Skip to main content

DPDP Act 2023 Cookie Consent

The cookie consent banner the DPDP Act requires

A cookie consent banner is where most Indian websites first meet the DPDP Act 2023. It governs the trackers that process personal data. The banner must obtain consent before a non-essential tracker fires, request it per purpose, allow withdrawal, and record the choice. This page covers what that requires, and where the obligation runs deeper than the banner.

Four conditions, each governed to statute

A DPDP-compliant cookie consent banner is judged on the obligations it discharges. ConsentOS maps each to the section of the DPDP Act 2023 that governs it.

Section 6(1)

Consent before the tracker fires

Non-essential cookies and trackers may set only after the visitor grants consent. No pre-ticked boxes, no implied consent from continued browsing, no loading before the choice is made.

Section 5, Section 6(1)

Granular, purpose-bound categories

Consent is requested per purpose: analytics, advertising, personalisation. A single accept-all that bundles unrelated purposes does not meet the specificity the DPDP Act requires.

Section 6(4) to 6(6)

Withdrawal as easy as the grant

A visitor must be able to withdraw cookie consent through an interface no harder to reach than the one that granted it. Reject must sit beside accept, not three menus deep.

Section 8(2)

A consent record you can produce

Every grant and withdrawal is logged against the notice version shown, the timestamp, and the categories chosen. The record is the evidence a data fiduciary produces on inspection.

The banner is the start, not the obligation

A cookie consent banner governs one input: the trackers on a website. The DPDP Act 2023 governs every collection point. Consent records across forms and sign-ups, data principal access and erasure requests, breach notification within 72 hours, and audit evidence on inspection. A banner that handles cookies cleanly still leaves the rest of the obligation set open. The consent management platform covers the full set. For an online retailer, the e-commerce obligations page sets cookie consent in the wider sector picture.

For a regulated business, the harder obligation is underneath

A bank, NBFC, or insurer carries the website cookie obligation like any business. Underneath it sits the conflict a banner cannot touch: the DPDP erasure right against RBI and PMLA retention mandates on the same customer record. That is resolved at field level, with a denial register an inspector accepts. The Compliance Vault handles the retention conflict; the cookie banner sits at the top of the same funnel.

Cookie consent under the DPDP Act, answered.

Does the DPDP Act 2023 require a cookie consent banner?

The DPDP Act 2023 does not name cookies, but it governs personal data processed through them. Cookies and trackers that identify a visitor or build a profile process personal data, and that processing needs a lawful basis. For non-essential cookies, the basis is consent under Section 6. In practice this means a cookie consent banner that obtains prior, purpose-bound consent, allows withdrawal, and records the choice. Strictly necessary cookies that are required to deliver a service the user requested do not need consent.

What makes a cookie consent banner DPDP-compliant in India?

Four conditions. The banner must obtain consent before non-essential trackers fire, not after. It must request consent per purpose rather than bundling analytics, advertising, and personalisation into one accept-all. It must let a visitor withdraw consent as readily as they gave it, with reject as prominent as accept. And it must keep a consent record against the notice version, timestamp, and categories chosen. A banner that only blocks until a single click does not meet the DPDP Act 2023 specificity and withdrawal requirements.

Is a cookie consent banner enough for DPDP compliance?

No. A cookie consent banner governs one input: tracking technologies on a website. The DPDP Act 2023 obligation set is wider. It covers consent records across every collection point, data principal access and erasure requests, breach notification within 72 hours, retention limits, and audit evidence. A cookie banner is necessary for a site that runs trackers, but it is one part of a data fiduciary's obligations. The full set is what a consent management platform discharges.

Do banks and regulated businesses need more than a cookie banner?

Yes. A bank, NBFC, or insurer carries the website cookie obligation like any business, and a harder one underneath it: the conflict between the DPDP erasure right and RBI or PMLA retention mandates on the same customer record. A cookie consent banner does not touch that. Regulated entities need field-level retention mapping and a denial register for refused erasure requests. The cookie banner sits at the top of the funnel; the retention conflict is the obligation that decides the platform.

When does cookie consent enforcement begin in India?

The DPDP Rules were gazetted on 13 November 2025. Penalty enforcement is expected from around May 2027, and the Consent Manager registration window is expected to open around November 2026. The dates have moved before, so treat them as the current expectation rather than a fixed schedule. The procurement and remediation window is the period before enforcement, not after it.

Cookies are one obligation. Score them all.

The Gap Assessment scores your position across the DPDP obligation set and returns a PDF report in minutes. No account required.

Run the Gap Assessment