There are no specific Indian laws regulating cookies.
Under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), which set out general data protection obligations, consent of the information provider is the only ground for the collection of sensitive personal data or information or “SPDI” – a subcategory of personal data that includes passwords, financial information, physical, physiological and mental health conditions, sexual orientation, medical records and history, and biometric information.
While the use of cookies does not require consent, to the extent cookies are used to collect SPDI, consent must be obtained prior to the deployment of such cookies. Separately, market practice has also evolved in a manner where organisations generally seek consent for the use of cookies, regardless of whether any SPDI is collected through such use.
Yes. The SPDI Rules are generally complied with.
None.
There are no specific Indian laws regulating cookies. To the extent these categories of cookies collect SPDI, consent is required prior to the deployment of such cookies.
The SPDI Rules require consent to be obtained in writing or through electronic modes. Implied consent is not acceptable in respect of collection of SPDI through the use of cookies.
There are no specific Indian laws requiring cookie notices. However, under the SPDI Rules, organisations are required to provide a policy detailing their practices relating to the handling of or dealing with personal data. This policy must include a clear and easily accessible statement of a regulated entity’s practices and policies.
Given the open-ended nature of this requirement, it is advisable to provide a cookie notice, or to detail cookie practices in the privacy policy.
Yes. However, market practice has evolved to include the use of cookie banners as best practice.
There are no specific Indian laws prohibiting the use of cookie walls.
No, not presently.
None that we are aware of.
Yes. A new data protection law, titled the Digital Personal Data Protection Act, 2023 (“DPDPA”), was passed in 2023 but is not yet in force. Implementation is expected during the second half of 2024. Once implemented, it will repeal and replace the SPDI Rules. The DPDPA does not specifically regulate cookies but prescribes notice requirements and stricter consent thresholds in comparison to the SPDI Rules. Specific requirements in relation to the manner in which companies must provide notices, consent requests, and obtain consent are expected to be prescribed by the Indian government. This analysis may be revisited once such rules have been prescribed.