
Cookie management under the Digital Personal Data Protection Act, 2023

While the DPDP Act and draft Rules have never expressly mentioned “cookies” or defined them, the BRDCMS clears the air around cookie compliance.

Kaustubh Shakkarwar, Gauri Gupta

India’s comprehensive approach to data protection is embodied in the Digital Personal Data Protection Act, 2023 (DPDP Act). The Act sets the framework for processing personal data within India’s growing digital economy.

While the DPDP Act contains detailed provisions on consent management and lays down principles of data protection and the rights of data principals, it remains conspicuously silent on one of the most ubiquitous aspects of digital interaction: cookie consent management. This creates both opportunities and challenges for organisations operating within India’s digital landscape, particularly when compared with the more comprehensive and conventional regulatory frameworks of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

The silence on the specific cookie consent provisions within the DPDP Act does not diminish the importance of efficient cookie management. Instead, it necessitates a nuanced understanding of how general data protection principles apply to cookie consent mechanisms. Organisations must navigate through this regulatory framework while ensuring compliance with the broader consent and transparency requirements within the DPDP Act.

Understanding cookie consent management

Cookie consent management is a critical bridge between the expectations of user privacy and organisational data collection needs. As per the framework of the DPDP Act, while cookies themselves are not explicitly addressed, the personal data collected and processed falls within the purview of the legislation. This creates a crucial imperative for organisations to implement robust cookie consent mechanisms which align with the consent principles of the DPDP Act.

The purpose of cookie consent management extends beyond mere regulatory compliance: it also ensures that users (referred to as data principals under the DPDP Act) are comprehensively informed about the cookies and tracking technologies deployed on websites and applications.

Effective cookie consent management under the DPDP Act, as under most data privacy regimes, must recognise that consent as per the DPDP Act must be free, specific, informed and unconditional. This translates to cookie management systems that provide clear information about cookie purposes, enable granular control over different cookie categories and ensure that consent can be withdrawn as easily as it is given.

Essential features of cookie consent under DPDP Act

The Business Requirements Document for Consent Management System (BRDCMS) was issued by the National e-Governance Division, Ministry of Electronics and Information Technology (MeITY), on April 15, 2025. The BRDCMS, while seemingly only advisory in nature, outlines how the industry must approach consent management for compliance with the DPDP Act. Its stated objectives are to enable comprehensive consent lifecycle management, explaining the “how” of consent under the DPDP Act and Rules. While the DPDP Act and draft DPDP Rules have never expressly mentioned “cookies” or defined them, the BRDCMS clears the air around cookie compliance.

Granular consent options

According to the BRDCMS, effective cookie management hinges upon granular consent options. Users must be empowered to consent to specific categories of cookies rather than being presented with an all-or-nothing choice. This granular approach aligns with the requirement of specific consent under the DPDP Act, ensuring that users understand exactly what they are consenting to and can make informed choices about different aspects of the processing of their data.

Real-time updates and user control

Effective cookie management under the DPDP Act, as detailed in the BRDCMS, requires real-time updates to user preferences. Users must have access to a dedicated cookie preferences interface that allows them to modify or revoke their consent without undue complexity or delay. This interface should be easily accessible, typically through privacy settings or a dedicated cookie management dashboard.

The real-time nature of these updates is crucial for maintaining compliance with the principles of consent as enshrined under the DPDP Act. When a user withdraws consent for specific cookie categories, the system must immediately cease the collection and processing of data through those cookies, ensuring that the user’s privacy preferences are respected without delay.

Cookie policy display

Transparency is one of the fundamental pillars of the DPDP Act and extends to cookie usage disclosure. While the DPDP Act itself remains silent on specific cookie policies, the BRDCMS mandates the provision of a clear and accessible cookie policy. Organisations must provide clear and accessible cookie policies which outline the purposes of cookie usage, the data sharing practices and the implications of different consent choices.

The cookie policy serves as a comprehensive resource enabling users to make informed decisions about their consent preferences. Thus, it is crucial for the cookie policy to clearly explain what cookies are, why they are used, what data they collect, how long they remain active and with whom the collected data might be shared.

Inclusive multi-language support

The BRDCMS makes it explicit that the cookie policies, cookie notices and preference interfaces should be offered in multiple languages to enable users from varied linguistic backgrounds to comprehend and effectively exercise their rights, similar to Section 5(3) of the DPDP Act, which states that notices must be in a multitude of languages.

Automated compliance through auto-expiry

In order to align with the data retention principles of the DPDP Act, cookie management systems should implement auto-expiry mechanisms which set appropriate expiration periods for both user preferences and cookies themselves as set out in the BRDCMS. This ensures compliance with the principles of data minimisation and data retention, and prevents the indefinite processing of personal data without valid consent.

Cookie notice banner

The cookie notice banner is the users’ first point of interaction with the cookie management system. It informs them about cookie usage and obtains their consent. It must provide clear, concise information and offer meaningful choices such as accepting all cookies, declining non-essential cookies or customising settings, as outlined in the BRDCMS.

In the absence of specific cookie consent-related provisions in the DPDP Act, businesses must adhere to general data protection principles when managing cookies, ensuring compliance with consent, purpose limitation and transparency requirements.
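The following is an added illustration, not code from the article or from the BRDCMS, of how the features described above (granular categories, the banner's three choices, real-time withdrawal and auto-expiry of preferences) fit together in one consent record. The category names, the 180-day preference validity and the Map-based cookie store standing in for `document.cookie` are all assumptions made for the example.

```javascript
// Constructed example of a consent record for a cookie management system.
// Cookies live in a Map<name, {category, value}> so the logic runs outside a browser.
const CATEGORIES = ["essential", "analytics", "marketing"]; // assumed category set
const PREFERENCE_TTL_MS = 180 * 24 * 60 * 60 * 1000;         // assumed 180-day validity

class ConsentManager {
  constructor(jar, now = () => Date.now()) {
    this.jar = jar;      // cookie store stand-in
    this.now = now;      // injectable clock so expiry can be tested
    this.record = null;  // { choices, grantedAt, expiresAt } or null = no consent
  }
  // Record a granular choice; essential cookies are always allowed, the rest opt-in.
  grant(choices) {
    const ts = this.now();
    const normalised = {};
    for (const c of CATEGORIES) normalised[c] = c === "essential" ? true : choices[c] === true;
    this.record = { choices: normalised, grantedAt: ts, expiresAt: ts + PREFERENCE_TTL_MS };
    this.sweep();
    return this.record;
  }
  acceptAll() { return this.grant({ analytics: true, marketing: true }); }
  declineNonEssential() { return this.grant({}); }
  // Withdrawal takes effect immediately: matching cookies are removed in the same call.
  withdraw(category) {
    if (category === "essential" || !this.record) return 0;
    this.record.choices[category] = false;
    return this.sweep();
  }
  // A lapsed preference counts as no consent (auto-expiry), so non-essential use stops.
  isAllowed(category) {
    if (category === "essential") return true;
    if (!this.record || this.now() >= this.record.expiresAt) return false;
    return this.record.choices[category] === true;
  }
  // Only set a cookie when its category is currently consented to.
  setCookie(name, category, value) {
    if (!this.isAllowed(category)) return false;
    this.jar.set(name, { category, value });
    return true;
  }
  // Delete every cookie whose category is no longer allowed; returns the count removed.
  sweep() {
    let removed = 0;
    for (const [name, c] of [...this.jar]) {
      if (!this.isAllowed(c.category)) { this.jar.delete(name); removed++; }
    }
    return removed;
  }
}
```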

Stepping away from other data privacy regimes

The General Data Protection Regulation (GDPR) of the European Union is the gold standard of comprehensive data protection law. However, it mentions cookies directly only once, in Recital 30, which explains that cookies, if used to identify users, will qualify as personal data and will fall within the scope of the GDPR. The EU had, however, enacted the ePrivacy Directive in 2002, which has since become known as the “cookie law.” Supplementing the GDPR, the cookie law provides that organisations must obtain the consent of users before they use any cookies. They are also required to provide accurate and specific information about the data each cookie will track and explain the purpose of the same in simple terms before obtaining the consent of the data subject.

The Directive also provides that organisations should document and store the consent received and allow users to access the services even when they refuse to allow certain cookies. The GDPR emphasises explicit consent mechanisms, with clear requirements for opt-in consent rather than opt-out approaches. The GDPR framework also requires that consent be as easy to withdraw as it is to give, which has led to the development of sophisticated consent management platforms that enable granular control over cookie preferences. Organisations must maintain detailed records of consent and be able to demonstrate compliance with GDPR requirements.

The California Consumer Privacy Act (CCPA) takes a different approach, focusing on consumer rights and disclosure requirements rather than explicit consent mechanisms. Under the CCPA, consumers have the right to know what personal information is collected about them, including through cookies and similar technologies. CCPA emphasises the right to opt-out of the sale of personal information, which can include data collected through cookies for advertising purposes. This creates an opt-out framework rather than the opt-in approach favoured by the GDPR, placing different compliance burdens on organisations.

The choice between opt-in and opt-out default settings represents a fundamental philosophical difference in privacy regulation approaches. The opt-in framework of the GDPR requires organisations to obtain explicit consent before processing personal data through non-essential cookies, placing the burden on organisations to justify their data collection practices.

In contrast, opt-out frameworks under the CCPA allow organisations to collect and process personal data by default, with users required to take active steps to prevent such processing. This approach is generally seen as more business-friendly but potentially less protective of user privacy.

Authors' view

Cookie management under the DPDP Act represents a complex intersection of technical implementation, regulatory compliance and user experience design. This is because it demands real-time consent orchestration across multiple data processing purposes while maintaining seamless user experience and ensuring compliance with the consent and data localisation requirements under the DPDP Act. In other words, there is a need to balance granular user consent requirements with seamless technical functionality while ensuring compliance across various data processing purposes and cross border transfers. While the DPDP Act is silent on specific provisions pertaining to cookie consent management, it also provides flexibility for organisations to develop innovative approaches that align with fundamental privacy principles enshrined in the Act.

The key to successful cookie management under the DPDP Act lies in understanding that compliance extends beyond technical implementation to encompass comprehensive respect for user privacy rights, transparent communication about data practices and genuine commitment to user control over personal data processing. Organisations that embrace these principles while implementing robust technical controls will be best positioned to navigate the evolving privacy landscape while building trust with their users.

Comparing the GDPR, the CCPA and the DPDP Act powered by the BRDCMS, demonstrates that while regulatory approaches may differ, the fundamental goal of protecting user privacy through meaningful consent and transparency remains consistent. The approach of the DPDP Act offers the opportunity to learn from international experiences while developing unique solutions for India that reflect local values and expectations around privacy and data protection.

In the realm of digital privacy, specifically under the purview of the DPDP Act, the management of cookies emerges as a critical consideration. While the intricacies of consent mechanisms warrant their own dedicated analysis, it's important to acknowledge their integral role in this framework.

As the economy continues to be data-driven, cookie management will remain a critical component of comprehensive privacy compliance. Organisations that invest in robust, user-centric cookie management systems today will be better prepared for future regulatory developments and will demonstrate their commitment to respecting user privacy in an increasingly connected digital world.

Kaustubh Shakkarwar is the Founder Counsel of Data>Nuance and Gauri Gupta is an Associate at the company.
