Cookie Law Guide for Businesses: India, Indonesia, Africa, Middle East


The ePrivacy Directive, often referred to as the EU cookie law, is the benchmark regulation for cookies. It requires websites to obtain clear consent from users before storing information on, or reading information already stored on, a user’s device through cookies and similar technologies, unless doing so is strictly necessary to deliver a service the user explicitly requested. Its primary objective is to protect individuals’ privacy by giving consumers control over how their data is collected and used online.

However, while the EU law remains a significant standard, it is essential to also know about India’s Digital Personal Data Protection (DPDP) Act, a key regulation aimed at strengthening the online privacy rights of Indian users. The DPDP Act mandates similar compliance for websites and businesses operating within India or targeting Indian users, focusing on consent-based data collection and transparency in data processing.

In this guide, we will walk you through the EU cookie law, India’s DPDP Act, and the related laws in the Philippines, Indonesia, Saudi Arabia, Tanzania and the US. Understanding these frameworks will help ensure your website meets global privacy standards and protects your users’ data effectively.

What Is Data Privacy Law?

Data privacy law refers to a set of legal regulations that govern how personal data is collected, stored, used, and shared by organizations. These laws are designed to protect individuals’ privacy by ensuring their personal information is handled responsibly and securely.

At its core, data privacy law aims to give individuals control over their own data, including the right to access, correct, or delete it. It also sets out guidelines for organizations on how they must protect personal data from misuse, breaches, or unauthorized access.

Key Principles Often Found in Data Privacy Laws Include:

Consent

Organizations must obtain explicit consent from individuals before collecting or processing their personal data, including data gathered through the cookies that websites set on the individual’s device.

Transparency

Businesses must clearly inform individuals about what data they are collecting, why they are collecting it, and how it will be used, before the data is collected.

Data Security

Businesses are required to implement security measures to protect personal data from breaches or unauthorized access.

Rights of Individuals

Data privacy laws typically grant individuals rights such as access to their data, the right to correct or delete information, and the right to withdraw consent.

Accountability

Businesses must be accountable for how they process and protect personal data, and they may be subject to audits or penalties for non-compliance.

Why Was Data Privacy Law Created?

Data privacy laws were created to address growing concerns about the collection, use, and protection of personal information in an increasingly digital world. With the rise of online services, social media, e-commerce, and digital platforms, individuals’ personal data, such as names, addresses, financial details, and browsing habits, has become a valuable asset for businesses. However, the unchecked use of this data raises significant privacy and security risks, including identity theft, misuse, and unauthorized access.

Data privacy laws like the DPDP Act, GDPR, PDPL, and CCPA were established to protect individuals’ privacy rights, promote transparency in data collection, and ensure that businesses handle personal data responsibly. These laws also support individuals by giving them greater control over their personal data and holding businesses accountable for their data practices.

Here are some use cases for each of these key data privacy regulations:

1. DPDP (Digital Personal Data Protection) Act – India

The DPDP Act was introduced to safeguard the personal data of Indian citizens and promote trust in the digital economy. A draft bill was published in 2022 and the Act was enacted in August 2023, with its provisions taking effect on dates notified by the government. It addresses issues related to data breaches, misuse of personal information, and the lack of consent-based data collection.

2. PDPL (Philippine Data Privacy Law) - Philippines

The Philippine law, formally the Data Privacy Act of 2012 (Republic Act No. 10173), was enacted to protect the personal data of individuals in the Philippines, ensuring transparency and accountability in data processing. It requires businesses to obtain consent from individuals before collecting or processing their personal information, which includes identifiers gathered through cookies. It also sets out strict penalties for unauthorized data processing, data breaches, and violations of privacy rights, promoting the responsible handling of personal data to foster trust in the digital era.

3. PDPL (Personal data protection law) - Indonesia

Indonesia’s PDPL (Law No. 27 of 2022), enacted in October 2022 with a two-year transition period for compliance, focuses on strengthening the protection of personal data across sectors in the country. This law requires organizations to implement robust data security measures, obtain clear consent, and grant individuals the right to control their personal data. The PDPL emphasizes the importance of safeguarding sensitive data and mandates penalties for violations, marking a significant step toward improving privacy rights in Indonesia’s rapidly digitalizing society.

4. PDPL (Personal Data Protection Law) - Saudi Arabia

In Saudi Arabia, the PDPL was issued in 2021 (and amended in 2023 before taking full effect) to establish a comprehensive framework for data protection. It governs the processing of personal data in both the private and public sectors, ensuring that data is collected lawfully, securely, and with proper consent. The law strengthens individuals’ rights to access, correct, and erase personal information while holding organizations accountable for data misuse, with stringent penalties for non-compliance.

5. PDPA - (Personal Data Protection Act) - Tanzania

Tanzania’s PDPA, enacted in 2022, aims to safeguard citizens’ privacy and personal data. It sets out clear guidelines for data controllers and processors, requiring them to obtain informed consent before processing personal data. The law promotes data security and transparency, and it gives individuals more control over their personal information, while imposing penalties for any breach of privacy regulations in the digital era.

6. GDPR (General Data Protection Regulation) - European Union

The GDPR is the cornerstone of data privacy law in the European Union, adopted in 2016 and applicable since May 2018. It provides individuals with greater control over their personal data, requiring businesses to implement strong data protection measures, obtain valid consent, and ensure transparency in data processing activities. The regulation enforces strict penalties for non-compliance, emphasizing the protection of personal data across all member states and supporting trust in the digital economy within the EU.

7. CCPA (California Consumer Privacy Act) - United States

The CCPA came into effect in 2020, offering residents of California improved privacy rights. It grants consumers the right to know what personal information is being collected, the ability to request deletion of their data, and the right to opt out of the sale of personal data. The CCPA mandates businesses to be transparent about their data practices and imposes significant fines for non-compliance, supporting California consumers to take control of their personal information in the digital age.

Penalties for Non-compliance with Data Privacy Laws

Non-compliance with data privacy laws like GDPR, DPDP, PDPA, PDPL, and CCPA can result in severe penalties:

DPDP (Digital Personal Data Protection) Act – India

  • Penalties are capped per category of breach: up to ₹250 crore for failing to take reasonable security safeguards, up to ₹200 crore for failing to notify the Data Protection Board and affected users of a breach, and lower caps (down to ₹50 crore) for other violations.
  • Penalties may be imposed for failing to implement appropriate data protection measures, failing to notify breaches, and failing to honour data principals’ rights.

PDPL (Philippine Data Privacy Law) – Philippines

  • Fines range from ₱100,000 to ₱5 million, depending on the offence.
  • Criminal liability includes imprisonment ranging from six months to 7 years, with the longer terms reserved for offences involving sensitive personal information.
  • Penalties may apply for failure to secure data, unauthorized processing, concealment of a breach, or unauthorized disclosure of personal data.

PDPL (Personal Data Protection Law) – Indonesia

  • Criminal fines of up to IDR 6 billion (roughly $400,000 USD) and imprisonment of up to 6 years for individuals who unlawfully obtain, disclose, use or falsify personal data; corporate offenders can be fined up to ten times that amount.
  • Administrative fines for controllers that fail their obligations can reach 2% of annual revenue.
  • Penalties can be imposed for failing to handle a data breach, processing personal data without consent, and failing to fulfil the other obligations of the law.

PDPL (Personal Data Protection Law) – Saudi Arabia

  • Fines can reach up to SAR 5 million (approximately $1.3 million USD) per violation, and can be doubled for repeat offences.
  • Unlawfully disclosing or publishing sensitive personal data can additionally carry imprisonment of up to 2 years and/or a fine of up to SAR 3 million.

PDPA (Personal Data Protection Act) – Tanzania

  • Fines of up to TZS 100 million (approximately $42,000 USD).
  • Imprisonment of up to 10 years for severe violations, including unlawful processing of personal data or failure to ensure data protection measures.
  • Other penalties can be imposed for failure to comply with the Act’s provisions regarding the processing of personal data.

GDPR (General Data Protection Regulation) – European Union

  • Fines can be as high as €20 million or 4% of the company’s global annual turnover, whichever is greater.
  • Penalties depend on the severity of the violation, such as failure to ensure data subject rights or failure to report data breaches.
  • Organizations can also face reputational damage and restrictions on processing personal data.

CCPA (California Consumer Privacy Act) – United States

  • Civil penalties can reach up to $2,500 per violation and $7,500 for each intentional violation or violation involving the personal information of consumers under 16.
  • Each affected consumer or record can count as a separate violation, so penalties scale with the size of the failure.
  • In the event of a data breach caused by a failure to maintain reasonable security, consumers have a private right of action for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater.

Beyond the fines, failure to comply can lead to reputational damage, legal consequences, and loss of consumer trust. To meet the cookie consent requirements of these laws, your website should:

  • Display a cookie banner when a user first visits your website.
  • Clearly inform users about the cookies you use and their purposes.
  • Obtain active consent from users before setting cookies.
  • Provide options for users to accept or reject cookies with equally prominent buttons.
  • Allow users to opt-in to specific cookie categories.
  • Avoid pre-ticked boxes or default ‘on’ sliders for non-essential cookies.
  • Block third-party cookies until users provide explicit consent.
  • Store cookie consent records as proof of compliance in case of regulatory checks.
  • Offer detailed information in your cookie policy, including the cookie provider, purpose, and duration.
  • Ensure users can easily revoke or withdraw consent at any time.
  • Avoid using cookie walls that block website access until cookies are accepted.
  • Do not set cookies automatically when users scroll or interact with the site without engaging with the cookie banner.
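The checklist above, expressed in code: an added example (not the page’s or DataVizz’s own code) of a minimal consent gate in JavaScript. It assumes two non-essential categories (analytics and marketing), a storage key name, a 12-month validity window, and a convention where third-party scripts that must wait for consent are described by a source URL and a category; all of these, and the sample script list, are constructed for illustration.

```javascript
// Added example of a cookie-consent gate; not the page's or DataVizz's code.
// Assumptions for illustration: category names, storage key, 12-month TTL,
// and the { src, category } description of deferred third-party scripts.

const CONSENT_KEY = "cookie_consent_v1";          // assumed storage key
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000; // assumed 12-month validity
const NON_ESSENTIAL = ["analytics", "marketing"]; // assumed opt-in categories

// Constructed sample: scripts the page would otherwise load eagerly.
// "essential" never waits for consent; the others stay blocked until opted in.
const SAMPLE_SCRIPTS = [
  { src: "https://example.com/session.js", category: "essential" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// Build a consent record from the banner's choices. Anything the user did not
// actively switch on is recorded as false, so nothing is pre-ticked by default.
function buildConsentRecord(choices, now = Date.now()) {
  const record = { version: 1, timestamp: now, choices: {} };
  for (const cat of NON_ESSENTIAL) record.choices[cat] = choices[cat] === true;
  return record;
}

// Parse a stored record. null means "show the banner": nothing stored, malformed
// JSON, unexpected schema, a timestamp from the future, or a record past its TTL.
function readConsent(raw, now = Date.now()) {
  if (typeof raw !== "string" || raw.length === 0) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }
  if (!rec || rec.version !== 1 || typeof rec.timestamp !== "number") return null;
  if (typeof rec.choices !== "object" || rec.choices === null) return null;
  if (rec.timestamp > now || now - rec.timestamp > CONSENT_TTL_MS) return null;
  return rec;
}

// Decide which deferred scripts may run. No record, or anything other than an
// explicit true for the category, keeps a non-essential script blocked:
// scrolling past or ignoring the banner is not consent.
function scriptsAllowed(scripts, record) {
  return scripts.filter((s) =>
    s.category === "essential" ||
    (record !== null && record.choices[s.category] === true));
}

// Withdrawal writes a fresh record with every category off, so the stored
// record itself documents when consent was withdrawn.
function withdrawConsent(now = Date.now()) {
  return buildConsentRecord({}, now);
}

// `storage` is anything with getItem/setItem (window.localStorage in a browser);
// this Map-backed shim lets the example run outside one.
function makeMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
function saveConsent(record, storage) {
  storage.setItem(CONSENT_KEY, JSON.stringify(record)); // the proof-of-consent record
}
function loadConsent(storage, now = Date.now()) {
  return readConsent(storage.getItem(CONSENT_KEY), now);
}

// Browser side: third-party tags are shipped as
// <script type="text/plain" data-src="..." data-category="..."> so they cannot
// execute or set cookies until this swaps the allowed ones for live <script> tags.
function activateDeferredScripts(doc, record) {
  const tags = Array.from(
    doc.querySelectorAll('script[type="text/plain"][data-src][data-category]'));
  const wanted = tags.map((t) => ({ src: t.dataset.src, category: t.dataset.category }));
  const allowedSrc = new Set(scriptsAllowed(wanted, record).map((s) => s.src));
  for (const t of tags) {
    if (!allowedSrc.has(t.dataset.src)) continue;
    const live = doc.createElement("script");
    live.src = t.dataset.src;
    t.replaceWith(live);
  }
  return allowedSrc.size;
}

// Walk through a visit: first load, accept analytics only, expiry, withdrawal.
function runDemo() {
  const storage = makeMemoryStorage();
  const t0 = Date.UTC(2024, 0, 1);
  const first = loadConsent(storage, t0);                       // first visit: nothing stored
  saveConsent(buildConsentRecord({ analytics: true }, t0), storage);
  const afterAccept = scriptsAllowed(SAMPLE_SCRIPTS, loadConsent(storage, t0 + 1000))
    .map((s) => s.src);
  const afterYear = loadConsent(storage, t0 + CONSENT_TTL_MS + 1); // expired: re-prompt
  saveConsent(withdrawConsent(t0 + 2000), storage);
  const afterWithdraw = scriptsAllowed(SAMPLE_SCRIPTS, loadConsent(storage, t0 + 3000))
    .map((s) => s.src);
  return { bannerShownInitially: first === null, afterAccept,
           bannerShownAfterExpiry: afterYear === null, afterWithdraw };
}
```

In a real deployment the banner calls `buildConsentRecord` with the user’s explicit choices, `saveConsent` writes the record (keep a server-side copy too if you need it as evidence for a regulator), and every page load calls `loadConsent` followed by `activateDeferredScripts`; a null result from `loadConsent` is the signal to show the banner again, which also covers the expiry and withdrawal cases.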

1. What are the exceptions to cookie laws?

Yes, but they are narrow. Under the ePrivacy Directive, consent is not required for cookies that are strictly necessary to provide a service the user has explicitly requested (for example, a session cookie that keeps a shopping basket or a login alive) or that are used solely to carry out the transmission of a communication. Everything else, including analytics and advertising cookies, needs consent. Most regional laws contain a similar exemption for essential cookies, but its scope varies, so check the specific law that applies to your users.

2. How long does cookie consent last?

Cookie consent usually lasts for 12 months. After this period, users should be prompted to give consent again to ensure compliance with privacy laws. This timeframe can vary depending on local regulations and regulator guidance (France’s CNIL, for instance, recommends re-collecting consent after six months), so it’s important to stay updated with specific requirements.

3. What is the best way to obtain consent?

The best way to obtain consent is through a clear and active opt-in process. This involves displaying a cookie banner when users first visit the site, explaining what cookies are used and their purposes. Provide users with clear options to accept or reject cookies and allow them to easily manage their preferences.

Summary

The DPDP Act (Digital Personal Data Protection Act) in India mandates that websites obtain explicit consent from users before processing their personal data, which includes data collected through cookies placed on their devices. This law aims to protect the privacy and personal data of Indian citizens by ensuring transparency and control over how their data is collected and used.

In addition, other data privacy laws, such as the GDPR (General Data Protection Regulation) in the EU, the CCPA (California Consumer Privacy Act) in the US, and the Data Privacy Act in the Philippines (referred to above as the PDPL), also regulate cookie-based tracking, whether through opt-in consent (GDPR) or an opt-out from the sale or sharing of personal information (CCPA). These laws require businesses to clearly inform users about cookie usage and to honour their choices. Non-compliance with these regulations can lead to significant penalties, legal action, and reputational damage.

Get a consent banner to comply with data privacy regulations

It takes barely 10 minutes to set up on DataVizz. We will scan your website, detect your third-party services and design a custom banner for you!