India's DPDP Act: Cookie Consent for the World's Largest Digital Market
India passed the Digital Personal Data Protection Act (DPDP Act) in 2023, and the rules that operationalize it have now taken effect. With more than 850 million internet users, India is a market no global publisher, advertiser, or SaaS operator can afford to get wrong — and the DPDP Act introduces consent obligations that differ meaningfully from GDPR, CCPA, and other frameworks you may already support.
This guide explains how the DPDP Act treats cookies and tracking identifiers, who it applies to, and what a compliant consent experience looks like for Indian users.
Who the DPDP Act Applies To
The DPDP Act governs the processing of digital personal data within India, as well as processing outside India that relates to offering goods or services to individuals in India. In practice, if your website is accessible to Indian users and you collect personal data through it — including via cookies, SDKs, pixels, or fingerprinting — the Act almost certainly applies to you.
The Act uses two key roles: the Data Fiduciary (equivalent to a GDPR controller) and the Data Processor. A small number of the largest operators may be designated Significant Data Fiduciaries, triggering additional obligations such as Data Protection Impact Assessments and the appointment of a Data Protection Officer resident in India.
How the DPDP Act Treats Cookies and Trackers
Unlike the ePrivacy Directive, the DPDP Act does not single out cookies as a separate category. Instead, it regulates any processing of digital personal data. This means cookies, device identifiers, IP addresses, advertising IDs, and hashed emails all fall within scope when they are linked — directly or indirectly — to an identifiable person.
The implication for publishers is straightforward: if a cookie or tag on your site causes personal data to be collected or shared, you need a valid lawful basis. Under the DPDP Act, that basis is almost always consent, with a narrow set of exceptions for "legitimate uses" defined by the Act.
What Valid Consent Looks Like
The DPDP Act sets a high bar for consent. It must be free, specific, informed, unconditional, and unambiguous, and expressed through a clear affirmative action. Pre-ticked boxes, implied consent from continued browsing, and "cookie wall" designs that condition access on acceptance are not compatible with these requirements.
Two additional DPDP-specific rules matter for consent UX:
- Itemised notice: Before or at the time of consent, you must give the user a clear notice identifying the data being collected, the purposes of processing, and how the user can withdraw consent or file a complaint with the Data Protection Board of India.
- Plain language and multilingual support: Notices must be available in English and in any of the 22 scheduled languages of India that the user selects. A CMP that cannot render consent content in Hindi, Tamil, Bengali, Marathi, and other major languages will struggle to comply.
Children's Data and Parental Consent
The DPDP Act treats anyone under the age of 18 as a child and requires verifiable parental consent before processing their personal data. It also prohibits behavioural monitoring and targeted advertising directed at children. Any website that is accessible to minors in India — which in practice means almost every site — needs an age-gating or risk-based strategy, and must be able to block tracking scripts when parental consent is absent.
User Rights Your CMP Must Support
Data Principals (users) in India have a set of rights that must be actionable through your consent and preferences layer:
- Right to access a summary of their personal data being processed.
- Right to correction and erasure of their data.
- Right to withdraw consent at any time, with the same ease as giving it.
- Right to nominate another individual to exercise rights in the event of death or incapacity.
- Right to grievance redressal, first with the Data Fiduciary and then with the Data Protection Board of India.
A compliant CMP should expose a persistent preferences link, support one-click consent withdrawal, and log consent events in a way that can be produced on request during an investigation.
Cross-Border Data Transfers
The DPDP Act takes a "negative list" approach to international transfers: personal data can be transferred outside India unless the destination country is specifically restricted by the Central Government. This is more permissive than GDPR's adequacy regime, but you should still document which third countries receive data from Indian users and monitor the published restriction list.
Penalties and Enforcement
Financial penalties under the DPDP Act are substantial. The Data Protection Board can impose fines of up to ₹250 crore (approximately $30 million USD) for failing to take reasonable security safeguards, and up to ₹200 crore for failing to fulfil obligations toward children. Consent-related failures — including collecting consent through non-compliant banners — are subject to fines up to ₹50 crore per violation.
Implementing DPDP-Compliant Consent in Your CMP
- Geo-detect Indian users and apply a DPDP-specific consent template rather than reusing a GDPR banner. The required notice content and language options are different.
- Render notices in multiple Indian languages. At minimum, support Hindi and English, and add regional languages based on your traffic distribution.
- Block all non-essential trackers by default. Load ad, analytics, and third-party SDKs only after affirmative consent.
- Separate purposes clearly. Do not bundle advertising, analytics, and personalization into a single "accept" action if a user could reasonably want to consent to some but not others.
- Log consent and withdrawal events with timestamps, the exact notice version shown, and the user's language selection, so you can evidence compliance during regulatory inquiries.
- Provide a visible preferences link on every page that allows users to review, update, or withdraw consent at any time.
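A sketch of the default-deny, per-purpose gating and consent logging described in the list above, with the children's rule from earlier applied; this is an added example, not code from any particular CMP. The names `ConsentStore`, `PURPOSES`, `NOTICE_VERSION` and `tagsToLoad` are hypothetical, and the age and parental-consent flags are assumed to come from your own age-gating step.

```javascript
// Added example: names and the notice version string are hypothetical.
const PURPOSES = ["analytics", "advertising", "personalization"];
const NOTICE_VERSION = "dpdp-notice-v1"; // constructed placeholder

class ConsentStore {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.log = [];          // append-only evidence trail
    this.state = new Map(); // userId -> { granted, language, isChild, parentalConsent }
  }
  _record(userId, event, purposes, language) {
    this.log.push(Object.freeze({
      userId, event, purposes: [...purposes], language,
      noticeVersion: NOTICE_VERSION, timestamp: this.now(),
    }));
  }
  // Call only from an explicit user action; each purpose is granted separately.
  grant(userId, purposes, { language, isChild = false, parentalConsent = false }) {
    const bad = purposes.filter((p) => !PURPOSES.includes(p));
    if (bad.length) throw new Error(`unknown purpose: ${bad.join(",")}`);
    const prev = this.state.get(userId);
    const granted = new Set([...(prev ? prev.granted : []), ...purposes]);
    this.state.set(userId, { granted, language, isChild, parentalConsent });
    this._record(userId, "grant", purposes, language);
  }
  // Withdrawal is a single call and is logged like a grant.
  withdraw(userId, purposes = PURPOSES) {
    const s = this.state.get(userId);
    if (!s) return;
    purposes.forEach((p) => s.granted.delete(p));
    this._record(userId, "withdraw", purposes, s.language);
  }
  // Default deny: no stored grant means the tag does not load.
  allowed(userId, purpose) {
    const s = this.state.get(userId);
    if (!s || !s.granted.has(purpose)) return false;
    if (s.isChild && !s.parentalConsent) return false; // no parental consent: block tracking
    if (s.isChild && purpose === "advertising") return false; // no targeted ads to children
    return true;
  }
}

// Returns only the tags that may be injected for this user.
function tagsToLoad(store, userId, tags) {
  return tags.filter((t) => t.purpose === "essential" || store.allowed(userId, t.purpose));
}
```
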
DPDP vs. GDPR: Practical Differences
- No "legitimate interests" basis. The DPDP Act does not recognize legitimate interests as a general lawful basis the way GDPR does. Consent carries more weight, so UX design matters more.
- Stricter rules on children. The age of digital consent is 18, not 13 or 16, and targeted advertising to minors is explicitly prohibited.
- Multilingual notice requirement is unique to the DPDP Act and cannot be satisfied with an English-only banner.
- Significant Data Fiduciary obligations create a second compliance tier for high-risk operators that has no direct GDPR analogue.
Conclusion
The DPDP Act brings India into the modern global data protection landscape with its own distinct flavour — consent-first, multilingual by design, and protective of minors to an unusual degree. Publishers and platforms already operating a GDPR-grade CMP have a head start, but they will still need to adjust banner content, language support, age-handling, and logging to meet DPDP requirements. Treating India as "just another GDPR jurisdiction" is the fastest way to end up in front of the Data Protection Board.