Cookie Consent Laws in India 2026: DPDPA Requirements Explained
Do Indian websites need cookie consent? Yes — under DPDPA 2023 and DPDP Rules 2025. This guide explains exactly what cookie consent you need, which cookies require consent, what the consent notice must say, and the penalties for non-compliance.
Do Indian Websites Need Cookie Consent?
Yes. Under India's Digital Personal Data Protection Act, 2023 (DPDPA) and the DPDP Rules 2025 (notified November 13, 2025), Indian websites and apps that use cookies or trackers to collect personal data must obtain valid consent from users before doing so.
Full enforcement begins on May 13, 2027. Businesses that are not compliant by then face penalties of up to ₹250 Crores.
What is Cookie Consent Under DPDPA?
Under DPDPA, consent must be:
- Free: Not bundled with terms of service or forced as a condition of access
- Specific: Separate for each purpose (analytics, marketing, personalisation, etc.)
- Informed: User must understand what data is collected and why
- Unconditional: No coercion or deceptive design
- Unambiguous: A clear affirmative action — pre-ticked boxes do not count
This standard is tougher than many older Indian practices (implicit consent, buried notices) and aligns closely with the EU's GDPR standard.
Which Cookies Require Consent in India?
| Cookie Category | Consent Required? | Examples |
|---|---|---|
| Strictly Necessary | No — but must be disclosed | Login sessions, shopping cart, CSRF tokens |
| Functional / Preference | Yes | Language preference, saved settings |
| Analytics / Performance | Yes | Google Analytics, Mixpanel, Hotjar |
| Marketing / Advertising | Yes | Google Ads, Meta Pixel, LinkedIn Insight Tag |
| Third-Party Trackers | Yes | Social media embeds, chatbots, retargeting pixels |
Note: "Strictly Necessary" cookies do not require consent but must be documented and disclosed in your Privacy Notice.
What Must a Cookie Consent Notice Include?
Under DPDPA Section 5 (Notice) and Section 6 (Consent), your cookie consent banner must include:
- Identity of the Data Fiduciary: Your company name and contact
- Purpose of processing: Clearly stated for each cookie category
- Data collected: What personal data each cookie type collects
- Right to withdraw: How and when the user can withdraw consent
- Data retention: How long data is stored
- Third-party sharing: Which third parties receive the data
- Language: In a language the user understands (supports Indian languages)
The DPDPA Cookie Consent Timeline
- August 11, 2023: DPDPA enacted by Parliament
- January 3, 2025: Draft DPDP Rules released for public consultation
- November 13, 2025: DPDP Rules 2025 officially notified — law is now operational
- November 13, 2026: Consent Manager registration opens
- May 13, 2027: Full enforcement — consent and privacy notice requirements become legally binding
Action now: Businesses that begin implementation today benefit from 14+ months of compliant operation before enforcement — and avoid the compliance rush of early 2027.
Penalties for Non-Compliance
| Violation | Maximum Penalty |
|---|---|
| Failure to implement adequate security measures | ₹250 Crores |
| Failure to notify data breach | ₹200 Crores |
| Non-compliance with children's data provisions | ₹200 Crores |
| Non-compliance with Data Fiduciary obligations | ₹150 Crores |
| General violations | ₹50 Crores |
Cookie Consent vs DPDPA Consent: Are They the Same?
Cookie consent is a subset of DPDPA consent. DPDPA governs the processing of all personal data — cookies are one mechanism for data collection. Full DPDPA compliance requires:
- Cookie Consent: Managing cookies and trackers on your website
- DPDPA Purpose Consent: Consent for all data processing activities (forms, transactions, CRM, etc.)
- Privacy Notice: A comprehensive notice per Section 5 of DPDPA
- Data Principal Rights: Systems to handle access, correction, and erasure requests
Frequently Asked Questions
Is cookie consent mandatory in India?
Yes. Under DPDPA 2023 and DPDP Rules 2025, any website using cookies that collect personal data must obtain valid, specific, informed consent from users before setting non-essential cookies. Full enforcement is from May 13, 2027, but businesses are advised to comply now.
Does DPDPA apply to my website if I am outside India?
Yes. DPDPA has extra-territorial scope — it applies to any organisation that processes personal data of individuals located in India, regardless of where the organisation is based.
Are there exemptions from cookie consent under DPDPA?
Strictly necessary cookies (essential for the website to function) are exempt from consent requirements but must still be disclosed. Personal data processed for national security, law enforcement, and certain government functions is also exempt.
How do I implement cookie consent on my Indian website?
You need a Cookie Consent Management Platform (CMP) that: (1) scans your site to detect all cookies and trackers, (2) categorises them by purpose, (3) presents a compliant consent banner in the user's language, (4) records consent with a timestamped audit trail, and (5) blocks non-essential cookies until consent is given.
Implement Cookie Consent with Consently
Consently.in is India's only DPDPA-native cookie consent platform. Our cookie module:
- Auto-scans your website to detect all cookies and trackers
- Classifies cookies by category (necessary, functional, analytics, marketing)
- Displays a multilingual consent banner in 22 Indian languages
- Blocks non-essential cookies until consent is received
- Records consent with a Zero-PII Consent ID (no PII stored)
- Provides downloadable audit trails for regulatory inspection
Free tier available — up to 5,000 consents/month at ₹0.
Start for free → | Learn more about our Cookie Consent module →