Enacted to protect individual privacy in the digital age, India’s Digital Personal Data Protection Act (DPDP) emphasizes consent-based data processing and grants individuals rights over their personal information. Is your website ready for compliance?
The Digital Personal Data Protection (DPDP) Act of 2023 is India’s landmark privacy law that governs how organizations collect, process, store, and transfer digital personal data. Under the DPDP, cookies that collect personal data—such as those used for behavioral tracking or user profiling—fall within the scope of regulation. Organizations must obtain clear, informed, and voluntary consent from users before placing such cookies on their devices. This means displaying detailed cookie banners or pop-ups and offering granular choices regarding data collection.
Businesses must implement robust data governance policies, appoint a Data Protection Officer (DPO) if mandated, ensure data is processed only for specified purposes, and maintain accountability through audit trails. The Act requires consent to be revocable and easily accessible, with a strong emphasis on transparency. Cross-border data transfers must comply with conditions prescribed by the central government.
To be in compliance with DPDP India, businesses should:
Data governance: Implement robust data governance policies, and publish and keep up to date a comprehensive Privacy Policy
Consent management: Obtain proper consent for collecting and processing personal data
Consent withdrawal mechanism: Ensure a method for consumers to withdraw consent
Data audit: Audit all data collection practices, including consent mechanisms, data security, and third-party data sharing
Data minimization: Adhere to data minimization principles, collecting only the data that is required and using it only for the stated purposes
Implement data protection: Secure data against breaches and unauthorized access
The DPDP applies to any entity—public or private, within or outside India—that processes the personal data of Indian citizens digitally. This includes websites, mobile apps, service providers, and multinational companies offering goods or services to individuals in India.
India’s DPDP gives consumers various data privacy rights, including:
Request access to their personal information
Request to know how personal data is being collected and used
Request that inaccurate, incomplete or out-of-date information be corrected
Request the erasure of their personal information under certain circumstances
Request to opt out of processing of their data
Have their personal data protected against common risks, such as data breaches
While the DPDP does not explicitly mention cookies and consent management in this context, cookies are central to ensuring data protection. Cookies used for advertising, analytics, or profiling often collect personal data and therefore require user consent under the DPDP. Unlike functional or strictly necessary cookies, these must be opt-in rather than opt-out. Non-compliance in how cookies are used and consented to can trigger regulatory scrutiny.
Violations of the DPDP can lead to significant financial penalties. The Data Protection Board of India may impose fines of up to ₹250 crore (~30 million USD) depending on the nature and severity of the breach. Non-compliance can also lead to reputational and brand damage and to restrictions on data processing activities.
To check your compliance with the DPDP India, businesses should:
Review data practices: Conduct a data audit to identify all cookies and trackers on their websites
Categorize cookies: Understand what kinds of data each cookie collects and how it must be treated, e.g., necessary, preference, analytics, or marketing cookies
Implement consent management: Ensure consent banners are implemented correctly and maintain consent logs
Check partner contracts: Review third-party data-sharing practices
Train employees: Ensure that employees have training to understand and comply with the DPDP
The DPDP law applies to the processing of digital personal data by government and private entities within India, as well as to entities outside India if they process data of individuals located in India.
Personal data refers to any data about an individual who is identifiable, either directly or indirectly, through identifiers like name, address, phone number, or other information.
Sensitive personal data includes information that can significantly impact an individual's privacy, such as financial data, health records, biometric details, caste, religion, sexual orientation, and political opinions.
The Data Protection Board of India is the designated regulatory authority responsible for enforcing and overseeing compliance with the DPDP law.
Certain entities like the government in specific circumstances, data processed for personal or domestic purposes, and data related to national security may be exempt from some provisions of the DPDP law.
You can visit the official website of the Ministry of Electronics and Information Technology (MeitY) or refer to the published DPDP Act and related guidelines for detailed information.
©2018-2025 CookieHub ehf.
CookieHub CMP offers tools and services for managing cookies and online privacy.