What Are the DPDPA Cookie Consent Requirements?
Everything you need to know about DPDPA cookie consent compliance in 2026. Complete guide covering opt-in consent requirements, cookie banner elements, consent records, and technical implementation for India.
Summary
This guide provides comprehensive technical implementation requirements for India (DPDPA). Cookies fall under DPDPA scope as they collect data 'in relation to' identifiable individuals (Section 2(t)). Affirmative opt-in consent is required for non-essential cookies that process personal data.
This jurisdiction requires an opt-in consent model (prior consent), meaning websites must obtain explicit user consent before placing non-essential cookies or similar tracking technologies. Users must actively accept cookies through clear consent mechanisms.
Additional requirements for this jurisdiction include: providing consent banners and privacy information in all required languages, and special protections and consent mechanisms for children's personal data.
Website owners and operators subject to these regulations must implement compliant cookie consent banners, maintain proper consent records, and ensure their tracking technologies respect user privacy choices. This guide outlines all technical requirements needed to achieve compliance.
Key Requirements Overview
Technical Requirements
Required Banner Elements
First Layer (Cookie Banner)
- Concise purpose summary
- Accept All button
- Reject All button or link
- Manage Preferences button
- Link to privacy policy
Second Layer (Preferences Modal)
- Granular purpose toggles
Implementation Guidance
Cookies are not mentioned in the DPDP Act but fall under its scope because they collect data 'in relation to' an identifiable individual (Section 2(t)). Per Section 6 and Draft Rule 3, consent must be free, specific, informed, unconditional, and obtained through affirmative action; pre-ticked boxes do not count. Vague language like 'we use cookies to improve your experience' is not sufficient.
Users must be able to accept or reject different categories of cookies independently (granular opt-in per NeGD Business Requirements Document on Consent Management Systems, 2025). The banner must clearly state what data is being collected, for what purpose, and by whom. Consent withdrawal must be available persistently, not just on first visit. Notices must be provided in English and other scheduled Indian languages as notified. The ASCI Academy whitepaper 'Navigating Cookies' (2025) flags the need to avoid dark patterns in cookie consent flows.
You must store an auditable record of what the user consented to, when, and how. This is your proof in case of disputes or regulatory scrutiny. The NeGD document also specifies auto-expiry requirements for consent, though no specific duration is mandated in law.
Processing without consent is permitted for: legal obligations, state functions, employment purposes, and medical emergencies. Data minimisation and purpose limitation are required. Users (Data Principals) have rights to access, correction, erasure, and grievance redressal. Penalties for non-compliance can reach up to INR 250 crore (approx. USD 30 million).
Special Protections
Children's Privacy
Parental or lawful guardian consent is required for children under 18. Processing must not cause harm to a child. Behavioral monitoring and targeted advertising directed at children are prohibited.
Sensitive Data
Explicit consent is required. The Act does not create a separate category of sensitive data, but the government may notify additional obligations for certain data types.
Record Keeping Requirements
Required Consent Record Fields
For each consent action, you must maintain records containing:
- Timestamp (ISO format)
- User choices by purpose
- Policy version
CookieChimp handles all of this automatically. Our platform maintains comprehensive consent records including all required fields, timestamps, consent strings, IP addresses, user agents, and more. Records are securely stored and easily exportable for compliance audits. Learn more about our consent management
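The record fields and the opt-in rule described above, as an added server-side Node.js example that is not CookieChimp's code and not part of the original guide. The purpose names, the `method` values, the sample policy version and the SHA-256 hash chain that makes the log tamper-evident are assumptions made for this illustration.

```javascript
// Added example (not CookieChimp's code). Purpose names, method values and
// the SHA-256 hash chain are assumptions made for this illustration.
const { createHash } = require("node:crypto");

const PURPOSES = ["analytics", "advertising", "personalisation"]; // hypothetical categories
const METHODS = ["accept_all", "reject_all", "custom", "withdraw"]; // "how" the choice was made

// Hash the fields of a record (excluding its own hash) in a fixed order.
function hashRecord(r) {
  const body = JSON.stringify([r.timestamp, r.choices, r.method, r.policyVersion, r.prevHash]);
  return createHash("sha256").update(body).digest("hex");
}

// Build one consent record. Every purpose defaults to false (nothing pre-ticked);
// only a literal `true` counts as opt-in, and reject/withdraw forces all to false.
function buildConsentRecord(choices, method, policyVersion, prevHash, now = new Date()) {
  if (!METHODS.includes(method)) throw new Error("unknown consent method: " + method);
  const denyAll = method === "withdraw" || method === "reject_all";
  const byPurpose = {};
  for (const p of PURPOSES) byPurpose[p] = !denyAll && choices[p] === true;
  const record = {
    timestamp: now.toISOString(), // when: ISO timestamp
    choices: byPurpose,           // what: user choices by purpose
    policyVersion,                // policy version shown to the user
    method,                       // how the choice was expressed
    prevHash: prevHash || null,   // links to this user's previous record
  };
  record.hash = hashRecord(record);
  return record;
}

// An auditor can re-check that no stored record was edited or dropped mid-chain.
function verifyLog(log) {
  return log.every((r, i) =>
    r.hash === hashRecord(r) && r.prevHash === (i === 0 ? null : log[i - 1].hash));
}

// Gate for tag/cookie loading: non-essential purposes need an explicit opt-in
// in the most recent record, so a later withdrawal takes effect immediately.
function mayProcess(log, purpose) {
  if (purpose === "essential") return true;
  const latest = log[log.length - 1];
  return Boolean(latest) && latest.choices[purpose] === true;
}
```

Call `mayProcess` before any non-essential tag is emitted, and append a new record (never overwrite an old one) each time the user changes or withdraws a choice.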