Cookie Consent Under the DPDP Act

What India's data protection law means for your cookie banners, trackers, and analytics
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

Cookie Consent in India: What the DPDP Act Changes

For years, cookie banners in India were mostly decoration, something copied from European sites because it looked professional. The DPDP Act, 2023 changes that. With the DPDP Rules 2025 notified on 14 November 2025, the law is fully operational, and cookie consent in India now has real legal weight behind it.

Here is the key idea: the DPDP Act applies to all digital personal data. Whenever a cookie or tracker collects data that identifies or follows an individual, think analytics cookies, advertising trackers, and personalization cookies, you are processing personal data. And under the Act, processing personal data needs either valid consent or a narrow legitimate use. For most website tracking, that means consent.

Get it wrong, and you are exposed to the same penalty framework as any other DPDP violation, with fines reaching ₹250 crore per violation for the most serious failures.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

What a DPDP-Compliant Cookie Banner Looks Like

Consent under the DPDP Act must be free, specific, informed, unconditional, and unambiguous. For cookie banners, that translates into four practical rules.

No Pre-Ticked Boxes

Consent cannot be assumed or pre-selected. Boxes that arrive already checked, or banners that treat scrolling as agreement, do not count as consent.

Clear Affirmative Action

The visitor must actively opt in, a deliberate click on a clear choice. Consent must be informed: the visitor knows what they are agreeing to.

Purpose-Linked Consent

Consent must be specific to a purpose. Analytics, advertising, and personalization are different purposes, and a single vague "Accept all or leave" wall does not make consent free or specific.

Easy Withdrawal

Withdrawing consent must be as easy as giving it. One click to accept means the visitor should not need a treasure hunt to say no later.

Start With a Cookie Audit

Most websites run far more trackers than their owners realize: analytics scripts, ad pixels, social media embeds, chat widgets, heat maps. A cookie audit puts the full list on the table so you can fix consent properly. A good audit answers:

  • What cookies and trackers run on your site, including ones loaded by third-party scripts you forgot about
  • Which ones collect personal data and therefore need consent under the DPDP Act
  • What purpose each one serves, so consent can be linked to purposes honestly
  • Whether your banner and records would hold up if the Data Protection Board asked for proof of valid consent

Cookie data also feeds into your wider compliance picture: it belongs in your data inventory and mapping, and if your site serves minors, remember that tracking and targeted ads at under-18 users are banned entirely, see our page on children's data under DPDP.

Consent Rules Are the First Deadline to Hit

Consent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Compliance setup takes 2-6 months, and cookie consent sits right in the first wave.

Get My Cookies Checked Free

Want the Complete DPDP Picture?

Cookies are one consent touchpoint among many. See the full law, deadlines, penalties, and compliance checklist on our main DPDP guide.

Learn Everything About DPDP Compliance

DPDP Cookie Consent: Frequently Asked Questions

Would Your Cookie Banner Survive a DPDP Check?

Find out in one free audit: we review your cookies, consent flows, and records, and hand you a clear fix roadmap.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.