dpdpact.co.in

This website belongs to KavachOne Solutions Pvt. Ltd., having its corporate office located in Noida, India.
Cookie Consent Management Under DPDP Act India: Complete Guide 2025 | KavachOne
🍪 Cookie Consent & DPDP

Cookie Consent Under India's DPDP Act: What Changes

Cookies that collect personal data are subject to India's DPDP Act 2023. Your old "Accept All" banner with no reject option is no longer compliant. The Act requires freely given, informed, purpose-specific, and easily withdrawable consent — with granular control for every non-essential cookie category. Here is everything you need to know.

4: Cookie Categories Requiring Different Treatment
0: Pre-Ticked Consent Boxes Permitted
₹200 Cr: Max Penalty for Consent Violations
1-Click: Consent Withdrawal Must Be as Easy as Giving
Always: Strictly Necessary Cookies, No Consent Required
Compliance Requirements

6 DPDP Consent Requirements for Cookie Banners

A generic "We use cookies" notice with an Accept button no longer meets DPDP standards. Your cookie consent implementation must meet all six of these requirements.

📋
Granular, Purpose-Specific Consent
Consent must be obtained separately for each cookie purpose — analytics, marketing, personalisation — not as a single bundled "accept all" consent. Users must be able to consent to some categories and reject others.
✓ Required: Separate toggle or checkbox for each cookie category, with clear description of each purpose before consent is sought.
🤚
No Pre-Ticked Boxes or Defaults
Non-essential cookies must default to OFF. Pre-ticked boxes, default-on toggles, or implied consent from scrolling / continued browsing do not meet the DPDP "freely given and unambiguous" consent standard.
✓ Required: All non-essential cookie toggles start in the OFF position. Accept requires explicit positive action from the user.
🚫
Reject Must Be As Easy As Accept
The DPDP Act requires that refusing consent is no harder than giving it. A clearly visible "Reject All" button must be present at the same level as "Accept All" — not buried behind multiple layers of settings.
✓ Required: "Reject All" button visible in the initial banner view, not hidden in preferences. Equal visual prominence with "Accept All."
📖
Clear, Accessible Cookie Information
Before consent is sought, users must be informed about: what cookies are set, what personal data they collect, the purpose, and who has access to the data (including third-party cookie operators). Plain, accessible language required.
✓ Required: Per-category descriptions, third-party cookie operator names, and link to full cookie policy — accessible before consent is given.
🔄
Easy Consent Withdrawal
Users must be able to withdraw cookie consent at any time — as easily as they gave it. A persistent privacy settings link (footer or floating icon) must allow users to re-open the consent panel and change their preferences.
✓ Required: Persistent "Cookie Preferences" link in every page footer. Consent panel re-openable at any time without re-visiting the site.
🗃️
Consent Record & Audit Log
Every consent decision — accept, reject, category-level preferences, and withdrawal — must be logged with a timestamp, user identifier (anonymised if appropriate), and the version of the banner shown. This log must be producible to the Data Protection Board (DPB) on request.
✓ Required: ConsentiQo maintains a tamper-evident consent audit log — every cookie consent event recorded and DPB-ready.
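The record fields and the tamper-evidence property in the last requirement can be shown with a hash-chained log in which each entry commits to the one before it. This is an added example, not ConsentiQo's implementation; the category names, event labels, field names and functions are assumptions made for the illustration, and timestamps are supplied by the caller.

```javascript
const { createHash, createHmac } = require('crypto');

// Assumed non-essential categories (strictly necessary cookies need no consent).
const CATEGORIES = ['analytics', 'marketing', 'personalisation'];
const GENESIS = '0'.repeat(64);
const allOff = () => Object.fromEntries(CATEGORIES.map(c => [c, false]));

// Keyed hash of the user identifier, so the log never stores the raw ID.
function pseudonymise(userId, key) {
  return createHmac('sha256', key).update(userId).digest('hex');
}

// Hash over a fixed field order; prevHash links each entry to the one before.
function entryHash(e) {
  const prefs = CATEGORIES.map(c => e.preferences[c] === true);
  const body = [e.prevHash, e.timestamp, e.userRef, e.bannerVersion, e.event, prefs];
  return createHash('sha256').update(JSON.stringify(body)).digest('hex');
}

// event: 'accept' | 'reject' | 'update' | 'withdraw' (assumed labels).
function appendConsent(log, { userRef, bannerVersion, event, granted = [], timestamp }) {
  // Every category starts OFF; only explicitly granted ones become true.
  const preferences = Object.fromEntries(CATEGORIES.map(c => [c, granted.includes(c)]));
  const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
  const entry = { prevHash, timestamp, userRef, bannerVersion, event, preferences };
  entry.hash = entryHash(entry);
  log.push(entry);
  return entry;
}

// Index of the first altered or out-of-sequence entry, or -1 if intact.
function verifyLog(log) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    if (log[i].prevHash !== prev || entryHash(log[i]) !== log[i].hash) return i;
    prev = log[i].hash;
  }
  return -1;
}

// Latest decision wins; a user with no record has everything OFF.
function currentConsent(log, userRef) {
  const last = log.filter(e => e.userRef === userRef).pop();
  return last ? last.preferences : allOff();
}
```

A hash chain exposes edited or removed entries, but not truncation of the tail or a complete rewrite, so the latest hash should also be stored or signed somewhere the log writer cannot change.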
Banner Design

Anatomy of a DPDP-Compliant Cookie Banner

Every element of your cookie consent banner has a specific DPDP compliance function. Here is what a compliant banner must contain — and why each element matters.

1. Clear Headline + Purpose Statement
Plain language title and brief description. Explains what cookies are used for, not just that "we use cookies." Includes the right to change preferences at any time.
2. Per-Category Toggles — Off by Default
Separate, independently controlled toggle for each non-essential category. All non-essential toggles start in the OFF position — users must actively switch them on.
3. Strictly Necessary: Always On (Locked)
Essential cookies are clearly distinguished with an "Always On" indicator — not a toggle, which correctly conveys that these cannot be disabled. Users understand they are not choosing to accept these.
4. Accept / Reject / Preferences — Equal Prominence
Three equal-level action buttons. "Reject All" is as visible and accessible as "Accept All." No dark patterns — no grey-out on reject, no shrinking the reject button.
5. Preferences Panel for Detailed Control
The Preferences option opens a detailed panel showing every cookie name, its operator, purpose, duration, and whether it is first or third party — giving users full informed consent.
6. Consent Logged — DPB-Admissible Record
Every interaction with this banner — including the exact preferences chosen, timestamp, banner version, and user identifier — is logged in ConsentiQo's consent audit log. Producible to DPB on request.
Common Mistakes

DPDP-Compliant vs Non-Compliant Banners

Most Indian websites today have cookie banners that violate the DPDP Act. Here is exactly what separates a compliant implementation from one that risks ₹200 crore in penalties.

✗ Non-Compliant Banner
Single "Accept All Cookies" button — no ability to reject or customise
Continued browsing implies consent — no explicit action required
All non-essential toggles pre-ticked as "on" by default
"Reject" option buried 3 clicks deep in Cookie Settings
Cookies already set before any consent is given
No ability to withdraw consent after the fact
Banner disappears when user scrolls — treated as consent
No record kept of what users consented to or when
Purpose descriptions are vague: "we use cookies to improve your experience"
Third-party cookie operators not disclosed to users
✓ DPDP-Compliant Banner
Granular per-category consent with separate toggle for each purpose
All non-essential cookie toggles default to OFF until explicitly enabled
"Reject All" button at same visual level as "Accept All" — one click
No cookies set until user makes an active consent choice
Consent can be withdrawn at any time via persistent footer link
Clear, specific purpose description for every cookie category
All third-party cookie operators named with links to their privacy policies
Consent log maintained — timestamp, preferences, banner version recorded
Cookie policy linked from banner before consent is sought
Banner re-shown if cookie policy materially changes
ConsentiQo CMP

How ConsentiQo Automates Cookie Compliance

KavachOne's ConsentiQo is India's most complete DPDP-native Consent Management Platform — handling cookie consent, record-keeping, withdrawal, and audit log out of the box.

🍃
Auto Cookie Scanner
ConsentiQo automatically scans your website to detect and categorise every cookie and tracker — first-party, third-party, session, persistent — and generates your compliant cookie inventory without manual effort.
🎨
Customisable DPDP-Compliant Banner
Deploy a fully branded cookie consent banner in minutes — matching your website's design, in any language, with all DPDP-required elements (granular toggles, reject button, preferences panel) pre-configured correctly.
🔒
Cookie Blocking Until Consent
ConsentiQo blocks all non-essential scripts and cookies from loading until the user has actively consented to each category — ensuring no cookies are set before consent, as required by the DPDP Act.
🗃️
DPB-Ready Consent Audit Log
Every consent event is logged in a tamper-evident audit trail — consent given, preferences selected, withdrawals, and the exact banner version shown. Producible to the Data Protection Board within minutes.
🔄
One-Click Consent Withdrawal
A persistent Cookie Preferences link in every page footer lets users re-open their consent panel at any time, change their preferences, or withdraw all non-essential cookie consent with a single click.
📊
Consent Rate Analytics
Real-time dashboard showing consent rates by category, banner version performance, withdrawal rates, and geographic breakdowns — giving privacy and marketing teams the data they need to optimise both compliance and conversion.

Deploy a DPDP-Compliant Cookie Banner Today

ConsentiQo deploys in under 30 minutes — a single JavaScript snippet on your website, and you have a fully DPDP-compliant cookie consent management system with auto-scanning, granular consent, withdrawal, and a DPB-ready audit log. No legal ambiguity, no penalty risk.

FAQs

Common Questions About Cookie Consent & DPDP

Does the DPDP Act explicitly mention cookies — or does it apply indirectly?
The DPDP Act does not use the word "cookie" — but it applies directly to any collection and processing of personal data, regardless of the technical mechanism. Cookies that collect identifiable personal data — including pseudonymous identifiers like device IDs, IP addresses tied to profiles, and browsing behaviour — are processing personal data under the Act's definition. This means any non-essential cookie that processes personal data requires DPDP-compliant consent under §6, making cookie consent management a direct DPDP obligation for all Indian websites collecting such data.
Can we use our existing GDPR-compliant cookie banner for Indian users?
A well-implemented GDPR cookie banner may be substantially compliant with DPDP requirements — since GDPR imposes similar or stricter standards in most areas (granular consent, reject button, withdrawal). However, there are nuances: DPDP's consent language requirements are India-specific and must reflect DPDP legal bases, not GDPR legal bases. ConsentiQo is recommended over generic GDPR CMPs for Indian websites because it generates consent records in the format expected by India's DPB, uses DPDP-specific legal basis language, and integrates with the broader KavachOne DPDP compliance ecosystem.
What happens to existing cookie consents already collected before DPDP implementation?
Consents collected before your DPDP-compliant banner is deployed may not meet the Act's standards — particularly if they were collected through implied consent (continued browsing) or pre-ticked boxes. Best practice is to re-obtain consent from existing users by displaying the new DPDP-compliant banner to returning users who have not yet given compliant consent. ConsentiQo handles this automatically — it detects whether a returning user has a valid DPDP-compliant consent record and re-presents the banner if needed, without disrupting users who have already given compliant consent.
Do mobile apps need cookie consent under DPDP — or only websites?
Mobile apps do not use cookies in the traditional browser sense — but they use functionally equivalent tracking mechanisms: advertising identifiers (IDFA on iOS, GAID on Android), SDKs that collect usage analytics, in-app event tracking, and cross-app tracking via fingerprinting. All of these that process personal data are subject to DPDP consent requirements. Mobile apps must obtain consent for each tracking SDK or advertising ID usage through in-app consent flows — which ConsentiQo supports via its SDK integration for iOS and Android apps.
How should we handle users who consistently reject all non-essential cookies?
Users who reject all non-essential cookies must receive the same quality of core service as users who accept. Under the DPDP Act, consent must be freely given — which means conditioning core service access on cookie acceptance (known as a "consent wall") is a violation. You may not refuse access to your website, degrade the service, or present content differently to users who reject cookies. The only permissible consequence of rejecting non-essential cookies is that the features those cookies enable — personalised recommendations, targeted ads, analytics dashboards — simply do not function for that user.