The Indian economy is expanding at an unmatched pace, and along with it arises the complexities of data privacy and protection. The Digital Personal Data Protection (DPDP) rules show a new chapter in India’s data protection space. However, one of the areas that ignites curiosity among Indian enterprises in the Act is cookie consent management.
Despite cookies being a cornerstone of digital interaction and tracking of user data, it is not explicitly mentioned in the DPDP Act or its draft rules. But this silence does not mean exclusion. Ministry of Electronics and Information Technology (MeitY) has released the Business Requirements Document for Consent Management System (BRDCMS), which is playing an important role in making India’s position on cookie compliance clearer.
In this article, we will explore the various implications of cookie consent management as per the DPDP Act, what the expectations set by BRDCMS and how Indian enterprises can design privacy-first compliant systems that are in line with the global standards.
Also Read : The DPDP Compliance Checklist (2025): Step-by-Step Guide for Indian Businesses
The Role of BRDCMS in Bridging the Gap
Although the DPDP Act comes with quite a robust framework for purpose, consent, transparency, and limitation, it is quite silent when it comes to cookies, which is the gap being filled by BRDCMS, which was released on April 15, 2025. A detailed expectation setting has been done through this document to manage user consent and address cookies indirectly that require mechanisms offering:
Multi-language support
Real-time consent updates
Auto-expiry for preferences and data
Granular consent options
Transparent banners and cookie notices
This guidance has effectively brought cookies into the purview of the DPDP rules even when it doesn’t have an explicit statutory language.
Also Read : Principles of Data Privacy and Protection Explained | Core Principles of DPDP
DPDP Compliance & Cookie Consent Management
- Real-Time Consent Management
- Granular Consent Options
- Inclusive Multi-Language Support
- Transparent cookie policies
- What data is being collected
- The reason for the collection
- The time duration for which they stay active
- The parties with whom the data is being shared
- Intelligent Cookie Notice Banners
- Concise and informative
- Provide options to customise preferences, accept or decline non-essentials
- Be non-obstructive as well as accessible
- Automated Compliance via Auto-Expiry
It should be as easy to revoke the consent as it is to provide. The BRDCMS mandates dashboards that are user-friendly and allow users to withdraw or modify their consent instantly, with the backend systems immediately halting the collection of the data associated with the same.
Instead of just two options of “Reject All” and “Accept All” choices, users must be given several choices with specific categories of cookies. The “specific, informed, unconditional, and free” consent standard that is outlined in the Act can be respected through this.
According to Section 5(3) of the DPDP Act, there should be multiple languages in which the notices should be generated for users. This extends to cookie policies and banners as well.
Enterprises should publish accessible and clear cookie policies that outline:
These policies should be written in simple language and also help in complete transparency.
The first interaction with users should be impactful. Cookie banners must be:
The user consent preferences and the cookies should automatically expire once the defined period is over. This prevents indefinite processing and storage of personal data, thereby aligning with the data minimisation and retention principles.
Also Read: Top 5 Cookie Consent Management Platforms in India 2025
What Should Indian Enterprises Do Now
There might not be any dedicated cookie law; however, the onus lies on the businesses to build systems that are DPDP aligned and involve implementing dynamic consent managers, conducting cookie auditing, updating cookie and privacy policies, and ensuring multilingual support with real-time revocation pathways.
Overall, it’s more important for organisations to not just focus on technical deployment but embed privacy as a culture.
Privy by IDfy,India’s first full-stack data privacy and governance platform, helps you become DPDP compliant in days. It is one of the top contributors to the implementation of DPDP rules across enterprises in India.
Summing It Up
Cookie consent management under the DPDP Rules is not just a compliance obligation, but it's more of a trust-building activity. The BRDCMS has made it very evident that control, clarity, and consent must be at the core of digital engagement. With the evolution of global and local privacy laws, forward-looking enterprises are investing heavily in user-centric cookie governance platforms to stay ahead of the curve and position themselves as trustworthy and privacy-respecting brands of the new Bharat.
Also Read : Penalties Under DPDP: Fines, Breach Scenarios, and How to Reduce
The enterprises that will adopt these frameworks faster will have an edge in global competitiveness. Privacy is no longer a necessity; it has become a competitive edge both domestically and internationally. Privy by IDfy exactly helps you solve this and get ahead of the curve.
Get in touch with us at shivani@idfy.com so that we can help you streamline your DPDP compliance journey.