Cookie Consent Under the DPDP Act: What Indian Websites Must Do
Cookies and similar tracking technologies are ubiquitous on modern websites. From analytics to advertising, session management to personalisation, cookies power essential website functions. Under the Digital Personal Data Protection (DPDP) Act, cookies that collect or process personal data — which includes most analytics and marketing cookies — require explicit, informed consent from the user before being set.
This is a fundamental shift from the previous approach where Indian websites could set cookies without any user notification or consent. This guide covers everything you need to know about implementing DPDP-compliant cookie consent on your Indian website.
Do All Cookies Require Consent Under DPDP?
Not all cookies are treated equally under the DPDP Act. The determining factor is whether the cookie processes personal data or can be used to identify a data principal (individual user).
Categories of Cookies
| Category | Description | Examples | Consent Required? |
|---|---|---|---|
| Strictly Necessary | Essential for basic website functionality. The website cannot function without them. | Session cookies, authentication tokens, shopping cart cookies, CSRF tokens | No (legitimate interest / necessary for service) |
| Functional | Remember user preferences and enhance experience but are not strictly required. | Language preferences, theme settings, accessibility options | Yes |
| Analytics | Collect anonymised or pseudonymised data about website usage for performance improvement. | Google Analytics, Hotjar, Mixpanel, Plausible | Yes |
| Marketing / Advertising | Track users across websites for targeted advertising and campaign measurement. | Google Ads, Facebook Pixel, LinkedIn Insight Tag, retargeting pixels | Yes |
| Social Media | Enable social sharing features and track engagement across social platforms. | Facebook Like buttons, Twitter share widgets, embedded social feeds | Yes |
The key principle: if a cookie processes personal data or contributes to user profiling, it requires explicit consent before being set.
Implementing a DPDP-Compliant Cookie Consent Banner
Essential Banner Elements
A compliant cookie consent banner must include:
- Clear, plain-language explanation of what cookies are used and why
- Purpose-specific consent options — Users must be able to accept or reject each category individually
- Accept All / Reject All buttons — Both options must be equally prominent and accessible
- Customise option — Link to a detailed preference centre for granular control
- Link to cookie policy — Full details of all cookies used, their purposes, and retention periods
- Language selection — Consent notices should be available in languages understood by your users
What NOT to Do
- No pre-checked boxes — All non-essential cookie categories must default to "off"
- No cookie walls — You cannot make access to the website conditional on the user accepting all cookies; a user who rejects non-essential cookies must still be able to use the site
- No dark patterns — The "Accept" and "Reject" options must be visually equal. Do not make "Reject" smaller, less colourful, or harder to find
- No implied consent — Continuing to browse the website does not constitute cookie consent under DPDP
- No firing cookies before consent — Non-essential cookies must not be set until the user actively gives consent
Building a Cookie Preference Centre
A preference centre is a dedicated page or modal where users can review and modify their cookie consent choices at any time. Under the DPDP Act, consent withdrawal must be as easy as giving consent (Section 6), making a well-designed preference centre essential.
Preference Centre Requirements
- Always accessible — Provide a persistent link (e.g., in the footer or via a floating widget) so users can access it at any time
- Category-level controls — Toggle switches for each cookie category (Functional, Analytics, Marketing, Social)
- Cookie-level transparency — List individual cookies within each category with their name, purpose, domain, expiry, and type
- Save and apply immediately — When users change preferences, non-essential cookies that have been rejected must be deleted and their associated scripts blocked
- Multilingual support — Preference centre content should be available in the same languages as your consent banner
Cookie Policy Requirements
Every Indian website using cookies should maintain a comprehensive cookie policy that includes:
- What cookies are — Plain-language explanation of cookies and similar technologies
- Types of cookies used — Categorised list with descriptions
- Specific cookies — Table listing each cookie with its name, purpose, provider, expiry, and type (first-party/third-party)
- How to manage cookies — Instructions for managing cookies through browser settings and the preference centre
- Third-party cookies — Details of third-party services setting cookies and links to their privacy policies
- Updates to the policy — How and when the policy is updated, and how users will be informed
- Contact information — How to reach your DPO or privacy team for cookie-related queries
Cookie Scanning and Discovery
Before you can manage cookie consent properly, you need to know exactly which cookies your website sets. Many websites set cookies they are not even aware of — through third-party scripts, embedded content, analytics tools, and advertising pixels.
How Cookie Scanning Works
- Automated crawl — A scanner visits every page of your website and records all cookies set during the browsing session
- Script analysis — Identifies third-party scripts that set cookies and the domains they communicate with
- Categorisation — Classifies discovered cookies into categories (necessary, functional, analytics, marketing)
- Gap identification — Highlights cookies that are not covered by your current consent mechanism
The Complynz CMP includes an automated cookie scanner that crawls your website, discovers all cookies and trackers, categorises them by purpose, and integrates the results directly into your consent banner configuration. This ensures no cookie goes unnoticed or unconsented.
Technical Implementation: Tag Orchestration
Simply showing a consent banner is not enough — you must actually block non-essential cookies and scripts until consent is given. This is where tag orchestration comes in.
How Tag Orchestration Works
- Script blocking — Third-party scripts (analytics, marketing pixels) are prevented from loading until the user consents to the relevant category
- Conditional loading — Scripts are loaded dynamically based on user consent status
- Consent-aware tag manager — Integrates with Google Tag Manager or similar tools to respect consent signals
- Retroactive cleanup — When a user withdraws consent, associated cookies are deleted and scripts are unloaded
This is technically the most challenging aspect of cookie consent implementation. A good CMP handles this automatically, blocking and unblocking scripts based on consent status without requiring custom development.
Maintaining an Audit Trail
The DPDP Act requires that you can demonstrate compliance. For cookie consent, this means maintaining detailed records of:
- Consent timestamp — When consent was given or refused
- Consent version — Which version of the consent notice was shown
- Choices made — Which categories were accepted and which were refused
- User identifier — Anonymous identifier (not personal data) to link consent records
- Withdrawal records — When and how consent was withdrawn
- Banner configuration — What the banner looked like at the time of consent (for audit purposes)
Google Consent Mode v2 and DPDP
Google now requires websites using Google services (Analytics, Ads) to implement Consent Mode v2, which signals user consent status to Google's services. While Consent Mode was designed primarily for GDPR and EU regulations, it is increasingly relevant for DPDP compliance as well.
A DPDP-compliant CMP should support Google Consent Mode v2 integration, sending appropriate consent signals (ad_storage, analytics_storage, ad_user_data, ad_personalization) based on the user's choices in your DPDP consent banner.
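The script blocking and retroactive cleanup described under tag orchestration, together with the Consent Mode v2 signal mapping in the paragraph above, as an added example that is not Complynz's or Google's code. It assumes the mapping of banner categories to Consent Mode signals given in the comments, and the tag and cookie inventories are constructed sample data; `gtag("consent", "update", ...)` is Google's documented call for updating consent state.

```javascript
// Added example, not Complynz's or Google's code: a CMP's decision logic for tag
// orchestration and Consent Mode v2 as pure functions, testable outside a browser.
const NON_ESSENTIAL = ["functional", "analytics", "marketing", "social"];

// Constructed sample tag inventory, as a cookie scanner might report it for one page.
const SAMPLE_TAGS = [{ id: "csrf-helper", category: "necessary" },
  { id: "ga-snippet", category: "analytics" }, { id: "ads-pixel", category: "marketing" }];

// State before any interaction: every non-essential category defaults to "off".
function defaultChoices() {
  return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
}

// Banner choices -> Consent Mode v2 signals. Assumption: the marketing category
// governs the three ad_* signals and the analytics category governs analytics_storage.
function toConsentModeSignals(choices) {
  const g = (ok) => (ok === true ? "granted" : "denied");
  return {
    ad_storage: g(choices.marketing),
    ad_user_data: g(choices.marketing),
    ad_personalization: g(choices.marketing),
    analytics_storage: g(choices.analytics),
  };
}

// Conditional loading: necessary tags always run; others only once their category is granted.
function tagsToActivate(tags, choices) {
  return tags.filter((t) => t.category === "necessary" || choices[t.category] === true);
}

// Retroactive cleanup: cookies whose category was granted before but is refused now.
function cookiesToDelete(cookies, before, after) {
  return cookies
    .filter((c) => c.category !== "necessary" && before[c.category] === true && after[c.category] !== true)
    .map((c) => c.name);
}

// Browser glue: blocked tags ship as <script type="text/plain" data-category="...">,
// which the browser never executes; on consent each is re-inserted as a real script.
function applyConsent(choices) {
  if (typeof document === "undefined") return; // no DOM, e.g. under test
  const tags = [...document.querySelectorAll('script[type="text/plain"][data-category]')]
    .map((el) => ({ el, category: el.dataset.category }));
  for (const t of tagsToActivate(tags, choices)) {
    const s = document.createElement("script");
    if (t.el.src) s.src = t.el.src; else s.textContent = t.el.textContent;
    t.el.replaceWith(s);
  }
  if (typeof gtag === "function") gtag("consent", "update", toConsentModeSignals(choices));
}
```

Call `applyConsent(defaultChoices())` on page load and again with the saved choices whenever the preference centre is changed; the pure functions are what a test suite should exercise to verify that nothing non-essential runs before consent.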
Getting Started with Cookie Consent Compliance
Implementing proper cookie consent is not just a legal requirement — it builds trust with your users. Here is a practical starting checklist:
- Scan your website — Identify all cookies and trackers currently set by your site
- Categorise cookies — Classify each cookie into the appropriate category
- Implement a CMP — Choose a DPDP-compliant consent management platform
- Configure consent banner — Set up a compliant banner with all required elements
- Set up tag orchestration — Ensure non-essential cookies are blocked until consent is given
- Create cookie policy — Draft and publish a comprehensive cookie policy
- Build preference centre — Implement a user-facing preference centre for ongoing consent management
- Test thoroughly — Verify that cookies are actually blocked when consent is not given
- Monitor continuously — Schedule regular cookie scans to catch new cookies from website updates
Start with a DPDP compliance scan to assess your current cookie consent posture, and explore the Complynz CMP for an affordable, DPDP-native consent management solution with automated cookie scanning and no-code banner builder.