The Digital Personal Data Protection Act (DPDPA), which is yet to come into force, does not specifically call out cookies. Personal Data, as defined under the DPDPA, means any data about an individual who is identifiable by or in relation to such data [Section 2(t) of DPDPA, 2023]. To the extent cookies contain any identifiable information about an individual, the organizations should obtain consent for the use of such cookies, because it implies processing of personal data. The consent mechanism provided in DPDPA states that the consent should free, specific, informed, unconditional, and unambiguous. Hence, the approach seems like aligning with the EU standards rather than the US or Canada standards. Thus, for organizations to tread on the safe path in terms of privacy compliance, they can, in addition to the privacy notice, display a separate cookie banner mentioning the types of the cookies with a choice to accept or reject their use. Further, organizations can publish a cookie policy containing an explanation about cookies, the purposes of their use, retention timeframe, and the way users can configure their preferences/settings regarding the cookies. If the cookies do not contain personal information, it appears that there is no requirement to obtain consent or even notify the individuals. Having said that the detailed rules and regulations of the DPDPA is yet to come.
Source: Barandbench
