Cookie Consent Under DPDP: What Indian Websites Need
DPDP doesn't explicitly regulate cookies, but website tracking and analytics still involve personal data processing. Here's what Indian websites need to know.
Hello there! Ever wonder what those “Accept Cookies” banners are all about, especially now with India’s new privacy law? You’re not alone. While the Digital Personal Data Protection (DPDP) Act, 2023, doesn’t explicitly mention “cookies,” it has a HUGE impact on how Indian websites handle them. Why? Because cookies often collect Personal Data, and the DPDP Act is all about how you, as a business, handle that data.
Think of this as a friendly chat over chai, not a boring legal lecture. We’re here to make DPDP cookies compliance practical and easy for you.
What This Means Under DPDP for Your Website
The DPDP Act focuses on Personal Data. This is any information that can identify an individual, directly or indirectly. Things like their name, email, phone number, and yes, often their IP address or browsing history (collected by cookies) count! If your website uses cookies for analytics (like Google Analytics), advertising (like Facebook Pixel), or even to remember user preferences, you’re likely processing Personal Data.
As a business operating a website, you become a Data Fiduciary. This means you’re the one who decides why and how personal data is collected and used. Under DPDP, you generally need to get valid consent from an individual before processing their Personal Data. For cookies that aren’t strictly necessary for your website to function, this means you need to ask for permission, not just assume it. This is where cookie consent in India starts to look a lot more serious. Ignoring this can be a costly mistake, so understanding the DPDP implications of website tracking is crucial.
Practical Requirements for Cookie Consent
Forget those tiny, pre-ticked boxes or buried links. DPDP requires valid consent, which means it must be:
- Free: Users must have a genuine choice.
- Specific: You need to tell them what data you’re collecting and why.
- Informed: They should understand the implications.
- Unambiguous: A clear, affirmative action (like clicking “Accept”) is needed. No passive consent.
Practically, this translates to:
- A prominent cookie banner or pop-up that appears when a user first visits your site.
- Clear language explaining what cookies are used for (e.g., “to improve your experience,” “for marketing,” “for analytics”).
- Options for users to accept or reject different categories of cookies (e.g., “Analytics,” “Marketing,” “Functional”). Essential cookies (those needed for your site to work, like remembering items in a cart) can usually be set without explicit consent, but you should still inform users about them.
- An easy way to withdraw consent later. This is often through a “Cookie Settings” or “Privacy Preferences” link, usually in the footer of your website.
- A link to your detailed Privacy Notice or Cookie Policy, where users can learn more.
Common Mistakes Businesses Make
It’s easy to get this wrong, especially if you’re adapting old practices. Here are a few common pitfalls to avoid:
- Ignoring cookies altogether: Thinking “it’s just a website thing” and not connecting it to Personal Data is a big risk. Any cookie that collects identifiable information falls under DPDP.
- Pre-ticked boxes: This is a classic no-no. Consent must be active. If a user doesn’t click anything, you can’t assume they’ve agreed to non-essential cookies.
- Generic, vague language: Using phrases like “We use cookies to improve your experience” without detailing how or which specific cookies are used isn’t transparent enough for DPDP.
- No option to reject: If your banner only has an “Accept” button and no clear “Reject All” or “Manage Preferences” option, it’s not giving users a free choice.
- Burying consent options: Making it hard for users to find cookie settings or to withdraw consent defeats the purpose of informed consent.
- Assuming GDPR compliance is enough: While GDPR (Europe’s privacy law) is a great starting point, DPDP has its own nuances. Don’t assume your existing GDPR solution covers all Indian cookie consent requirements without a review.
How to Comply: Steps You Can Take
Getting your website ready for DPDP doesn’t have to be overwhelming. Here’s a practical roadmap:
- Audit Your Website’s Cookies: Use a tool (many free browser extensions or online scanners exist) to identify all the cookies your website sets. Categorize them: essential, analytics, marketing, functional. Understand what data each one collects. This insight is key for addressing DPDP cookies properly.
- Update Your Privacy Notice/Cookie Policy: Clearly explain what cookies you use, why you use them, what data they collect, how long they last, and how users can manage or withdraw consent. Be specific.
- Implement a Consent Management Platform (CMP): This is software that helps you display a cookie banner, manage user choices, and record consent. Many reputable CMPs are available (some with free tiers for small businesses). Look for one that supports granular consent.
- Design a User-Friendly Banner: Make sure your cookie consent banner is easy to understand, offers clear choices (Accept All, Reject All, Customize), and links to your updated policy.
- Ensure Easy Consent Withdrawal: Provide a persistent way for users to change their cookie preferences after their initial choice, typically via a “Cookie Settings” link in your website footer.
- Document Everything: Keep records of the consent you’ve obtained and the settings chosen by users. This is your proof of compliance.
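To make the requirements above and this roadmap concrete, here is a small JavaScript consent store written for this article as an added illustration; it is not code from the article, from any Consent Management Platform, or from the scenario’s store. It implements the points that trip businesses up: nothing non-essential is pre-ticked, only essential cookies are allowed until the user takes an affirmative action, analytics and marketing tags are gated on the recorded choice, withdrawal is a first-class operation, and every decision is stored as a timestamped, versioned record you can keep as evidence. The category names, the tag names (`ga`, `fbpixel`, `csrf`), the cookie name `cookie_consent`, the 180-day lifetime and the rule that a policy version bump forces re-consent are all my assumptions. The record is serialized to a cookie value separately from any browser API, so the same logic runs under Node.

```javascript
// Added example: minimal DPDP-style consent store (assumptions labelled inline).
const CATEGORIES = ["essential", "functional", "analytics", "marketing"];
// Assumed design choice: bump when the cookie policy text changes so users re-consent.
const CONSENT_VERSION = 2;

// Default state: no record means "not consented". There is no pre-ticked box.
function defaultConsent() {
  return {
    version: CONSENT_VERSION,
    decidedAt: null, // stays null until the user takes an affirmative action
    choices: { essential: true, functional: false, analytics: false, marketing: false },
  };
}

// Record an explicit choice. `granted` lists the categories the user ticked.
// Essential cookies are always allowed and cannot be refused.
function recordChoice(granted, now = Date.now()) {
  for (const c of granted) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown cookie category: ${c}`);
  }
  const choices = { essential: true };
  for (const c of CATEGORIES.slice(1)) choices[c] = granted.includes(c);
  return { version: CONSENT_VERSION, decidedAt: now, choices };
}

// The three banner buttons: Accept All, Reject Non-Essential, Customize.
function acceptAll(now) { return recordChoice(CATEGORIES, now); }
function rejectNonEssential(now) { return recordChoice([], now); }

// Withdrawal is just a fresh explicit choice with one category removed.
function withdraw(consent, category, now = Date.now()) {
  const kept = CATEGORIES.filter((c) => c !== category && consent.choices[c]);
  return recordChoice(kept, now);
}

// Gate: may a tag of this category run? Undecided or stale-version records
// are treated as "no" for everything non-essential.
function mayLoad(category, consent) {
  if (category === "essential") return true;
  if (!consent || consent.decidedAt === null) return false;
  if (consent.version !== CONSENT_VERSION) return false;
  return consent.choices[category] === true;
}

// Serialize/parse the record for a first-party cookie value. A corrupted or
// tampered value falls back to "no consent" rather than to "consented".
function toCookieValue(consent) {
  return encodeURIComponent(JSON.stringify(consent));
}
function fromCookieValue(value) {
  try {
    const parsed = JSON.parse(decodeURIComponent(value));
    if (typeof parsed !== "object" || parsed === null) return defaultConsent();
    if (typeof parsed.choices !== "object" || parsed.choices === null) return defaultConsent();
    return parsed;
  } catch (_) {
    return defaultConsent();
  }
}
// Assumed cookie name and lifetime; Secure and SameSite keep the consent cookie
// itself from being sent over plain HTTP or on cross-site requests.
function consentSetCookieHeader(consent, maxAgeDays = 180) {
  return `cookie_consent=${toCookieValue(consent)}; Max-Age=${maxAgeDays * 86400}; Path=/; Secure; SameSite=Lax`;
}

// Constructed tag registry (placeholder names, not the article's): which
// category each third-party or first-party script belongs to.
const TAGS = { ga: "analytics", fbpixel: "marketing", csrf: "essential" };
function allowedTags(consent) {
  return Object.keys(TAGS).filter((t) => mayLoad(TAGS[t], consent));
}

// Stand-alone demonstration of a first visit, an accept, and a later withdrawal.
function demo() {
  const firstVisit = fromCookieValue(""); // no cookie yet
  const afterAccept = acceptAll(1700000000000);
  const afterWithdraw = withdraw(afterAccept, "marketing", 1700000100000);
  return {
    firstVisit: allowedTags(firstVisit),
    afterAccept: allowedTags(afterAccept),
    afterWithdraw: allowedTags(afterWithdraw),
    header: consentSetCookieHeader(afterWithdraw),
  };
}
if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

On a real site the value from `consentSetCookieHeader` is what you would set (or write via `document.cookie`), and `allowedTags` is consulted before injecting any analytics or advertising script; the record returned by `recordChoice` is what you keep as the consent evidence the roadmap’s last step asks for.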
For more detailed strategies, check out our analyses on various DPDP aspects.
Real-World Scenario: An Online Fashion Store
Imagine “ChicThreads,” a small online fashion store based in Bengaluru. Before DPDP, ChicThreads used Google Analytics to track visitor numbers and Facebook Pixel to run targeted ads. Their old website footer just said, “This site uses cookies.”
With DPDP: ChicThreads realizes that collecting IP addresses, browsing patterns, and ad interactions via these cookies is processing Personal Data. They now implement a proper cookie banner that pops up on first visit. The banner clearly states: “We use cookies for analytics and marketing to give you a better shopping experience. Would you like to manage your preferences?”
Users are given options:
- Accept All
- Reject Non-Essential
- Customize (allowing them to tick or untick “Analytics Cookies” and “Marketing Cookies”)
ChicThreads’ updated Privacy Policy clearly explains that Google Analytics and Facebook Pixel are used, what data they collect, and for what purpose. They also provide a “Cookie Settings” link at the bottom of every page, allowing users to change their minds anytime. This proactive approach ensures compliance and builds trust, avoiding a potential penalty of up to ₹250 Crore for non-compliance.
What Data Does This Involve?
Cookies can collect various types of data. Here’s a quick look at what’s commonly involved and its general risk level under DPDP:
| Data Type Collected by Cookies | Examples/Description | DPDP Risk Level |
|---|---|---|
| Cookie ID | Unique identifier for a browser session | Medium |
| IP Address | User’s internet protocol address (can be tied to a location) | High |
| Browsing History | Pages visited, time spent, clicks | High |
| Location Data | General geographical location based on IP address | Medium |
| Device Information | Browser type, operating system, screen resolution | Low |
| Preferences | Language choice, theme (if stored by non-essential cookies) | Medium |
| Essential Functionality | Session IDs for shopping carts, login status (necessary cookies) | Low (if truly essential) |
Processing high-risk data without proper consent is where the biggest DPDP headaches come from.
Why This Matters: The Big Picture & Penalties
Complying with DPDP isn’t just about avoiding a fine; it’s about building trust with your customers. In today’s digital world, people care about their privacy. Being transparent and giving them control shows you respect their choices. Failing to comply can lead to significant penalties, potentially up to ₹250 Crore for serious violations of personal data processing. This isn’t just a slap on the wrist; it can be business-altering. Stay informed with our industry guides to keep your business safe and compliant.
Quick Actions You Can Take This Week:
- Scan Your Website: Use a free online cookie scanner or browser extension to list all cookies your site uses and what data they collect.
- Review Your Privacy Policy: Make sure it clearly explains your cookie practices, data collected, purposes, and how users can manage their consent.
- Investigate CMPs: Start researching Consent Management Platforms (CMPs) that fit your budget and technical capabilities.
- Draft Your Cookie Banner Text: Prepare clear, simple language for your cookie banner that outlines choices for users.
- Plan for Consent Withdrawal: Decide how users will be able to change their cookie preferences later (e.g., a “Cookie Settings” link in the footer).
- Inform Your Team: Ensure anyone managing your website or marketing understands the new requirements for DPDP cookies.