
DPDP Act Cookie Consent: Website Compliance Guide

How to build a DPDP Act-compliant cookie consent mechanism for Indian websites — what requires consent, how to implement a CMP, and how DPDP differs from GDPR.

Key Takeaways
  • Cookies that process personal data (identifiable user tracking) are subject to the DPDP Act — a valid consent mechanism is required.
  • The DPDP Act requires consent to be free, specific, informed, unconditional, and unambiguous — cookie walls that block access unless users accept tracking cookies are non-compliant.
  • Strictly necessary cookies do not require consent; analytics, advertising, and preference cookies require granular consent.
  • The DPDP Act does not have an ePrivacy equivalent (like GDPR's Cookie Directive) — cookie consent obligations flow from the general consent framework.
  • Implement a Consent Management Platform (CMP) that provides granular opt-in controls and maintains audit-grade consent records.

Cookies and Personal Data Under the DPDP Act

Cookies and similar tracking technologies (local storage, fingerprinting, pixels) process personal data when they identify or are capable of identifying an individual. Under the DPDP Act 2023, this processing requires a lawful basis. For most tracking beyond basic site functionality — analytics, advertising, personalisation, cross-site tracking — the appropriate lawful basis is consent.

Not all cookies involve personal data. A session cookie that stores a random session token without linking it to a user identity does not process personal data within the meaning of the DPDP Act. However, once a tracking cookie is linked to a user account, a persistent identifier, an IP address, or a device fingerprint that can be used to re-identify an individual across sessions, it becomes personal data processing subject to the Act.

Indian websites serving Indian users are subject to the DPDP Act for cookie-based tracking of those users, regardless of where the website is hosted. A SaaS company with servers in Singapore but Indian users is subject to DPDP consent requirements for tracking those users. The Act's extraterritorial scope (Section 3) covers processing connected with offering goods or services to Data Principals in India.

Section 6 of the DPDP Act requires that consent be free, specific, informed, unconditional, and unambiguous. Applied to cookie consent, this means: users must actively opt in (not opt out, not "continued use of the site constitutes consent"), the consent must be specific to each purpose (analytics vs. advertising vs. personalisation), users must be clearly informed about what cookies do and who receives the data, and the consent must not be bundled with other terms.

"Unconditional" is particularly important for cookie consent: the DPDP Act prohibits conditioning access to a product or service on acceptance of unnecessary processing. A cookie wall that blocks access to your website unless users accept advertising cookies is non-compliant — you cannot require tracking consent as a condition of reading your content. Strictly necessary cookies for site function can operate without consent; everything beyond that should be optional.

Consent must be as easy to withdraw as to give. Cookie consent banners that offer a one-click "Accept All" but require multiple clicks through nested menus to decline non-essential cookies violate the ease-of-withdrawal requirement. The "Reject All" or "Accept Only Necessary" option must be as prominent as "Accept All."

Strictly necessary cookies: these enable basic site functionality (session management, shopping cart, login authentication). They do not track users across visits or sessions for marketing purposes. Strictly necessary cookies do not require consent — they are covered by the legitimate interest of providing the service the user has specifically requested. Disclose them in your privacy/cookie policy but do not seek consent for them.

Analytics cookies: these track user behaviour on your site to understand traffic patterns and improve the product (Google Analytics, Mixpanel, Hotjar). Analytics cookies typically create a persistent user identifier and track behaviour over time. They require explicit opt-in consent under the DPDP Act because they process personal data for a purpose (product improvement analytics) beyond the immediate service delivery.

Advertising and marketing cookies: these track users across sites for ad targeting, retargeting, and conversion attribution (Google Ads, Meta Pixel, LinkedIn Insight Tag). These are among the most personal-data-intensive tracking technologies and require explicit opt-in consent with clear disclosure that data is shared with advertising networks. Cross-site tracking cookies — those that follow users across domains — require particularly robust consent given their reach.

Implementing a Consent Management Platform

A Consent Management Platform (CMP) is a tool that manages cookie consent collection, records, and enforcement. For DPDP Act compliance, your CMP must: present a compliant consent banner with granular opt-in controls; block non-essential tracking scripts until consent is given; store timestamped consent records for each user; honour consent withdrawal by blocking scripts when consent is withdrawn; and provide an API to check consent status for server-side decisions.

Popular CMPs include OneTrust, Cookiebot, Usercentrics, and TrustArc. Evaluate CMPs against DPDP Act-specific requirements: do they support Indian regulatory language? Do they support Aadhaar-based identity for consent records? Can they be configured to meet the specific "free, specific, informed, unconditional, unambiguous" standard? Can they generate audit-grade consent logs suitable for Board investigation evidence?

Beyond the banner, implement tag management to ensure non-consented tracking scripts are truly blocked. A CMP that presents a compliant banner but allows tracking scripts to fire regardless of consent choice is non-compliant — this is a surprisingly common technical implementation failure. Regularly test your CMP implementation by selecting different consent options and verifying (using browser developer tools or network monitoring) that the corresponding scripts are actually blocked.
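The script-blocking and withdrawal behaviour described in this section, as an added JavaScript example that is not code from the article or from any CMP vendor. It assumes third-party tags are embedded as `<script type="text/plain" data-consent-category="analytics" src="...">` so the browser does not execute them on page load, and that `necessary`, `analytics`, `advertising` and `preferences` are the site's own consent categories. The decision of which tags may run is kept as a pure function so it can be unit-tested independently of the DOM step that activates permitted tags.

```javascript
// Added example (not from the original article or any CMP product): a minimal
// consent-gated tag loader. Category names below are assumptions for this example.
const CATEGORIES = ["necessary", "analytics", "advertising", "preferences"];

// Default state before any interaction: only strictly necessary tags may run.
function defaultConsent() {
  return { necessary: true, analytics: false, advertising: false, preferences: false };
}

// Pure decision: which tags may run under a given consent state.
// Anything not explicitly granted, and any unknown category, is blocked.
function allowedTags(tags, consent) {
  return tags.filter((tag) => {
    if (tag.category === "necessary") return true;
    return CATEGORIES.includes(tag.category) && consent[tag.category] === true;
  });
}

// Withdrawal: a new consent state with the category switched off.
// Necessary cookies are not consent-based, so there is nothing to withdraw.
function withdraw(consent, category) {
  if (category === "necessary") return { ...consent };
  return { ...consent, [category]: false };
}

// Browser step: activate permitted inert tags and leave the rest untouched.
// Returns the number of tags activated (0 outside a browser, e.g. in tests).
function applyConsent(consent) {
  if (typeof document === "undefined") return 0;
  const nodes = document.querySelectorAll('script[type="text/plain"][data-consent-category]');
  const tags = Array.from(nodes).map((el) => ({ category: el.dataset.consentCategory, el }));
  const permitted = allowedTags(tags, consent);
  for (const { el } of permitted) {
    // Re-create the element: changing "type" in place does not execute a script.
    const live = document.createElement("script");
    for (const attr of el.attributes) {
      if (attr.name !== "type") live.setAttribute(attr.name, attr.value);
    }
    live.type = "text/javascript";
    live.text = el.text;
    el.replaceWith(live);
  }
  return permitted.length;
}
```

A tag that has already executed in the current page cannot be unloaded, so withdrawal is enforced by persisting the new state, deleting that category's cookies, and re-running `applyConsent` on the next page load. The test described in the paragraph above (choose each consent option, then confirm in the network panel that only the permitted requests fire) is the check that this gating actually holds on the live site.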

DPDP Cookie Consent vs. GDPR Requirements

If your website already complies with GDPR cookie requirements (for European users), you have a significant head start on DPDP compliance. The core principles — granular opt-in consent, no cookie walls, ease of withdrawal — are shared. However, there are important differences that require specific DPDP adjustments.

GDPR has a companion regulation — the ePrivacy Directive (Cookie Directive) — that specifically addresses cookies and electronic communications. India does not have an equivalent specific regulation; cookie consent obligations under the DPDP Act flow from the general consent framework in Section 6. This means some of the more prescriptive GDPR cookie rules may not have a direct DPDP equivalent, but the general consent principles apply with full force.

GDPR allows "legitimate interest" as a lawful basis for some analytics processing, enabling analytics cookies without consent in some configurations. The DPDP Act's Section 7 (legitimate uses) is narrower and does not map cleanly to GDPR's legitimate interest. For Indian users, consent is the clearest available basis for analytics tracking. Do not assume your GDPR-compliant configuration satisfies DPDP requirements without a specific review.

Server-Side Tracking and First-Party Data

Server-side tracking — where analytics events are sent from your server rather than the user's browser — is growing as browser-based tracking becomes more restricted by browser privacy settings and ad blockers. Under the DPDP Act, server-side tracking still requires a valid consent basis if it involves processing personal data for purposes beyond service delivery.

First-party data strategies — building analytics on data you collect directly from users within an authenticated context, rather than third-party tracking cookies — align well with DPDP Act compliance. First-party analytics within an authenticated session (where the user has consented to analytics as part of the account relationship) is cleaner from a consent perspective than anonymous cross-session cookie-based tracking.

If you are migrating to server-side or first-party data approaches, update your privacy notice and consent flows to reflect the new data collection methods. The mechanism changes but the obligation remains: users must be informed and must consent to analytics processing of their personal data. Document the transition in your compliance records.

For every user who visits your website, you should maintain a consent record that captures: the timestamp of the consent interaction, the version of the cookie policy in effect, the specific consent choices made (accepted analytics, declined advertising, etc.), and the consent ID (a unique identifier that links the record to the user session). This record is your evidence of compliance if a user later disputes their consent.

Cookie consent records should be retained for a sufficient period — at least 3 years — to support potential Board investigations. However, consent records themselves contain personal data (they can be linked to an identified user), so apply your privacy policy's data handling requirements to them. Anonymise consent records when they are no longer needed for compliance purposes.

Conduct regular cookie audits — scan your website to discover what cookies and tracking technologies are present, compare against your cookie policy and consent categories, and remove or re-consent any that are not covered. Websites evolve quickly and new tracking scripts can be introduced through third-party tools, content management systems, or ad tags without explicit privacy review. A quarterly cookie scan keeps your consent infrastructure current.
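The consent record described above and the cookie audit in the last paragraph, as one added JavaScript example that is not the article's code. `buildConsentRecord` produces one frozen record per consent interaction with the four fields the article lists, and `auditCookies` reconciles the cookies observed on a page (a `document.cookie` string, or a capture from a scanner) against a declared inventory and the user's recorded choices. The `DECLARED` inventory, the policy version and the cookie values are constructed sample data, not any real site's configuration.

```javascript
// Added example (not from the original article): consent records plus a
// cookie audit that flags undeclared cookies and cookies set without consent.

// One immutable record per consent interaction. The caller (the CMP) supplies
// the consent ID that links the record to the user session.
function buildConsentRecord({ choices, policyVersion, consentId, timestamp }) {
  if (!consentId) throw new Error("consentId is required");
  return Object.freeze({
    consentId,
    timestamp: (timestamp || new Date()).toISOString(),
    policyVersion,
    choices: Object.freeze({ ...choices }),
  });
}

// Constructed inventory: what the cookie policy says each cookie is for.
const DECLARED = {
  session_id: "necessary",
  _ga: "analytics",
  _fbp: "advertising",
};

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((c) => c.trim().split("=")[0])
    .filter(Boolean);
}

// Compare observed cookies with the inventory and the user's choices.
// "undeclared": present on the site but missing from the cookie policy.
// "withoutConsent": declared non-essential cookies set although the
// matching category was not accepted.
function auditCookies(observed, declared, choices) {
  const undeclared = [];
  const withoutConsent = [];
  for (const name of cookieNames(observed)) {
    const category = declared[name];
    if (!category) {
      undeclared.push(name);
      continue;
    }
    if (category !== "necessary" && choices[category] !== true) {
      withoutConsent.push(name);
    }
  }
  return {
    undeclared,
    withoutConsent,
    compliant: undeclared.length === 0 && withoutConsent.length === 0,
  };
}

// Constructed sample: the user accepted analytics but declined advertising,
// yet an advertising cookie and an unlisted cookie are present.
const SAMPLE_RECORD = buildConsentRecord({
  choices: { analytics: true, advertising: false, preferences: false },
  policyVersion: "cookie-policy-v3 (sample)",
  consentId: "sample-consent-0001",
  timestamp: new Date("2024-03-01T10:15:00Z"),
});
const SAMPLE_COOKIES = "session_id=abc123; _ga=GA1.2.111; _fbp=fb.1.222; _hjid=zzz";
const SAMPLE_AUDIT = auditCookies(SAMPLE_COOKIES, DECLARED, SAMPLE_RECORD.choices);
```

Running the audit against a fresh browser profile before any consent is given (every non-necessary category false) is the quarterly scan the article recommends: any name in `withoutConsent` is a tag firing ahead of consent, and any name in `undeclared` is a cookie the policy has not caught up with yet.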

Frequently Asked Questions

Does the DPDP Act apply to cookies on a B2B SaaS login page that is only accessed by identified users?
The consent requirements for tracking cookies apply to the processing of personal data, not specifically to anonymous visitors. If your login page deploys analytics or marketing cookies that track identified or identifiable users, consent is required. Strictly necessary cookies for the login functionality itself do not require separate consent. Review what tracking is active on your authenticated pages versus anonymous pages.

Our website uses Google Analytics — do we need consent from Indian users?
Yes. Google Analytics creates persistent user identifiers and tracks behaviour over time — this constitutes personal data processing under the DPDP Act. Indian users must be given an opt-in opportunity before GA tracking fires. Configure your CMP to block the GA script until the user accepts analytics cookies. Also review your GA configuration: enable IP anonymisation and set data retention to the minimum period.

Can we use a legitimate interest basis for analytics cookies under the DPDP Act?
The DPDP Act's Section 7 "legitimate uses" are more narrowly defined than GDPR's legitimate interest. None of the Section 7 categories map cleanly to website analytics. Consent is the clearest available basis for analytics cookies under the DPDP Act. Do not attempt to rely on an equivalent to GDPR's legitimate interest for analytics in India without specific legal advice.

Do we need a cookie banner for our mobile app?
Mobile apps use SDKs and device identifiers rather than cookies, but the underlying DPDP Act consent requirement is the same. If your app deploys analytics SDKs, advertising SDKs, or tracking frameworks that process personal data, you need a consent mechanism — typically presented as an in-app consent screen at first launch. The CMP landscape for mobile apps is different from web but the compliance obligation is equivalent.

If a user initially consents to all cookies and then withdraws analytics consent, do we need to delete historical analytics data?
Processing conducted while consent was valid is not retrospectively unlawful. You do not need to delete historical analytics data collected before withdrawal. From the moment of withdrawal, stop firing analytics cookies for that user and stop including their data in new analytics processing. Future analytics events from that user should not be collected.
