Last Updated: 2025-06-23 ~ DPDP Consultants
India’s digital economy is expanding at a breakneck pace—and with it, the complexities of data privacy and protection. The Digital Personal Data Protection Act, 2023 (DPDP Act), heralds a new chapter in India’s data protection regime. However, one area remains curiously undefined in the Act: cookie management.
Despite being a cornerstone of digital interaction and user tracking, “cookies” are not explicitly mentioned in the DPDP Act or its draft rules. But this silence does not equate to exclusion. With the release of the Business Requirements Document for Consent Management System (BRDCMS) by the Ministry of Electronics and Information Technology (MeitY), India’s position on cookie compliance has become clearer.
In this blog, we explore the implications of cookie management under the DPDP Act, the expectations set by BRDCMS, and how Indian organisations can design privacy-first, compliant systems that align with global standards.
Although the DPDP Act provides a robust framework for consent, purpose limitation, and transparency, it remains silent on cookies—a gap filled by the BRDCMS, released on April 15, 2025. This document sets out detailed expectations for managing user consent and indirectly addresses cookies by requiring mechanisms that offer:
Granular consent options
Real-time consent updates
Multi-language support
Auto-expiry for data and preferences
Transparent cookie notices and banners
This guidance effectively brings cookies into the purview of DPDP compliance, even without explicit statutory language.
1. Granular Consent Options
Instead of binary "Accept All" or "Reject All" choices, users must be empowered to manage specific categories of cookies. This respects the “free, specific, informed, and unconditional” consent standard outlined in the Act.
2. Real-Time Consent Management
Consent must be as easy to revoke as it is to provide. The BRDCMS mandates user-friendly dashboards that allow users to modify or withdraw consent instantly, with backend systems immediately halting associated data collection.
3. Transparent Cookie Policies
Organisations must publish clear, accessible cookie policies that detail:
What data cookies collect
Why they collect it
How long they remain active
Whom the data is shared with
These policies must be written in simple language and reflect full transparency.
4. Inclusive Multi-Language Support
As per Section 5(3) of the DPDP Act, users must receive notices in languages they understand. This extends to cookie banners and policies as well.
5. Automated Compliance via Auto-Expiry
Cookies and user consent preferences must automatically expire after a defined period, preventing indefinite personal data processing—thus aligning with the data minimisation and retention principles.
6. Intelligent Cookie Notice Banners
First interactions with users must be impactful. Cookie banners should:
Be concise but informative
Offer options to accept, decline non-essentials, or customise preferences
Be accessible and non-obstructive
Aspect | DPDP (India) | GDPR (EU) | CCPA (California) |
---|---|---|---|
Consent Type | Opt-in (Implied for cookies via BRDCMS) | Explicit opt-in for non-essential cookies | Opt-out for cookie-related data sharing |
Cookie Mention | Not mentioned in Act; clarified in BRDCMS | Mentioned once; governed by ePrivacy Directive | Mentioned indirectly under “sale” of data |
Language Requirements | Multi-language mandated | Not explicitly required | Not explicitly required |
Granular Controls | Required under BRDCMS | Mandated | Not necessary |
Revocation Mechanism | Real-time via dashboard | Required | Not always mandated |
This comparison shows that India’s DPDP Act—powered by the BRDCMS—aligns more closely with GDPR in spirit, while offering scope for localised, innovative implementation.
Even in the absence of a dedicated “cookie law,” the onus lies on businesses to build DPDP-aligned systems. This involves:
Conducting cookie audits
Implementing dynamic consent managers
Updating privacy and cookie policies
Ensuring multilingual support and real-time revocation pathways
Most importantly, organisations should focus not just on technical deployment but on embedding privacy as a culture.
Cookie management under the DPDP Act is more than a compliance obligation—it’s a trust-building exercise. The BRDCMS makes it evident that consent, control, and clarity must be at the heart of digital engagement.
As global and local privacy laws evolve, forward-looking organisations that invest in user-centric cookie governance today will not only stay ahead of regulation but also position themselves as privacy-respecting, trustworthy brands in India’s digital future.