Digital Personal Data Protection Act (DPDPA) Explained: Cookie Consent & Compliance Guide for India

Editor's note: This is Part 1 of a two-part series on DPDPA compliance. Part 1 covers the foundation of the law, cookie types, and how consent management works in practice. Part 2 covers the technical architecture, legal obligations, breach scenarios, penalties, and your action roadmap.
Introduction
India's data privacy landscape changed forever in August 2023. The Digital Personal Data Protection Act — DPDPA — became law, and with the DPDP Rules finalised in November 2025 and the Data Protection Board of India (DPBI) now fully operational, compliance is no longer a future concern. It is a present obligation.
Yet most businesses in India are still asking the same question: "Where do we even start?"
This guide is our attempt to answer that question clearly, practically, and without legal jargon. At COSGrid, we implemented DPDPA compliance internally before writing a single word of advice on it. What follows is everything we learned — organised into a format that engineers, product managers, compliance leads, and founders can all actually use.
Let us start at the very beginning.
Section 1: What is Personal Data?
Before understanding DPDPA, you need to understand what the law is protecting in the first place.
Personal data, as DPDPA defines it, is any data about an individual who is identifiable by that data or in relation to it. That definition is broader than most people realise.
It includes the obvious: a person's name, phone number, email address. But it also includes things that many businesses collect without thinking twice — IP addresses, browsing history, purchase history, passwords and PINs, home and work addresses, and any other identifier that, alone or combined with other data, can point to a specific individual.
Here is why this matters practically: if your website uses Google Analytics, you are collecting IP addresses. If your app tracks which screens a user visits, you are collecting behavioural data. If your CRM stores customer purchase history, you are storing personal data. Under DPDPA, if your business touches any of the above, you are legally obligated to protect it.
The law does not draw a distinction between sensitive data and ordinary personal data for most of its provisions. The moment you collect it, the obligations begin.
Section 2: What is DPDPA?
The Digital Personal Data Protection Act, 2023 is India's landmark data privacy legislation. Think of it as India's answer to Europe's GDPR: a comprehensive legal framework governing how the digital personal data of individuals in India is collected, stored, used, and shared.
A few things make DPDPA particularly significant:
It reaches beyond India. The Act covers processing of digital personal data within India, and processing outside India whenever it is connected to offering goods or services to individuals in India. A company based elsewhere that serves Indian users through a website, a mobile app, or a SaaS platform is in scope; being headquartered abroad is not an exemption.
It covers 800 million+ internet users. Every Indian internet user now has legal rights over their personal data. That is not a theoretical number. It represents your customers, your users, and your prospects.
It is already in force. This is not upcoming legislation. The DPBI has been operational since November 2025. Complaints can be filed today. Investigations can be launched today. Penalties can be levied today.
The Enforcement Timeline You Need to Know
Understanding when each phase kicks in is critical for planning:
Phase | Date | What It Means
Law enacted | August 2023 | DPDPA signed into law
Phase 1 (now) | November 2025 | DPDP Rules finalised; DPBI operational; complaints can be filed
Phase 2 (consent) | November 2026 | Consent Manager registration becomes mandatory
Phase 3 (full) | May 2027 | All substantive obligations enforced: data principal rights requests (DSARs), DPO appointments, algorithmic audits
The most important thing to understand about this timeline is that Phase 1 is not a grace period. The penalties apply from Phase 1 onwards. Waiting until May 2027 to begin is not a strategy — it is a risk.
Section 3: Why Should Your Business Care?
There are three dimensions of risk that DPDPA creates for non-compliant businesses, and all three are serious.
Financial Risk
The highest penalty band under DPDPA is up to ₹250 Crore, reserved for a failure to take reasonable security safeguards to prevent a personal data breach. Each distinct violation attracts its own penalty, so multiple failures stack. The Data Protection Board can also issue binding directions, and where it has penalised the same Data Fiduciary more than once, the Central Government can order access to that fiduciary's platform to be blocked.
This is not a theoretical risk. The DPBI is operational. Enforcement is a matter of when, not if.
Legal Risk
DPDPA gives individuals, your customers, the right to complain directly to the Data Protection Board if they believe their data has been mishandled. You do not need a regulator to initiate proceedings: any customer who believes you have failed to protect their data can trigger an inquiry. The one precondition cuts both ways. The Act requires a Data Principal to first use the Data Fiduciary's own grievance redressal mechanism before approaching the Board, so that mechanism must exist, be easy to find, and respond within the time period you publish; an unanswered grievance is itself a finding against you.
Brand and Trust Risk
73% of consumers say they would stop using a service after a data breach. In an era where data breaches are reported publicly and spread rapidly on social media, non-compliance is not just a legal problem — it is a business continuity problem. The organisations that will win customer trust in the next decade are those that can demonstrate, not just claim, that they take data protection seriously.
Section 4: Key Terms — Decoded
DPDPA introduces specific legal terminology that every team member handling data should understand. Here is what the key terms actually mean in plain language:
Data Principal — This is your customer, the person whose data is being collected. DPDPA does not frame this as ownership; it gives the Data Principal specific, enforceable rights over how that data is processed, and those rights are what your systems must be able to honour.
Data Fiduciary — This is your business. You are the entity that decides why and how personal data is processed. You bear the legal responsibility for compliance. The word "fiduciary" is significant — it implies a duty of care, not just a contractual obligation.
Data Processor — Any third-party tool or vendor that processes personal data on your behalf. This includes cloud providers like AWS, CRM platforms like Salesforce, analytics tools like Google Analytics, and email marketing platforms. Your Data Processors work under your instruction, but their failures can become your liability.
Consent — A clear, specific, informed "yes" from the user before you collect their data. It must be freely given — not bundled with terms and conditions, not pre-ticked, not required as a condition of service. And critically, consent must be withdrawable at any time, as easily as it was given.
Data Breach — Not just hacking. Any unauthorised access to, leakage of, or loss of personal data constitutes a breach. An employee emailing the wrong person, a misconfigured database made public, a vendor getting compromised: all of these are breaches under DPDPA. The Act sets no materiality threshold, so every one of them must be notified to the DPBI and to each affected Data Principal.
Section 5: Cookies — What They Are and Why They Matter for Compliance
Before we can talk about consent management — which is the operational heart of DPDPA compliance for most businesses — we need to understand cookies.
A cookie is, in simple terms, a small text file that a website stores on your browser when you visit. It is like a sticky note that the website leaves on your device — it remembers who you are, what you clicked, what language you prefer, and what you put in your shopping cart. Some cookies are essential for the website to function. Others are used to track your behaviour across the internet for advertising purposes.
Under DPDPA, cookies that collect personal data require consent before they can be placed. This is where most businesses have significant compliance gaps — and where the consequences are most immediate.
The Four Types of Cookies Your Business Uses
Understanding cookie categories is the foundation of any consent management strategy.
Necessary Cookies are always on. They do not require consent because they are essential for the website to function at all. This category includes session tokens that keep you logged in, shopping cart contents, security tokens (CSRF), and language preferences. If you disabled these, your website would stop working. DPDPA's "legitimate uses" framework exempts these from consent requirements.
Analytics Cookies require explicit user consent before they can fire. Google Analytics, Hotjar, Mixpanel, and similar tools fall into this category. They collect behavioural data — which pages you visited, how long you stayed, where you dropped off in a funnel. This data is personal data under DPDPA because it can be tied to an individual through IP address and device identifiers.
Marketing Cookies carry the strictest consent requirement. Facebook Pixel, Google Ads tracking, retargeting pixels, and ad personalisation tools fall here. These cookies track users across websites — they follow your visitors from your site to other sites across the internet. The consent requirement is explicit opt-in, with a clearly stated purpose. Pre-ticked boxes or assumed consent are not valid.
Functional Cookies exist in a grey zone. A/B testing tools, chat widgets, video player state, and UI customisation tools may or may not require consent, depending on whether they collect or transmit personal data. Each tool needs to be assessed individually. If it sends data to a third-party server and can identify the user — it requires consent.
Section 6: Cookie Consent in Practice — The Three Paths
When a user visits your website and sees a cookie consent banner, they have three choices. Each choice triggers a different technical and legal outcome, and your systems must be built to handle all three correctly.
Path 1: Accept All
When a user clicks "Accept All," they are giving explicit consent for all categories of cookies — necessary, analytics, marketing, and functional. Your Consent Management Platform (CMP) records this decision with a timestamp, and Google Tag Manager can fire all tags configured for consented categories.
From a technical perspective: analytics tracking is active, marketing pixels fire, A/B testing tools run, and full personalisation is enabled. From a business perspective: you have complete visibility into this user's session and behaviour.
Path 2: Essentials Only
This is where most businesses have gaps in their implementation. When a user selects "Essentials Only," only a specific subset of cookies can remain active.
What is still allowed: session and authentication cookies, language and UI preference cookies, and payment security tools like Stripe's fraud detection. These are permitted because they are necessary for the site to function and do not involve tracking.
What must be blocked: Google Analytics, Hotjar, Facebook Pixel, Google Ads, and any other tool that collects behavioural data or tracks across sites. Your Google Tag Manager must be configured to not fire these tags for users in the "Essentials Only" consent state.
What is uncertain and requires case-by-case assessment: A/B testing tools and chat widgets. If Optimizely is only changing which button colour a user sees and stores nothing personally identifiable — it may be acceptable. If it is sending session data to a third-party server — it requires consent. Similarly, if Intercom sets a tracking cookie that persists across sessions — it requires consent.
Path 3: Reject All
When a user clicks "Reject All," the consequences are clear and legally binding. No cookies beyond strictly necessary ones can be stored. No third-party scripts can fire. The browser remains clean.
Technically: Google Analytics and GTM do not fire, Facebook Pixel is blocked, no retargeting audiences can be built, and email and push marketing tools cannot track this user's behaviour.
Legally: You must honour this rejection without workarounds. DPDPA does not name fingerprinting, but its consent requirement attaches to the processing of personal data, not to the cookie mechanism. Substituting browser fingerprinting, canvas fingerprinting, local storage, or any other tracking technique for a cookie the user has rejected is processing without consent, and therefore a direct violation.
Your Consent Management Platform must log this rejection with a timestamp, the choice made, the categories it covers, and the version of the banner and policy the user was shown. This log is your compliance evidence, the proof that you honoured the user's choice if the DPBI ever asks. One caveat: the log is itself personal data. If you record the IP address alongside the choice, treat it as part of the same record-keeping purpose, store no more than you need (a keyed hash that links entries from the same client is usually enough), and give the log a retention period like any other personal data store.
There is one more critical point: withdrawing consent must be as easy as giving it. If a user accepted all cookies on Monday and wants to change their mind on Friday, they must be able to find your preference centre easily — typically linked in the website footer — and make that change with the same ease as the original consent. Dark patterns that make withdrawal difficult are explicitly non-compliant.
What Happens When a User Chooses Essentials Only or Reject All — Business Impact
It is important to be honest about the business consequences of users exercising their privacy rights, because understanding the trade-offs is the only way to make sensible decisions.
When users restrict cookies, analytics data gaps appear. You lose visibility into their sessions — funnel drop-offs, time on page, scroll depth, conversion paths. Over time, if a significant portion of your user base restricts tracking, your analytics data becomes less representative of actual user behaviour.
Ad costs can rise. Without remarketing audiences — which require marketing cookies — you are forced into more expensive cold targeting. Your customer acquisition cost increases as you lose the efficiency advantage of targeting people who have already shown interest.
These are real consequences. But they are the legal and ethical reality of operating in a consent-first environment. The organisations that adapt — by focusing on first-party data strategies, contextual advertising, and email consent marketing — will be better positioned long-term than those that fight the regulation.
Conclusion
DPDPA is not a bureaucratic inconvenience. It is a structural shift in how Indian businesses must think about data — from a resource to be collected freely to a responsibility to be managed carefully.
The core of that shift, for most businesses, starts with consent. Understanding what personal data you collect, what cookies you use to collect it, and how you handle the three consent choices your users make — Accept All, Essentials Only, Reject All — is the foundation everything else is built on.
In Part 2 of this series, we go deeper into the technical architecture of consent management, the 5 core legal obligations DPDPA places on your business, your customers' rights and how to fulfil them, what a real data breach looks like, the complete penalty structure, and a phased roadmap aligned to the DPDP Rules 2025 enforcement timeline.