Website Cookie Consent Under India’s DPDP Act: What Organizations Must Do

With the enforcement of the Digital Personal Data Protection Act, 2023 (DPDP Act), website cookie practices in India are no longer just a best practice borrowed from GDPR; they are now a statutory compliance requirement. Any organization operating a website that uses cookies or similar tracking technologies must assess how consent is obtained, managed, and withdrawn.

While the DPDP Act does not explicitly use the word “cookies,” it squarely regulates any processing of personal data, and cookies often collect identifiers, behavioral data, device information, and usage patterns that qualify as personal data.

Cookies are used for purposes such as authentication, analytics, personalization, marketing, and fraud prevention. When these cookies can identify or profile an individual directly or indirectly, they constitute personal data processing under the DPDP Act. As a result, organizations must comply with the Act’s core requirements of notice, consent, purpose limitation, and user control.

This means that silent tracking, pre-enabled analytics cookies, or blanket “by using this site you agree” banners are no longer sufficient.

Under Section 6 of the DPDP Act, personal data processing generally requires free, specific, informed, unconditional, and unambiguous consent. For cookies, this creates a clear distinction between essential and non-essential cookies.

Essential cookies, those strictly necessary to deliver the website or service requested by the user, may be processed without explicit consent, as they fall under legitimate use. However, analytics, advertising, personalization, and tracking cookies always require explicit consent.

This means:

  • Cookies must not be enabled by default (except essential ones)

  • Users must actively opt in (no pre-checked boxes)

  • Consent must be granular, allowing users to choose cookie categories

  • Continued browsing cannot be treated as consent

A DPDP-compliant cookie mechanism must allow users to make real choices. This includes the ability to:

  • Accept all cookies

  • Reject all non-essential cookies

  • Customize preferences by category

Bundled consent, where users must accept all cookies to access the site, is inconsistent with DPDP principles and risks invalidating consent.

The goal is not just disclosure, but meaningful user control.

Under Section 6(4) of the DPDP Act, withdrawal of consent must be as easy as giving it. For cookies, this means users must be able to:

  • Revisit cookie preferences at any time

  • Modify or withdraw consent with immediate effect

  • Have non-essential cookies disabled upon withdrawal

A persistent “Cookie Settings” or “Manage Preferences” link is essential to meet this requirement.
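As an added illustration (not part of this article, and not any vendor's consent tool), the following JavaScript sketches the consent model the preceding sections describe: non-essential categories are off until the user explicitly opts in, "Accept all", "Reject all" and "Customize" all go through one code path, every cookie write is gated on the current consent record, and a withdrawal immediately deletes the cookies of any category that was switched off. The category names, cookie names and the Map used in place of document.cookie are assumptions chosen for the example.

```javascript
// Added example: a DPDP-style cookie consent model. Category names, cookie
// names and the Map standing in for document.cookie are assumptions.
const CATEGORIES = {
  essential:       { required: true,  cookies: ["session_id", "csrf_token"] },
  analytics:       { required: false, cookies: ["_ga", "_analytics_uid"] },
  marketing:       { required: false, cookies: ["ad_id", "campaign_ref"] },
  personalization: { required: false, cookies: ["ui_prefs"] },
};

// Starting state before the user has chosen anything: only essential is on.
function defaultConsent() {
  const consent = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) consent[name] = meta.required;
  return consent;
}

// Build a consent record from per-category choices. Essential cannot be turned
// off; any value other than an explicit `true` is treated as "not opted in",
// so a pre-checked box or a truthy default can never enable a category.
function buildConsent(choices) {
  const consent = defaultConsent();
  for (const [name, enabled] of Object.entries(choices)) {
    if (!(name in CATEGORIES)) throw new Error(`unknown cookie category: ${name}`);
    if (CATEGORIES[name].required) continue;
    consent[name] = enabled === true;
  }
  return consent;
}

// The three choices the banner must offer, all routed through buildConsent.
function acceptAll() {
  const all = {};
  for (const name of Object.keys(CATEGORIES)) all[name] = true;
  return buildConsent(all);
}
function rejectAll() { return buildConsent({}); }
function customize(choices) { return buildConsent(choices); }

// Map a cookie name to its category; unclassified cookies belong nowhere.
function categoryOf(cookieName) {
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    if (meta.cookies.includes(cookieName)) return name;
  }
  return null;
}

// Gate every cookie write on the current consent record. Returns true only
// if the cookie was actually set.
function setCookie(jar, consent, cookieName, value) {
  const category = categoryOf(cookieName);
  if (category === null || consent[category] !== true) return false;
  jar.set(cookieName, value);
  return true;
}

// Apply a changed consent record. Any category that was on and is now off has
// its cookies deleted immediately; returns the names removed.
function applyConsent(jar, previous, next) {
  const removed = [];
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    if (meta.required || !previous[name] || next[name]) continue;
    for (const cookieName of meta.cookies) {
      if (jar.delete(cookieName)) removed.push(cookieName);
    }
  }
  return removed;
}

// Walk-through with an in-memory jar (a Map) in place of document.cookie.
function demo() {
  const jar = new Map();
  let consent = rejectAll();                     // banner shown, nothing chosen yet
  setCookie(jar, consent, "session_id", "s1");   // allowed: essential
  setCookie(jar, consent, "_ga", "GA1.1");       // refused: analytics is off
  const next = customize({ analytics: true });   // user opts into analytics only
  applyConsent(jar, consent, next);
  consent = next;
  setCookie(jar, consent, "_ga", "GA1.1");       // now allowed
  const removed = applyConsent(jar, consent, rejectAll()); // user withdraws
  return { removed, remaining: [...jar.keys()] };
}
```

In a real site the `jar` parameter would be an adapter over `document.cookie` (or, for HttpOnly cookies, a server endpoint that clears them), and the "Cookie Settings" link would call `applyConsent` with the user's new choices. The point of routing every write through `setCookie` is that a tag or script added later cannot bypass the consent check by setting a cookie directly.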

The DPDP Act’s storage limitation principle requires that personal data be retained only as long as necessary for the stated purpose. Cookie data cannot be stored indefinitely “just in case.”

Organizations must:

  • Define expiration periods for cookies

  • Periodically review cookie usage

  • Automatically expire or delete cookie data when no longer required

Failure to do so can result in unlawful retention, even if consent was initially obtained.
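The retention rules above can be enforced mechanically rather than by policy alone. The following JavaScript is an added example (not from the article, and not a statement of any limit the DPDP Act itself sets): it caps each cookie's lifetime at a per-category maximum when the cookie is issued, sweeps server-side records derived from cookies once they pass that maximum, and flags inventory entries that have not been reviewed within a chosen interval. The day limits, cookie names and record shapes are assumptions chosen for the example.

```javascript
// Added example: per-category retention caps for cookie data. The day limits
// are assumptions for illustration, not figures taken from the DPDP Act.
const MAX_RETENTION_DAYS = { essential: 1, analytics: 180, marketing: 90, personalization: 365 };
const DAY_MS = 24 * 60 * 60 * 1000;

// Issue a cookie whose Max-Age can never exceed the cap for its category.
// Unclassified cookies are refused outright: if nobody knows what a cookie
// is for, there is no stated purpose to retain it against.
function buildCookie(name, value, category, requestedDays) {
  const cap = MAX_RETENTION_DAYS[category];
  if (cap === undefined) throw new Error(`unclassified cookie ${name}: refusing to set`);
  const days = Math.min(requestedDays, cap);
  const maxAge = Math.round(days * 24 * 60 * 60);
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Retention sweep over server-side records collected via cookies.
// `records` is an array of { cookie, category, collectedAt } with ms timestamps.
// Records past their category cap, or with no known category, are purged.
function sweepExpired(records, nowMs) {
  const kept = [];
  const purged = [];
  for (const r of records) {
    const cap = MAX_RETENTION_DAYS[r.category];
    const expired = cap === undefined || nowMs - r.collectedAt > cap * DAY_MS;
    (expired ? purged : kept).push(r);
  }
  return { kept, purged };
}

// Periodic review: return the names of inventory entries not reviewed within
// `reviewDays`. `inventory` is an array of { cookie, lastReviewedAt }.
function reviewDue(inventory, nowMs, reviewDays = 90) {
  return inventory
    .filter((entry) => nowMs - entry.lastReviewedAt > reviewDays * DAY_MS)
    .map((entry) => entry.cookie);
}

// Walk-through on constructed data: one analytics record 200 days old (past
// the 180-day cap), one marketing record 30 days old, one record nobody classified.
function demo() {
  const now = 2000 * DAY_MS;
  const records = [
    { cookie: "_ga",    category: "analytics", collectedAt: now - 200 * DAY_MS },
    { cookie: "ad_id",  category: "marketing", collectedAt: now - 30 * DAY_MS },
    { cookie: "legacy", category: "unknown",   collectedAt: now },
  ];
  const { kept, purged } = sweepExpired(records, now);
  const overdue = reviewDue(
    [{ cookie: "_ga", lastReviewedAt: now - 120 * DAY_MS },
     { cookie: "ad_id", lastReviewedAt: now - 10 * DAY_MS }],
    now,
  );
  return { kept: kept.map((r) => r.cookie), purged: purged.map((r) => r.cookie), overdue };
}
```

`buildCookie` is the client-facing half (a request for a two-year analytics cookie still goes out with a 180-day Max-Age under the assumed policy), while `sweepExpired` covers the data the cookie identifiers link to on the server side, which is what "unlawful retention" actually bites on once the cookie itself has lapsed in the browser.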