are, the identity of your Data Protection Officer, if you are a significant data fiduciary, and other information. That could also help you comply with other data protection laws outside of India.
A non-compliant privacy policy, or one that is not up-to-date, leads to invalid user consent. Invalid users' consent makes the processing of digital personal data invalid. Invalid processing is a violation of the DPDPA and leads to penalties.
The Data Protection Board is authorized to impose the following penalties:
The most likely scenarios related to invalid consent and non-compliant privacy notices may lead to a penalty of up to INR 50 crore.
All these risks apply to your business only if the India Digital Personal Data Protection Act applies to it.
It does apply if you process personal data in digital form or digitized afterward, and your business meets at least one of the following:
Basically, if you are an Indian business, the law applies. If you are a foreign business targeting Indian data subjects, the law also applies.
To meet the cookie consent rules set by India's new Digital Personal Data Protection Act (DPDPA), you'll need to ask for informed consent, and a compliant privacy policy will ensure that the obtained consent is valid.
A simple way to do this is by using a consent manager that's officially registered with the Data Protection Board of India. As soon as the registration process is open, Secure Privacy plans to register itself. Once that's done, businesses like yours can use Secure Privacy's services to make sure you're following the new law correctly.
We've already got a special feature designed just for DPDPA compliance, including a DPDPA-compliant privacy notice along with a cookie consent banner. So, the moment the new law goes into effect, our tool will be ready to help you not only meet the legal requirements but also build trust with your customers right from day one.
Start your Free Trial
As a startup, it is crucial to understand the General Data Protection Regulation (GDPR) and comply with its requirements to avoid significant fines and negative publicity. This article will explain the GDPR, its requirements, and the steps startups need to take to become GDPR compliant.
Explore how Privacy-Preserving Machine Learning, Zero-Knowledge Proofs, and decentralized identity frameworks are revolutionizing automated consent management. Discover the future of dynamic, user-centric consent beyond GDPR and CCPA compliance.
September 6, 2024Secure Privacy is now a Gold Tier Google Certified CMP Partner, ensuring top-tier consent management for businesses. Learn why this certification is vital for data privacy compliance and how it benefits your organization.