The DPDP Act doesn't mention cookies, yet most Indian businesses are scrambling to implement cookie banners on their websites and apps.
In this article we break down:
- Why cookie banners are required under DPDP - even though the Act is technically silent
- Analysis of different cookie types
- What officials in MeitY are signalling about cookie banners
- Things you must keep in mind when implementing a cookie banner under DPDP
Does the DPDP Act mention cookies?
No. The Digital Personal Data Protection Act, 2023 does not mention the word "cookie" anywhere.
This is different from the GDPR, which explicitly addresses cookies and similar tracking technologies.
But silence on cookies is not the same as exemption from cookies.
So why do cookies fall under DPDP?
The answer lies in how the DPDP Act defines "personal data."
Section 2(t) defines personal data as any data about an individual who is identifiable by or in relation to such data.
This "in relation to" framing is important. Personal data under DPDP is not limited to data that directly identifies someone (like a name or Aadhaar number). It also includes data that relates to an identifiable individual — even if that data, on its own, cannot identify them.
Cookies fit this description. A cookie sitting on your browser may not contain your name. But it is tied to your device, your session, your browsing behaviour. It relates to you and you alone.
When combined with other data points — or even on its own in some cases — it can be linked back to an identifiable person.
This is why cookies fall under the DPDP Act's definition of personal data. Not because the Act names them, but because of what they are: data in relation to an identifiable individual.

What kind of data do cookies collect?
Cookies are not a single category. Different types of cookies collect different kinds of data — and almost all of it qualifies as personal data under DPDP.
Each of these cookie types collects data that — by itself or in combination with other information — relates to an identifiable individual. This brings them within the scope of "personal data" under Section 2(t).
What do the Rules and official guidance say?
The DPDP Act provides the legal framework. But recent official documents have gone further in clarifying that cookies fall within scope.
The NeGD Business Requirements Document on Consent Management Systems (2025) explicitly states that cookies will fall under the broad consent management framework under DPDP. It specifies that cookie consent must include granular consent options, explicit opt-in mechanisms, auditable consent logging, auto-expiry, and user dashboards for managing preferences.
The ASCI Academy whitepaper "Navigating Cookies" (2025) reinforces this position. It highlights that industries — including e-commerce — must implement transparent cookie banners with clear opt-in and opt-out functions, consent withdrawal options, and auditable records. It also flags the need to avoid dark patterns in cookie consent flows.
These documents are not binding law. But they signal the direction regulators and standard-setting bodies are taking. Treating cookies as outside DPDP scope is increasingly difficult to defend.
What does DPDP-compliant cookie consent look like?
Section 6 of the DPDP Act and Rule 3 of the Draft DPDP Rules set out the requirements for valid consent. Applied to cookies, this means:
1. Consent must be informed and specific. Your cookie banner must clearly explain what data is being collected, for what purpose, and by whom. Vague language like "we use cookies to improve your experience" is not sufficient.
2. Consent must be obtained through affirmative action. Pre-ticked boxes do not count. The user must actively opt in. This applies especially to non-essential cookies (analytics, advertising, functional).
3. Consent must be granular. Users should be able to accept or reject different categories of cookies independently. An all-or-nothing approach does not meet the standard.
4. Consent must be withdrawable. Users must have a clear way to withdraw consent after giving it. This means your cookie preferences should be accessible at any time — not just on first visit.
5. Consent must be logged and auditable. You must store a record of what the user consented to, when, and how. This is your proof in case of disputes or regulatory scrutiny.
6. Notices must be available in English and scheduled Indian languages. Rule 3 requires consent notices to be provided in English and other Indian languages as notified. Your cookie banner should support this.
What should you do to remain compliant?
If your website or app uses cookies — and almost all do — here's what you should act on:
- Audit your cookies. Identify what cookies your site uses, what data they collect, and what purpose they serve. Classify them by type.
- Implement a compliant banner. Build or deploy a cookie consent mechanism that supports granular opt-in, clear explanations, and language options.
- Log consent. Store records of user consent — what was accepted, what was rejected, when, and through what action.
- Enable withdrawal. Make it easy for users to change their preferences at any point, not just on first visit.
- Review periodically. Cookie usage changes as you add new tools, analytics, or integrations. Your consent mechanism should keep pace.
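One way to back the opt-in, granularity, withdrawal and logging requirements above with code, as an added example that is not taken from the Act, the Draft Rules or any vendor's product. The `ConsentLedger` class, the 180-day expiry window and the hash-chained log format are assumptions made for illustration; the three categories are the non-essential ones named in this article.

```javascript
// Added example: server-side consent ledger (all names here are hypothetical).
const crypto = require("node:crypto");

const CATEGORIES = ["functional", "analytics", "advertising"]; // non-essential categories
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000; // assumed auto-expiry window
const GENESIS = "0".repeat(64);
const sha256 = (obj) =>
  crypto.createHash("sha256").update(JSON.stringify(obj)).digest("hex");

class ConsentLedger {
  constructor() { this.entries = []; }

  // Append one consent event; `choices` must reflect an explicit user action.
  record(userId, choices, action, noticeLang, now = Date.now()) {
    const granted = {};
    // Default-deny: only a strict boolean true counts as opt-in,
    // so missing keys and pre-filled truthy values are stored as rejected.
    for (const c of CATEGORIES) granted[c] = choices[c] === true;
    const prevHash = this.entries.length ? this.entries.at(-1).hash : GENESIS;
    const body = { userId, granted, action, noticeLang, at: now, prevHash };
    const hash = sha256(body);
    this.entries.push(Object.freeze({ ...body, hash }));
    return hash;
  }

  // Effective state is the user's latest entry, unless absent or expired.
  current(userId, now = Date.now()) {
    const last = this.entries.filter((e) => e.userId === userId).at(-1);
    if (!last || now - last.at > CONSENT_TTL_MS) {
      return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
    }
    return last.granted;
  }

  // Recompute the chain; an edited, reordered or removed entry fails the check.
  verify() {
    let prev = GENESIS;
    for (const e of this.entries) {
      const { hash, ...body } = e;
      if (e.prevHash !== prev || hash !== sha256(body)) return false;
      prev = hash;
    }
    return true;
  }
}
```

Withdrawal is recorded as a new entry with every category set to false rather than by editing an earlier one, so the log keeps the full history of what was accepted, rejected and when.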

If you’re looking to implement DPDP-compliant cookie banners - Consentin can help
Consentin Cookies is a lightweight cookie consent product built for DPDP compliance.
You configure it via a dashboard, add a single line to your website footer, and you're live — typically in minutes, not weeks.
It supports granular consent categories, multilingual notices, withdrawal, and auditable logging out of the box.
This post is for informational purposes and does not constitute legal advice. For specific compliance decisions, consult qualified legal counsel.


