India

Can you place cookies without consent?

There are no specific Indian laws regulating cookies.

Under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), which set out general data protection obligations, consent of the information provider is the only ground for the collection of sensitive personal data or information or “SPDI” – a subcategory of personal data that includes passwords, financial information, physical, physiological and mental health conditions, sexual orientation, medical records and history, and biometric information.

While the use of cookies does not require consent, to the extent cookies are used to collect SPDI, consent must be obtained prior to the deployment of such cookies. Separately, market practice has also evolved in a manner where organisations generally seek consent for the use of cookies, regardless of whether any SPDI is collected through such use.

Are cookie rules (whether specific or within general data protection laws) followed in practice?

Yes. The SPDI Rules are generally complied with.

Are there any exemptions if consent is required?

None.

Can you place the following cookies automatically:

i. Analytics cookies, ii. Advertising cookies, iii. Social media cookies

There are no specific Indian laws regulating cookies. To the extent these categories of cookies collect SPDI, consent is required prior to the deployment of such cookies.

Are you able to gain consent without a user ticking ‘accept’, i.e., imply consent from a user continuing to browse the site?

The SPDI Rules require consent to be obtained in writing or through electronic modes. Implied consent is not acceptable in respect of collection of SPDI through the use of cookies.

Can you set cookies without a cookie notice? 

There are no specific Indian laws requiring cookie notices. However, under the SDPI Rules, organisations are required to provide a policy detailing their practices relating to the handling of or dealing with personal data. This policy must include a clear and easily accessible statement of a regulated entity’s practices and policies.

Given the open-ended nature of this requirement, it is advisable to provide for a cookie notice, or detail cookie practices in the privacy policy.

Can you set cookies without a cookie banner/ management tool?

Yes. However, market practice has evolved to include the use of cookie banners as best practice.

Are you able to use cookie walls? 

There are no specific Indian laws prohibiting the use of cookie walls.

Is the local regulator currently enforcing decisions against breaches of cookie rules?

No, not presently.

Are there any current consultations relating to ad tech/cookies?

None that we are aware of.

Are there any anticipated changes to the rules and/ or have there been changes to the attitudes in the market (for example, case law or industry body decisions)?

Yes. A new data protection law, titled the Digital Personal Data Protection Act, 2023 (“DPDPA”), was passed in 2023 but is not yet in force. Implementation is expected during the second half of 2024. Once implemented, it will repeal and replace the SPDI Rules. The DPDPA does not specifically regulate cookies but prescribes notice requirements and stricter consent thresholds in comparison to the SPDI Rules. Specific requirements in relation to the manner in which companies must provide notices, consent requests, and obtain consent are expected to be prescribed by the Indian government. This analysis may be revisited once such rules have been prescribed.