Cookie Consent for Indian Websites: DPDP Act Complete Requirements Guide
By Arpit Garg | DPDP | 2025-11-18
A complete guide to implementing DPDP-compliant cookie consent on Indian websites, covering cookie categories, consent banners, preference centres, cookie policies, and audit trail requirements.
Cookie Consent Under the DPDP Act: What Indian Websites Must Do

Cookies and similar tracking technologies are ubiquitous on modern websites. From analytics to advertising, session management to personalisation, cookies power essential website functions. Under the Digital Personal Data Protection (DPDP) Act, cookies that collect or process personal data — which includes most analytics and marketing cookies — require explicit, informed consent from the user before being set.

This is a fundamental shift from the previous approach where Indian websites could set cookies without any user notification or consent. This guide covers everything you need to know about implementing DPDP-compliant cookie consent on your Indian website.

Do All Cookies Require Consent Under DPDP?

Not all cookies are treated equally under the DPDP Act. The determining factor is whether the cookie processes personal data or can be used to identify a data principal (individual user).

Categories of Cookies

| Category | Description | Examples | Consent Required? |
|---|---|---|---|
| Strictly Necessary | Essential for basic website functionality. The website cannot function without them. | Session cookies, authentication tokens, shopping cart cookies, CSRF tokens | No (legitimate interest / necessary for service) |
| Functional | Remember user preferences and enhance experience but are not strictly required. | Language preferences, theme settings, accessibility options | Yes |
| Analytics | Collect anonymised or pseudonymised data about website usage for performance improvement. | Google Analytics, Hotjar, Mixpanel, Plausible | Yes |
| Marketing / Advertising | Track users across websites for targeted advertising and campaign measurement. | Google Ads, Facebook Pixel, LinkedIn Insight Tag, retargeting pixels | Yes |
| Social Media | Enable social sharing features and track engagement across social platforms. | Facebook Like buttons, Twitter share widgets, embedded social feeds | Yes |

The key principle: if a cookie processes personal data or contributes to user profiling, it requires explicit consent before being set.

Implementing a DPDP-Compliant Cookie Consent Banner

Essential Banner Elements

A compliant cookie consent banner must include:

- Clear, plain-language explanation of what cookies are used and why
- Purpose-specific consent options — Users must be able to accept or reject each category individually
- Accept All / Reject All buttons — Both options must be equally prominent and accessible
- Customise option — Link to a detailed preference centre for granular control
- Link to cookie policy — Full details of all cookies used, their purposes, and retention periods
- Language selection — Consent notices should be available in languages understood by your users

What NOT to Do

- No pre-checked boxes — All non-essential cookie categories must default to "off"
- No cookie walls — You cannot block access to the website unless the user accepts all cookies
- No dark patterns — The "Accept" and "Reject" options must be visually equal. Do not make "Reject" smaller, less colourful, or harder to find
- No implied consent — Continuing to browse the website does not constitute cookie consent under DPDP
- No firing cookies before consent — Non-essential cookies must not be set until the user actively gives consent

Building a Cookie Preference Centre

A preference centre is a dedicated page or modal where users can review and modify their cookie consent choices at any time. Under the DPDP Act, consent withdrawal must be as easy as giving consent (Section 6), making a well-designed preference centre essential.
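The banner and withdrawal rules above (every optional category off by default, nothing loaded before an explicit choice, withdrawal handled by the same call as consent) can be enforced in one place. The following is an added example, not code from the original article; the class name ConsentGate, the registry URLs and the cookie names are hypothetical.

```javascript
// Optional categories from the table above; strictly necessary cookies are not gated.
const OPTIONAL = ["functional", "analytics", "marketing", "social"];
// Constructed sample registry: scripts and cookie names per category (hypothetical values).
const REGISTRY = {
  analytics: { scripts: ["https://analytics.example/a.js"], cookies: ["_an_id"] },
  marketing: { scripts: ["https://ads.example/px.js"], cookies: ["_ad_id", "_ad_seg"] },
};

// Browser side effects; pass a stub with the same three functions when testing.
const browserEnv = () => ({
  now: () => new Date().toISOString(),
  loadScript: (url) => {
    const s = document.createElement("script");
    s.src = url;
    document.head.appendChild(s);
  },
  deleteCookie: (name) => { document.cookie = `${name}=; Max-Age=0; path=/`; },
});

class ConsentGate {
  constructor(env, registry = REGISTRY) {
    this.env = env;
    this.registry = registry;
    this.state = Object.fromEntries(OPTIONAL.map((c) => [c, false])); // default off
    this.loaded = new Set();
    this.audit = []; // one entry per explicit choice
  }

  // Call only from an explicit click (Accept All, Reject All, a toggle), never on scroll or page view.
  setChoices(choices, source) {
    for (const cat of OPTIONAL) {
      if (!(cat in choices)) continue; // untouched categories keep their state
      const granted = choices[cat] === true; // anything but literal true is a refusal
      const entry = this.registry[cat] ?? { scripts: [], cookies: [] };
      if (granted) {
        for (const url of entry.scripts) {
          if (!this.loaded.has(url)) { this.loaded.add(url); this.env.loadScript(url); }
        }
      } else {
        // Withdrawal: stop injecting the scripts and remove the cookies they set.
        entry.scripts.forEach((url) => this.loaded.delete(url));
        entry.cookies.forEach((name) => this.env.deleteCookie(name));
      }
      this.state[cat] = granted;
    }
    this.audit.push({ at: this.env.now(), source, state: { ...this.state } });
    return { ...this.state };
  }
}
```

In a page, construct it with `new ConsentGate(browserEnv())` and wire the banner and preference-centre controls to `setChoices`. Scripts that are already running stay in memory until the next page load, so reload the page after a withdrawal.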
Preference Centre Requirements

- Always accessible — Provide a persistent link (e.g., in the footer or via a floating widget) so users can access it at any time
- Category-level controls — Toggle switches for each cookie category (Functional, Analytics, Marketing, Social)
- Cookie-level transparency — List individual cookies within each category with their name, purpose, domain, expiry, and type
- Save and apply immediately — When users change preferences, non-essential cookies that have been rejected must be deleted and their associated scripts blocked
- Multilingual support — Preference centre content should be available in the same languages as your consent banner

Cookie Policy Requirements

Every Indian website using cookies should maintain a comprehensive cookie policy that includes:

- What cookies are — Plain-language explanation of cookies and similar technologies
- Types of cookies used — Categorised list with descriptions
- Specific cookies — Table listing each cookie with its name, purpose, provider, expiry, and type (first-party/third-party)
- How to manage cookies — Instructions for managing cookies through browser settings and the preference centre
- Third-party cookies — Details of third-party services setting cookies and links to their privacy policies
- Updates to the policy — How and when the policy is updated, and how users will be informed
- Contact information — How to reach your DPO or privacy team for cookie-related queries

Cookie Scanning and D