How to Automate Cookie Scanning for DPDPA Compliance: 2026 Guide
Manual cookie audits take days and miss 30–40% of trackers. This guide shows how to automate cookie scanning for DPDPA 2023 compliance — what to scan, how to classify cookies, and how to build an auto-updating cookie policy without touching code.
What is Cookie Scanning and Why Does It Matter for DPDPA?
Cookie scanning is the automated process of crawling a website to discover, identify, and categorise all cookies, tracking pixels, local storage entries, and third-party scripts that collect user data. Under India's DPDPA 2023, consent must be free, specific, informed, unconditional and unambiguous, and signalled by a clear affirmative action, before any non-essential cookie or tracker is set. You cannot obtain consent of that quality unless you know exactly what your site sets, on which pages, and on whose behalf.
Without automated cookie scanning, you risk:
- Consent banners that don't list all your actual cookies
- Non-compliant cookie policies
- Setting trackers before consent is given (a direct DPDPA violation)
- Penalties from the Data Protection Board if a complaint or audit finds a breach; the Act's schedule tops out at ₹250 crore per instance (that ceiling applies to failures of reasonable security safeguards, and other breaches carry lower ceilings)
The Four Cookie Categories Under DPDPA 2023
Before you can automate consent, you must understand how cookies are classified. DPDPA 2023 does not use the word "cookie" but the consent requirements apply to all technologies that collect personal data, including cookies. Industry standard (aligned with DPDPA and global practice) classifies cookies into four categories:
| Category | Examples | Consent Required? | DPDPA Treatment |
|---|---|---|---|
| Essential / Strictly Necessary | Session cookies, login state, CSRF tokens, cart state | No — required for service delivery | Exempt from consent under DPDPA (necessary for the contracted service) |
| Functional | Language preferences, UI settings, remember-me features | Yes — enhances experience but not essential | Requires consent under DPDPA purpose-based consent |
| Analytics | Google Analytics, Hotjar, Mixpanel, Plausible | Yes — data processing for analytics | Requires explicit consent — analytics is a processing purpose under DPDPA |
| Marketing / Advertising | Meta Pixel, Google Ads, LinkedIn Insight Tag | Yes — highest sensitivity | Requires explicit, granular consent — cannot be bundled with other purposes |
How Automated Cookie Scanning Works: Step by Step
Step 1: Crawl Your Website
An automated scanner visits your website's URLs, starting from the homepage and following internal links to other pages. Each page is loaded in a headless browser with a fresh profile that records every cookie, localStorage key, and network request made during the page load. The first pass must be made without interacting with the consent banner: that captures the pre-consent baseline, and any non-essential cookie found in it is already a finding. A second pass after accepting each category shows what each consent choice actually unlocks.
Step 2: Identify Each Tracker
The scanner matches discovered cookies against a database of known cookies. For example:
- `_ga` → Google Analytics → Analytics category
- `_fbp` → Meta (Facebook) Pixel → Marketing category
- `_hjid` → Hotjar → Analytics category
- `JSESSIONID` → Session management → Essential category
For unknown cookies (custom first-party cookies), the scanner uses pattern matching and ML classification to categorise them.
Step 3: Classify by Category
Each discovered cookie is assigned to one of the four categories above. This classification drives the consent banner — only non-essential cookies are blocked until the user gives consent for their category.
Step 4: Generate the Cookie Policy
The scanner auto-generates a cookie policy listing every cookie, its category, its purpose, who sets it, and how long it persists. This policy is linked to your consent banner and must be kept current.
Step 5: Block Cookies Until Consent is Given
This is the critical technical step. After classification, your consent management platform (CMP) must intercept the loading of analytics and marketing scripts and only allow them to fire after the user has explicitly consented to that category.
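The classification and policy-generation steps above, as an added example that is not part of the original article and not Consently's scanner code. It takes the cookies a headless-browser scan recorded on a baseline (no-consent) load, matches them against a small known-cookie database, falls back to name heuristics for custom first-party cookies, builds the cookie-policy rows, and flags every non-essential cookie that was present before consent. The known-cookie table is abbreviated, and the scan result is constructed by hand in the shape Playwright's `context.cookies()` returns (`expires` in epoch seconds, `-1` for a session cookie); a real run would gather one such result per crawled page.

```javascript
// Added example, not the article's or Consently's code. Known-cookie database
// (assumed and abbreviated): name pattern -> vendor, category, purpose.
const KNOWN_COOKIES = [
  { match: /^_ga$/,                 vendor: 'Google Analytics',      category: 'analytics', purpose: 'Distinguishes users' },
  { match: /^_ga_[A-Z0-9]+$/,       vendor: 'Google Analytics 4',    category: 'analytics', purpose: 'Session state per GA4 property' },
  { match: /^_gid$/,                vendor: 'Google Analytics (UA)', category: 'analytics', purpose: 'Distinguishes users for 24h' },
  { match: /^_fbp$/,                vendor: 'Meta Pixel',            category: 'marketing', purpose: 'Ad delivery and measurement' },
  { match: /^_hj(id|Session)/,      vendor: 'Hotjar',                category: 'analytics', purpose: 'Session recording and heatmaps' },
  { match: /^IDE$/,                 vendor: 'Google Ads (DoubleClick)', category: 'marketing', purpose: 'Ad targeting and measurement' },
  { match: /^(JSESSIONID|PHPSESSID|connect\.sid)$/, vendor: 'First party', category: 'essential', purpose: 'Server-side session' },
  { match: /csrf|xsrf/i,            vendor: 'First party',           category: 'essential', purpose: 'CSRF protection' },
];

// Fallback heuristics for custom cookies not in the database. Anything that
// cannot be placed stays 'unclassified' and is treated as non-essential (so it
// is blocked pre-consent) until a human reviews it.
function guessCategory(name) {
  if (/lang|locale|theme|pref/i.test(name)) return 'functional';
  if (/cart|session|auth|login/i.test(name)) return 'essential';
  return 'unclassified';
}

// A cookie is first-party when its domain is the scanned host or a parent of it.
function isFirstParty(cookieDomain, siteHost) {
  const host = cookieDomain.replace(/^\./, '').toLowerCase();
  return siteHost === host || siteHost.endsWith('.' + host);
}

function describeExpiry(expires, scannedAt) {
  if (expires === -1) return 'Session';
  const days = Math.round((expires - scannedAt) / 86400);
  return days >= 1 ? `${days} days` : 'Less than a day';
}

function classifyCookie(cookie, siteHost, scannedAt) {
  const known = KNOWN_COOKIES.find(k => k.match.test(cookie.name));
  return {
    name: cookie.name,
    domain: cookie.domain,
    firstParty: isFirstParty(cookie.domain, siteHost),
    vendor: known ? known.vendor : 'Unknown (custom first party)',
    category: known ? known.category : guessCategory(cookie.name),
    purpose: known ? known.purpose : 'Needs review',
    expiry: describeExpiry(cookie.expires, scannedAt),
    reviewed: Boolean(known),
  };
}

// scan.consentGiven is false for the baseline load (no banner interaction).
// Every non-essential cookie present on that load was set without consent,
// which is exactly what the CMP must prevent.
function analyseScan(scan) {
  const rows = scan.cookies.map(c => classifyCookie(c, scan.siteHost, scan.scannedAt));
  const preConsentViolations = scan.consentGiven
    ? []
    : rows.filter(r => r.category !== 'essential').map(r => r.name);
  const needsReview = rows.filter(r => !r.reviewed).map(r => r.name);
  return { rows, preConsentViolations, needsReview };
}

// Cookie policy as a markdown table, one row per discovered cookie.
function cookiePolicyMarkdown(rows) {
  const header = '| Cookie | Set by | Category | Purpose | Expires | Party |\n|---|---|---|---|---|---|';
  const lines = rows.map(r =>
    `| ${r.name} | ${r.vendor} | ${r.category} | ${r.purpose} | ${r.expiry} | ${r.firstParty ? 'First' : 'Third'} |`);
  return [header, ...lines].join('\n');
}

// Constructed scan of a baseline (no-consent) load of www.example.com.
const SAMPLE_SCAN = {
  siteHost: 'www.example.com',
  scannedAt: 1700000000,
  consentGiven: false,
  cookies: [
    { name: 'JSESSIONID',   domain: 'www.example.com', expires: -1 },
    { name: 'XSRF-TOKEN',   domain: 'www.example.com', expires: -1 },
    { name: 'ui_theme',     domain: '.example.com',    expires: 1700000000 + 30 * 86400 },
    { name: '_ga',          domain: '.example.com',    expires: 1700000000 + 730 * 86400 },
    { name: '_ga_AB12CD34', domain: '.example.com',    expires: 1700000000 + 730 * 86400 },
    { name: '_fbp',         domain: '.example.com',    expires: 1700000000 + 90 * 86400 },
    { name: 'IDE',          domain: '.doubleclick.net', expires: 1700000000 + 390 * 86400 },
    { name: 'promo_seen',   domain: 'www.example.com', expires: 1700000000 + 7 * 86400 },
  ],
};

const report = analyseScan(SAMPLE_SCAN);
console.log(cookiePolicyMarkdown(report.rows));
console.log('Set before consent:', report.preConsentViolations.join(', '));
console.log('Needs human review:', report.needsReview.join(', '));
```

Two design choices matter here. Unknown cookies default to non-essential rather than essential, so a cookie nobody has reviewed is blocked pre-consent instead of slipping through. And `firstParty` is decided by cookie domain, not by vendor: `_ga` and `_fbp` come out as first-party cookies set on behalf of Google and Meta, which is why the policy row carries both the party and the vendor.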
What to Look for in a Cookie Scanner for India
Not all cookie scanners are built for DPDPA compliance. Here is what an India-appropriate scanner must do:
| Feature | Why It Matters for DPDPA |
|---|---|
| Scans multiple pages (not just homepage) | Cookies are often loaded on specific pages (checkout, login, product pages) — a homepage-only scan misses them |
| Detects JavaScript-injected trackers | Modern trackers (Meta Pixel, Google Tag Manager) load scripts dynamically — static HTML scanning misses them |
| Auto-classifies into 4 DPDPA-aligned categories | Manual classification is error-prone and becomes outdated when vendors update their cookies |
| Scheduled rescanning | Cookies change when you add new marketing tools or update your site — you need ongoing monitoring |
| Auto-updates your cookie policy | A static cookie policy becomes non-compliant the moment you add a new tracker without updating the policy |
| Indian data residency | Cookie scan results and consent records contain session and device identifiers. DPDPA 2023 does not impose a blanket localisation rule: cross-border transfer is permitted except to countries the Central Government restricts by notification, though sector regulators may be stricter. Hosting scan data and consent records in India avoids having to track that list and simplifies responding to the Board |
| Integration with consent banner | Scanning without enforcing pre-consent blocking does not achieve compliance — the scanner and banner must work together |
DPDPA Cookie Compliance: The Technical Implementation
Automating cookie scanning is only the first step. Full DPDPA cookie compliance requires:
1. Pre-Consent Cookie Blocking
From the first page load, your CMP must hold back every non-essential script; no analytics or marketing cookie may be written until the user explicitly grants that category. Verify this with a clean-profile load that never touches the banner: the only cookies present afterwards should be essential ones and the CMP's own consent-state cookie.
2. Consent-Based Script Loading
After consent is given, your CMP fires only the scripts the user consented to. If a user consents to analytics but not marketing, only the analytics scripts load. This is called conditional tag firing.
3. Consent Record Storage
Every consent decision must be stored with a timestamp, the user's specific choices per category, their IP address region (not the full IP — data minimisation), the widget version, and the browser/device. This is your DPDPA audit trail.
4. Consent Withdrawal
Users must be able to change their cookie preferences at any time. Your consent management platform must provide a persistent re-open mechanism (e.g., a floating "Privacy" button) so users can revisit their choices.
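The four requirements above (pre-consent blocking, conditional firing, the consent record and withdrawal), as one added example that is not part of the original article and not Consently's code. Non-essential tags are embedded inert, as `<script type="text/plain" data-consent="analytics">`, and promoted to real scripts only when their category has been granted; each decision produces an audit record holding the IP region rather than the full address; a later decision supersedes the earlier one, and the cookies of any withdrawn category are expired. The record shape, the category list, `WIDGET_VERSION`, and the sample tags and policy rows are assumptions for the demo.

```javascript
// Added example, not the article's or Consently's code.
const CATEGORIES = ['functional', 'analytics', 'marketing']; // essential needs no consent
const WIDGET_VERSION = '1.4.0'; // assumed; stored so a record can be tied to the banner text shown

// One audit-trail record per decision. Only the IP region is kept (data
// minimisation); the caller derives it server-side and never passes the full IP.
function buildConsentRecord(choices, meta) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = choices[c] === true;
  return {
    timestamp: meta.now,        // ISO-8601 string supplied by the caller
    granted,                    // explicit true/false for every category
    ipRegion: meta.ipRegion,    // e.g. 'IN-KA'
    widgetVersion: WIDGET_VERSION,
    userAgent: meta.userAgent,
    source: meta.source,        // 'banner' for the first decision, 'preferences' for later changes
  };
}

// Which tags may run under a record: essential always, others only when granted.
// A tag with an unknown category is blocked (fail closed).
function tagsToActivate(tags, record) {
  return tags.filter(t => t.category === 'essential' || record.granted[t.category] === true);
}

// Withdrawal: the newer record supersedes the older one. Returns the categories
// that were on and are now off, so their cookies can be expired.
function withdrawnCategories(previous, next) {
  return CATEGORIES.filter(c => previous.granted[c] && !next.granted[c]);
}

// document.cookie strings that expire every cookie of the withdrawn categories.
// policyRows come from the cookie scan: { name, domain, category }.
function expireCookieStrings(policyRows, categories) {
  return policyRows
    .filter(r => categories.includes(r.category))
    .map(r => `${r.name}=; Max-Age=0; Path=/; Domain=${r.domain}`);
}

// Browser side: promote inert scripts. Replacing the element with a fresh
// <script> is what makes the browser execute it. Guarded so the file also
// runs under Node for the demo below.
function activateInertScripts(record) {
  if (typeof document === 'undefined') return 0;
  const inert = [...document.querySelectorAll('script[type="text/plain"][data-consent]')]
    .map(el => ({ category: el.dataset.consent, el }));
  const allowed = tagsToActivate(inert, record);
  for (const { el } of allowed) {
    const live = document.createElement('script');
    if (el.getAttribute('src')) live.src = el.getAttribute('src');
    else live.textContent = el.textContent;
    el.replaceWith(live);
  }
  return allowed.length;
}

// Constructed demo data: tags on the page and the scan-derived policy rows.
const PAGE_TAGS = [
  { id: 'session-keepalive', category: 'essential' },
  { id: 'ga4',               category: 'analytics' },
  { id: 'meta-pixel',        category: 'marketing' },
  { id: 'theme-memory',      category: 'functional' },
];
const POLICY_ROWS = [
  { name: '_ga',          domain: '.example.com', category: 'analytics' },
  { name: '_ga_AB12CD34', domain: '.example.com', category: 'analytics' },
  { name: '_fbp',         domain: '.example.com', category: 'marketing' },
];
const META = { ipRegion: 'IN-KA', userAgent: 'Mozilla/5.0 (demo)' };

// The visitor accepts analytics only, then later withdraws it from the preferences panel.
const first  = buildConsentRecord({ analytics: true }, { ...META, now: '2026-01-10T09:00:00Z', source: 'banner' });
const second = buildConsentRecord({}, { ...META, now: '2026-02-01T12:30:00Z', source: 'preferences' });

function demo() {
  const withdrawn = withdrawnCategories(first, second);
  return {
    firedOnConsent: tagsToActivate(PAGE_TAGS, first).map(t => t.id),
    withdrawn,
    expire: expireCookieStrings(POLICY_ROWS, withdrawn),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

Withdrawal cannot unload a script that is already running in the page; the gate only guarantees that the withdrawn category's tags do not fire on the next load, and expiring its cookies stops the identifiers persisting. Setting `Max-Age=0` only works when `Path` and `Domain` match the original cookie, which is why the policy rows from the scan carry the domain.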
How Consently Automates Cookie Scanning for DPDPA
Consently is India's DPDPA-native consent management platform that includes automated cookie scanning as part of the integrated compliance suite:
- Free Plan: Quick Scan — homepage cookie detection, instant classification, auto-generated cookie policy
- Premium Plan (₹999/month): Standard Scan — top 10 URLs, deeper detection including dynamically loaded scripts
- Enterprise Plan (₹2,499/month): Deep Crawl — 50+ pages, scheduled rescans, API access for custom integrations
Consently's scanner integrates directly with the consent banner — cookies discovered by the scan are automatically blocked pre-consent and only loaded based on the user's consent category choices. No developer required beyond the initial 5-minute setup.
Frequently Asked Questions: Cookie Scanning and DPDPA
Q: Do I need to scan cookies if I only use Google Analytics?
Yes. Google Analytics 4 sets `_ga` plus a per-property `_ga_<container-id>` cookie (the older Universal Analytics also set `_gid` and `_gat`), and GA processes IP addresses even though GA4 does not store them. Under DPDPA 2023, analytics is a processing purpose requiring consent. You must list the GA cookies in your cookie policy and keep the GA script from loading until the analytics category is granted.
Q: How often should I rescan my website for cookies?
Rescan whenever you add a new marketing tool, deploy website code changes, or a third-party vendor updates its tracking script. At minimum, run a quarterly rescan. If you use a CMS like WordPress with plugins, scan monthly: plugin updates routinely add new trackers without your knowledge.
Q: What is the difference between a first-party cookie and a third-party cookie?
A first-party cookie is set for your own domain (e.g., your session cookie). A third-party cookie is set for another domain by a resource loaded on your site (e.g., DoubleClick's `IDE` cookie on doubleclick.net). Note that Google Analytics' `_ga` and Meta's `_fbp` are written to your own domain by the vendor's script, so in browser terms they are first-party cookies, yet the data still flows to the vendor. Both kinds require disclosure under DPDPA 2023; the consent question turns on the vendor and purpose, not on which domain the cookie sits on.
Q: Can I use Google Tag Manager with a DPDPA-compliant setup?
Yes, but it requires proper configuration. Your CMP must integrate with GTM so that tags do not fire until consent is received, either through GTM's built-in tag-level consent settings (Consent Mode) or through firing triggers that wait for the CMP's consent event; merely loading the CMP script before the GTM container blocks nothing. Consently supports GTM integration: marketing and analytics tags fire only on Consently's consent signal. This is the recommended approach for most Indian businesses using GTM.
Q: What happens if I set cookies before getting consent?
Under DPDPA 2023, setting non-essential cookies before obtaining valid consent is a violation. The Data Protection Board can investigate complaints and impose penalties. Separately, major browsers increasingly block third-party cookies by default regardless of consent, so cross-site tracking data is already degrading; a setup built on consented first-party measurement is the more durable path.