With the release of the Digital Personal Data Protection (DPDP) rules, businesses are now required to obtain explicit consent before using cookies or processing personal data. Enterprises can no longer collect personal data from their websites without the consent of the visitors.
This represents a significant shift in the country's privacy regulations. The rules also introduce strict requirements and penalties for non-compliance. One of the major changes is the need for explicit cookie consent, which will be especially impactful for businesses operating in India. Enterprises need to understand the new obligations to function smoothly in India.
Under the DPDP rules, consent is one of the primary legal bases for processing personal data, which also includes cookies. Website operators, termed data fiduciaries under the DPDP rules, can use only those cookies to process personal data for which the user has given explicit consent. The law follows an opt-in model, which prohibits the use of cookies until visitors explicitly agree to it.
What do you understand by cookies?
Cookies are small text files that websites send to the user’s device to gather information for processing. The DPDP rules come into play when these cookies collect personally identifiable information (PII).
Some of the common types of cookies include those used for remembering website preferences, Google Analytics, tracking for advertisement purposes, items in a shopping cart, and more.
Important Aspects of the DPDP Rules:
Data Subject Rights: Individuals are allowed to access, delete, and correct their personal data. They are also provided with the right to question how their data is being processed and can also request their data to be transferred to another organisation.
Consent-based processing: Organisations must seek permission from individuals before the collection or usage of personal data.
Data Protection Authority: The DPDP Act has established a regulatory body called the Data Protection Board (DPB) of India that is responsible for overseeing the enforcement and implementation of the DPDP rules. This body has the authority to impose fines for non-compliance, investigate complaints, and issue directives.
Data Processing Requirements: The enterprises must handle personal data in a completely transparent, accountable, and fair manner, as well as ensure appropriate security measures are put in place to protect the same.
The DPDP rules have also introduced a concept known as “significant data fiduciary”. This refers to the data controllers handling a large amount of personal data, which is similar to a term used in GDPR. The specific companies falling under this category will be designated by the government.
Overall, the DPDP rules mark a major step forward for data protection rights in India, with the sole purpose of enhancing privacy rights and building trust in the digital economy.
Process to Collect India’s DPDP Consent Properly
Make sure that consent collected under India’s DPDP rules meets the following requirements.
- Informed: Clear information must be given to the users about the specific reason for which they are consenting. This includes details such as the type of data being processed, the reason behind processing, and the parties with whom this data shall be shared.
- Voluntary: The consent obtained should be without any coercion or pressure. Users cannot be forced to consent by combining the same with other conditions and terms, or making it a requirement to access a product or a service.
- Unconditional: Access to the services or products should not be dependent on consent. As per the cookie consent policy, certain public areas of the website cannot be blocked for the user in case the user does not agree to the use of cookies.
- Unambiguous: The consent provided must have been an affirmative and clear action from the user. A simple assumption of consent just because the user is browsing the website or combining the same with other conditions is absolutely not acceptable.
What Happens After Consent Collection Under DPDP Rules
Once the explicit consent in line with the DPDP rules is obtained from the user, enterprises can use the cookies to process the data accordingly. Data fiduciaries are also advised to keep a record of the consent they have collected to prove their compliance with the law.
Users also have the option to revoke their consent at any point in time. The enterprises must stop processing the personal data immediately once the user's consent is withdrawn.
Difference between Cookie Consent Requirements of DPDP and Other Privacy Laws
Multinational companies are curious as to how DPDP’s cookie consent requirements differ from those of other international data protection laws.
Compared to the European Union’s General Data Protection Regulation (GDPR), the main difference exists in the level of consent detail. GDPR requires specific consent for each purpose, letting users decline or accept cookies based on their purpose. However, with DPDP rules, this level of granularity is not required. A general consent for the usage of cookies is sufficient. Although this makes the process of consent simpler in India, it can also lead to users rejecting certain cookies if they do not like certain types.
Consequences of not complying with DPDP Rules
The Data Protection Board (DPB) of India can impose hefty fines and penalties for non-compliance with DPDP rules. Some of these are:
- INR 10,000 upon the data principals who fail to meet their responsibilities under the act.
- INR 50 crore on grounds of breach of the act provisions or implementation of rules where no specific penalty has been mentioned.
- Up to INR 250 crore upon failure of implementation of reasonable security measures to prevent breach of personal data.
How To Meet The Cookie Consent Requirements Under DPDP Act
In order to meet the DPDPA cookie consent requirements, enterprises can deploy consent managers registered with the Data Protection Board (DPB) of India. Privy by IDfy, India’s first full-stack data privacy and governance platform, helps you become DPDP compliant in days. It is one of the top contributors to the implementation of DPDP rules across enterprises in India.
Enterprises that adopt these frameworks faster will have an edge in global competitiveness. Cookie consent management is no longer only a necessity; it has become a competitive edge both domestically and internationally. Privy by IDfy helps you solve exactly this and get ahead of the curve.
Get in touch with us at shivani@idfy.com so that we can help you streamline your DPDP compliance journey.