Tags: DPDP, Cookies, Consent, Web

DPDP Cookie Consent: What Indian Websites Actually Need to Do

5 June 2026 · 7 min read · By Sammati

"Does the DPDP Act require a cookie banner?" is the wrong question. India's Digital Personal Data Protection Act, 2023 never uses the word "cookie" — but it absolutely governs the personal data that cookies and trackers collect. If your tags identify or profile a person, DPDP's consent rules apply. Here is what that means in practice for an Indian website.


What the Act does and doesn't say

The DPDP Act regulates digital personal data and the consent needed to process it. It is technology-neutral: it does not list cookies, pixels, or SDKs. So there is no statutory "cookie law" and no prescribed banner design.

What the Act does say is that processing personal data on the basis of consent requires that consent to be free, specific, informed, unconditional, and unambiguous, signified by a clear affirmative action (§6). When an analytics or advertising cookie ties browsing behaviour to an identifiable person, you are processing their personal data — and that consent standard is what governs it.

What to do: Stop asking whether DPDP "mandates a banner." Ask whether each tracker processes personal data, and if it does, make sure you have §6-grade consent before it fires.


How consent principles map to a banner

A banner is simply the practical mechanism to obtain §6 consent for web tracking. To meet the standard, it should:

  • Block non-essential trackers until consent — clear affirmative action means scripts must not fire on page load, before the user chooses.
  • Be specific and granular — let users consent per purpose (analytics, advertising, functional) rather than one all-or-nothing button.
  • Be informed — a notice that says what data each category collects and why, with a link to your policy (§5; itemised notice under DPDP Rules, 2025, Rule 3).
  • Make withdrawal as easy as giving — a persistent way to change or revoke choices later (§6(4)).

What to do: Treat "Reject" and "Accept" as equals. A prominent Accept with a buried Reject undermines the "free" requirement and is the single most common compliance failure.


Strictly necessary cookies don't need consent

Cookies that are genuinely essential — session management, security, load balancing — support a function the user asked for and do not require opt-in consent. Everything else (analytics, advertising, social embeds, non-essential functional cookies) should default to off until the user opts in.

What to do: Classify every cookie honestly. "We decided analytics is essential" is not a defensible classification.


Children change the rules entirely

If your site can be used by under-18s, §9 imposes a hard limit: no tracking, behavioural monitoring, or targeted advertising directed at children — full stop, even with parental consent. Behavioural and advertising cookies cannot lawfully run against a known child. See children's data under the DPDP Act.

What to do: Where a visitor is known or likely to be a minor, suppress analytics and advertising categories regardless of banner choice.
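The loader below is an added example, not Sammati's code and not anything prescribed by the Act; it shows one way to implement the banner rules from the "How consent principles map to a banner" section (non-essential categories off by default, tags blocked until their category is explicitly granted, withdrawal through the same path as granting, every choice recorded with a timestamp) together with the child rule in this section: for a visitor flagged as a minor, analytics and advertising are suppressed whatever the banner says. The vendor script URLs, the tag ids and the `isMinor` signal are assumptions for illustration.

```javascript
// Added example (not Sammati's code): a consent-gated tag loader. Nothing fires on
// page load; a tag is injected only after its category is granted; every choice is
// timestamped; for a minor, analytics/advertising never fire regardless of the banner.

const CATEGORIES = ["functional", "analytics", "advertising", "social"];
const CHILD_BLOCKED = ["analytics", "advertising"]; // §9: no tracking or targeted ads for children

// Constructed tag registry: each tag names the consent category it needs.
// The URLs/ids are illustrative, not a recommendation of any vendor.
const TAGS = [
  { id: "ga4",        category: "analytics",   src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX" },
  { id: "meta-pixel", category: "advertising", src: "https://connect.facebook.net/en_US/fbevents.js" },
  { id: "livechat",   category: "functional",  src: "https://chat.example.test/widget.js" }, // hypothetical
];

class ConsentState {
  // `isMinor` is whatever signal the site has (age gate, account data); assumed here.
  // `now` is injectable so records can be checked deterministically.
  constructor({ isMinor = false, now = () => new Date().toISOString() } = {}) {
    this.isMinor = isMinor;
    this.now = now;
    this.granted = Object.fromEntries(CATEGORIES.map(c => [c, false])); // default: all OFF
    this.records = [];        // audit trail: every choice, with timestamp and resulting state
    this.loaded = new Set();  // tag ids already injected into the page
  }

  _record(action, choices) {
    for (const c of Object.keys(choices)) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
    }
    this.granted = { ...this.granted, ...choices };
    this.records.push({ ts: this.now(), action, granted: { ...this.granted } });
    return this.granted;
  }

  // Accept and Reject are symmetric: one call each, same code path.
  acceptAll() { return this._record("accept_all", Object.fromEntries(CATEGORIES.map(c => [c, true]))); }
  rejectAll() { return this._record("reject_all", Object.fromEntries(CATEGORIES.map(c => [c, false]))); }
  update(choices) { return this._record("granular", choices); }          // per-category toggles
  withdraw(category) { return this._record("withdraw", { [category]: false }); } // §6(4): as easy as granting

  // A tag may fire only if its category is granted and, for a minor, is not a blocked category.
  allowed(tag) {
    if (this.isMinor && CHILD_BLOCKED.includes(tag.category)) return false;
    return this.granted[tag.category] === true;
  }

  // Tags that should be injected now; each tag is injected at most once.
  pending(tags = TAGS) {
    return tags.filter(t => this.allowed(t) && !this.loaded.has(t.id));
  }
}

// Browser wiring: create <script> elements only for tags the state allows.
// Returns the ids injected on this call. Outside a browser (no `document`) it only
// updates the loaded set, which is what the stand-alone run below exercises.
function applyConsent(state, tags = TAGS) {
  const due = state.pending(tags);
  for (const tag of due) {
    if (typeof document !== "undefined") {
      const s = document.createElement("script");
      s.src = tag.src;
      s.async = true;
      document.head.appendChild(s);
    }
    state.loaded.add(tag.id);
  }
  return due.map(t => t.id);
}

// Stand-alone walk-through of the rules.
const demo = new ConsentState();
applyConsent(demo);                 // page load: [] (nothing fires before a choice)
demo.update({ analytics: true });   // user toggles analytics only
applyConsent(demo);                 // ["ga4"]
demo.withdraw("analytics");         // one call, same path as granting
console.log(JSON.stringify(demo.records, null, 2));
```

Wire `acceptAll()` and `rejectAll()` to two equally prominent buttons and `update()` to the per-category toggles, then call `applyConsent()` after every choice and once per page load from the persisted state. Withdrawal changes future behaviour only: a script already injected cannot be un-run, so after `withdraw()` the page should delete that vendor's cookies and reload (or re-initialise the tag) rather than merely stop injecting it.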


What a compliant banner looks like

Putting it together, a defensible Indian cookie banner:

Element            Compliant pattern
Default state      All non-essential categories OFF
Buttons            "Accept all" and "Reject all" equally prominent
Granularity        Per-category toggles (functional, analytics, advertising, social)
Script behaviour   Tags blocked until the matching category is accepted
Notice             Plain-language description, retention, vendors, policy link
Withdrawal         A persistent control to change choices anytime
Record             Each choice logged with timestamp for audit

Common mistakes

  • Firing scripts before consent. Google Analytics or Meta Pixel loading on page load, before any choice, is the classic violation.
  • Pre-ticked categories. "Clear affirmative action" rules out pre-selected toggles.
  • No reject option, or a hidden one. Asymmetry between Accept and Reject breaks "free" consent.
  • A cookie wall on non-essential tracking. Conditioning access to your whole site on accepting advertising cookies is hard to square with consent being free and unconditional.
  • No record. If you cannot show *when* and *to what* a user consented, you cannot prove compliance.

What to do: Open your own site in an incognito window and watch the Network tab. If analytics or ad scripts load before you click anything, you have work to do.


How to audit your own banner in ten minutes

You can sanity-check your site against DPDP's consent principles without any tooling:

  • Open your site in a private/incognito window so no prior consent is remembered.
  • Open Developer Tools → Network and reload. Before you click anything, filter for known trackers (for example, gtag or fbevents). If analytics or advertising scripts load before you consent, that is a violation in plain sight. Also check Application → Cookies for third-party cookies set before you have made any choice.
  • Look at the banner itself. Is there a Reject option as prominent as Accept? Are non-essential categories off by default, or pre-ticked?
  • Open the preferences view. Can you actually decline analytics and advertising and have the site still work?
  • Dismiss the banner, then look for a persistent control to change your choice later — withdrawal must be as easy as giving consent (§6(4)).
  • Finally, check whether each choice is recorded somewhere you could produce on request.

What to do: Run this audit today. Most banners fail on the very first check — scripts firing before consent — which is also the easiest violation for a regulator or complainant to demonstrate.
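The audit above is manual; the script below is an added example (not Sammati's tooling) that makes the first check repeatable: reload the site in a private window, do not touch the banner, save the Network tab as a HAR file, and run the script over it. Every request in that export was made before any consent existed, so any tracker request or third-party Set-Cookie in it is a pre-consent violation. The tracker signature list is illustrative and deliberately short (the gtag and fbevents examples from the text plus their collection endpoints); the sample HAR is constructed.

```javascript
// Added example (not Sammati's code): flag tracker requests and third-party
// cookies in a DevTools HAR export captured before any banner interaction.
// Usage: node precheck.js export.har example.test   (no args: runs on the sample below)

// Illustrative, non-exhaustive signatures for the trackers the article names.
const TRACKER_SIGNATURES = [
  { name: "Google Analytics / gtag", pattern: /googletagmanager\.com\/gtag\/js|google-analytics\.com\/(g\/)?collect/ },
  { name: "Meta Pixel",              pattern: /connect\.facebook\.net\/[^/]+\/fbevents\.js|www\.facebook\.com\/tr\b/ },
];

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return ""; }
}

// First party = the site's registrable domain or any subdomain of it.
function isFirstParty(host, firstPartyDomain) {
  return host === firstPartyDomain || host.endsWith("." + firstPartyDomain);
}

// Returns { trackers: [{name, url}], thirdPartyCookies: [{host, url}] }.
function analyzeHar(har, firstPartyDomain) {
  const trackers = [];
  const thirdPartyCookies = [];
  for (const entry of har.log.entries) {
    const url = entry.request.url;
    for (const sig of TRACKER_SIGNATURES) {
      if (sig.pattern.test(url)) trackers.push({ name: sig.name, url });
    }
    const host = hostOf(url);
    const setsCookie = (entry.response.headers || [])
      .some(h => h.name.toLowerCase() === "set-cookie");
    if (host && !isFirstParty(host, firstPartyDomain) && setsCookie) {
      thirdPartyCookies.push({ host, url });
    }
  }
  return { trackers, thirdPartyCookies };
}

function formatFindings({ trackers, thirdPartyCookies }) {
  const lines = [];
  if (trackers.length === 0 && thirdPartyCookies.length === 0) {
    lines.push("PASS: no tracker requests or third-party cookies before consent");
    return lines;
  }
  for (const t of trackers) lines.push(`FAIL tracker fired before consent: ${t.name}  ${t.url}`);
  for (const c of thirdPartyCookies) lines.push(`FAIL third-party cookie set before consent: ${c.host}  ${c.url}`);
  return lines;
}

// Constructed sample HAR: a site whose GA4 and Meta Pixel tags fire on page load.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://www.example.test/" },
    response: { status: 200, headers: [{ name: "Set-Cookie", value: "session=abc; HttpOnly; Secure" }] } },
  { request: { url: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX" },
    response: { status: 200, headers: [] } },
  { request: { url: "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXX" },
    response: { status: 204, headers: [] } },
  { request: { url: "https://connect.facebook.net/en_US/fbevents.js" },
    response: { status: 200, headers: [] } },
  { request: { url: "https://www.facebook.com/tr/?id=1234567890&ev=PageView" },
    response: { status: 200, headers: [{ name: "set-cookie", value: "fr=...; Domain=.facebook.com" }] } },
  { request: { url: "https://cdn.example.test/app.js" },
    response: { status: 200, headers: [] } },
]}};

if (typeof require !== "undefined" && require.main === module) {
  const [file, domain] = process.argv.slice(2);
  const har = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_HAR;
  console.log(formatFindings(analyzeHar(har, domain || "example.test")).join("\n"));
}
```

A first-party session cookie (the first entry) is not flagged: it is strictly necessary. The collection endpoints matter as much as the script loads; a site that blocks `gtag/js` but still posts to `/g/collect` from an inline snippet is still tracking before consent.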


Frequently asked questions

Does the DPDP Act actually require a cookie banner?

Not by name — the Act never mentions cookies. It requires §6-grade consent to process personal data, and a banner is simply the practical way to obtain that consent for web trackers that identify or profile a person. No banner is mandated; valid consent is.

Do strictly necessary cookies need consent?

No. Cookies essential to a function the user asked for — session, security, load balancing — do not need opt-in. Everything else should default to off until the user consents.

Can I use a "cookie wall" that blocks the site until users accept?

It is risky. Consent must be free and unconditional (§6), and conditioning access to your whole site on accepting non-essential advertising cookies is hard to defend. Keep essential functionality available regardless of tracking choices.

Is a "Reject all" button legally required?

The Act does not name the button, but asymmetry between a prominent "Accept" and a buried or absent "Reject" undermines the "free" requirement. In practice, make rejecting as easy as accepting.

What about analytics cookies on visitors who might be minors?

Behavioural tracking and targeted advertising directed at children are prohibited (§9). Where a visitor is known or likely to be under 18, suppress analytics and advertising categories regardless of the banner choice.


How Sammati helps

Sammati is a consent management platform (CMP) and Data Processor — not a registered Consent Manager — with a cookie-consent solution built for DPDP:

  • A cookie scanner that discovers and categorises trackers automatically
  • A banner that blocks analytics and advertising scripts until consent, with all non-essential categories OFF by default and equal Accept/Reject buttons
  • Per-choice records written to an immutable, hash-chained ledger for audit
  • Banner copy in all 22 Eighth Schedule languages

For implementation detail, see DPDP for D2C and e-commerce and the broader consent management platform vs Consent Manager distinction.

Take the free DPDP assessment or talk to us about cookie consent.
