Last Updated: 2026-02-09 ~ DPDP Consultants
Introduction
Cookies have quietly powered the modern internet for years.
From remembering login details to personalizing content and analysing website
traffic, cookies play a crucial role in shaping how users interact with
websites. Before the introduction of India’s Digital Personal Data Protection
(DPDP) Act, 2023, cookies were largely treated as a technical feature used to
enhance user experience and support business insights, with minimal legal
scrutiny around data protection.
The regulatory landscape has now changed. With the DPDP Act
coming into force, cookies are no longer just a background technology; they are
now recognized as a key mechanism through which digital personal data may be
collected and processed. Since cookies can store unique identifiers, device and
browser information, IP addresses, and browsing behaviour, they have the
potential to identify individuals directly or indirectly, bringing them
squarely within the scope of the DPDP Act.
This blog aims to demystify cookies from both a technical
and legal perspective. It begins by explaining what cookies are and how they
work, followed by a detailed overview of the different types of cookies based
on duration, source, and purpose. The blog then explores how cookies collect
personal data and why this matters under the DPDP Act, including obligations
around consent, transparency, data minimisation, and user rights.
By the end of this blog, one will have a clear understanding
of how the perception and regulation of cookies in India have evolved, from a
simple website functionality tool before DPDP to a regulated personal data
processing activity after DPDP, and what this shift means for organizations and
users alike.
A cookie is a small message that a web server passes to
the user's browser when the user visits a website. In other words, cookies are
small text files of information created or updated when visiting a website and
stored in the user's web browser. Cookies are commonly used to hold information
about user sessions, user preferences and other data on the website. Cookies
help websites remember users and track their activities to provide a
personalised experience.
When someone visits a website or interacts with it, a small
text file (i.e. a cookie) is sent from the site and saved in the visitor's web
browser. On subsequent visits, the server can access this cookie to retrieve
information about the visitor, including their past browsing activities on the
site. To put it simply: when your web browser (the client machine, or endpoint
device) visits a website for the first time, the web server hosting the
website sends back the requested data along with these cookies, which are
stored on your endpoint device. Whenever you subsequently browse the same
website, the cookies are retrieved and the previously stored information is
reused.
Now that we have a fundamental understanding of what cookies
are and how they work, let’s look at the various classifications of
cookies.
Session cookies: These are temporary in nature and expire when you close your browser or end your current session.
Persistent cookies: These cookies remain on your hard
drive until you delete them, or your browser does so based on the cookie's
expiration date. Each persistent cookie has an expiration date coded into it,
but the duration can differ.
First-party cookies: These are directly placed on
your device by the website you are currently visiting.
Third-party cookies: Third-party cookies are set on
your device by entities other than the website you are visiting, such as
advertisers or analytics providers.
Strictly necessary cookies: These are vital for navigating the
website and using its features, such as accessing secure areas. For example,
cookies that keep items in your cart while shopping online fall into this
category. These are typically first-party session cookies. Although consent
isn't required for these cookies, their purpose and necessity should be
explained to users.
Preferences cookies: These cookies, also known as
"functionality cookies," enable a website to remember your past
choices, such as preferred language, desired region for weather reports, or
login details for automatic sign-in.
Statistics cookies: Also called "performance
cookies," these cookies gather information on how you use a website, the
pages you visit and the links you click. This data is aggregated and
anonymized, solely to enhance website functionality. This category includes
cookies from third-party analytics services used exclusively by the website
owner.
Marketing cookies: These monitor your online activity to help advertisers
deliver more relevant ads or limit ad frequency. These cookies can share
information with other organizations or advertisers and are usually persistent
and third-party in origin.
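The duration and source classifications above can be read directly off the Set-Cookie headers a page load produces. The following is an added example, not part of the original article: it parses captured headers and labels each cookie as session or persistent and as first-party or third-party. The host names, cookie names and values are constructed sample data, and the suffix match used for "first-party" is a simplifying assumption.

```javascript
// Added example. Host names and cookie values are constructed sample data.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? '' : pair.slice(0, eq), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Duration: no Expires/Max-Age means the cookie ends with the browser session.
// Max-Age takes precedence over Expires; Max-Age <= 0 deletes the cookie.
function duration({ attrs }) {
  if ('max-age' in attrs) {
    return Number(attrs['max-age']) > 0 ? 'persistent' : 'deleted';
  }
  return 'expires' in attrs ? 'persistent' : 'session';
}

// Source: first-party if the responding host is the visited site or one of
// its subdomains. Assumption: a plain suffix match stands in for a proper
// registrable-domain comparison.
function source(responseHost, pageHost) {
  const r = responseHost.toLowerCase();
  const p = pageHost.toLowerCase();
  return r === p || r.endsWith('.' + p) ? 'first-party' : 'third-party';
}

function auditCookies(pageHost, responses) {
  return responses.flatMap(({ host, setCookie }) =>
    setCookie.map((header) => {
      const cookie = parseSetCookie(header);
      return { name: cookie.name, duration: duration(cookie), source: source(host, pageHost) };
    }));
}

// Constructed capture: responses seen while loading a page on shop.example.
const SAMPLE_RESPONSES = [
  { host: 'shop.example', setCookie: [
    'cart=abc123; Path=/; HttpOnly; Secure',
    'lang=en-IN; Max-Age=31536000; Path=/',
    'old_pref=; Max-Age=0; Path=/'] },
  { host: 'ads.tracker.example', setCookie: [
    'uid=7f3a; Expires=Wed, 09 Feb 2028 10:00:00 GMT; SameSite=None; Secure'] },
];

console.table(auditCookies('shop.example', SAMPLE_RESPONSES));
```

An inventory like this is the starting point for assigning each cookie a purpose category, which the headers themselves do not reveal.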
Why Are Cookies Important Under the DPDP Act?
Many website cookies store information such as unique
identifiers (cookie IDs or user IDs), IP addresses, device and browser details,
and browsing behaviour. Individually, these data elements may not directly
reveal a person’s name or contact details. However, when combined or linked
over time, they can directly or indirectly identify an individual by
distinguishing one user from another.
Under the Digital Personal Data Protection (DPDP) Act, 2023,
digital personal data includes any data in digital form that relates to
an identifiable individual. Since cookie-based identifiers and tracking data
enable the recognition, profiling, or tracking of a user across sessions or
websites, they fall within the scope of Digital Personal Data.
As a result, the collection and processing of such cookie
data must comply with DPDP requirements, including lawful purpose, user
consent, transparency, data minimisation, and protection of the data
principal’s rights.
DPDP Requirements Applicable to Cookie-Based Personal Data
Since cookies can collect and process Digital Personal Data, organizations must comply with the following key obligations under the DPDP Act, 2023:
1. Lawful Purpose
Personal data collected through cookies must be processed
for a clear, specific, and lawful purpose.
Websites should use cookies only for purposes such as website security,
functionality, analytics, or marketing, and not for undefined or excessive
tracking.
2. User Consent
For non-essential cookies (such as analytics and marketing
cookies), organizations must obtain freely given, informed, and explicit
consent from the user before placing such cookies on their device.
3. Transparency
Websites must clearly inform users about:
This information should be provided through a Cookie Policy
or Privacy Notice in clear and simple language.
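One way to enforce the consent obligation above on the server side is to withhold every non-essential Set-Cookie header until the user's consent record covers its purpose. This is an added example, not part of the original article; the cookie names, the purpose registry and the shape of the consent record are hypothetical, and treating preferences cookies as consent-gated is an assumption.

```javascript
// Added example. The registry, cookie names and consent record are hypothetical.
// Purposes follow the article's categories.
const COOKIE_PURPOSES = {
  session_id: 'strictly_necessary',
  cart: 'strictly_necessary',
  lang: 'preferences',
  _stats: 'statistics',
  ad_uid: 'marketing',
};

function cookieName(setCookieHeader) {
  return setCookieHeader.split(';')[0].split('=')[0].trim();
}

// Returns which headers may be sent and which must be withheld.
// Cookies missing from the registry are denied by default, so a newly added
// tracker cannot be placed before someone has classified it.
function filterByConsent(setCookieHeaders, consent) {
  const allowed = [];
  const withheld = [];
  for (const header of setCookieHeaders) {
    const name = cookieName(header);
    const known = Object.prototype.hasOwnProperty.call(COOKIE_PURPOSES, name);
    const purpose = known ? COOKIE_PURPOSES[name] : 'unclassified';
    // Only an explicit `true` counts as consent; absent or falsy means no.
    const ok = purpose === 'strictly_necessary' || consent[purpose] === true;
    (ok ? allowed : withheld).push({ name, purpose, header });
  }
  return { allowed, withheld };
}

// Constructed sample: cookies an application wants to set on one response.
const RESPONSE_COOKIES = [
  'session_id=s1; Path=/; HttpOnly; Secure',
  'lang=en-IN; Max-Age=31536000',
  '_stats=v1.42; Max-Age=63072000',
  'ad_uid=7f3a; Max-Age=31536000; SameSite=None; Secure',
  'mystery=1',
];
// Constructed consent record: the user accepted preferences only.
const CONSENT = { preferences: true, statistics: false, marketing: false };

const decision = filterByConsent(RESPONSE_COOKIES, CONSENT);
console.log('send:', decision.allowed.map((c) => c.name));
console.log('withhold:', decision.withheld.map((c) => `${c.name} (${c.purpose})`));
```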
How to Delete and Block Cookies?
Users have full control over how cookies are stored on their
devices. Most web browsers allow you to delete existing cookies and block new
cookies through their settings.
1. Delete Cookies from Your Browser
You can remove cookies already stored on your device by
clearing your browser data.
General steps (may vary slightly by browser):
This will remove cookies stored by websites on your device.
2. Block Cookies
Browsers also allow you to block cookies either partially or
completely.
Options available:
Blocking cookies may affect certain website features such as login, shopping carts, or saved preferences.
3. Manage Cookie Preferences on Websites
Many websites provide a cookie consent banner or preference
centre where you can:
4. Browser-Specific Controls
Most popular browsers provide built-in cookie controls:
Users can access cookie settings directly within these
browsers to manage storage and permissions.
5. Impact of Blocking Cookies
While blocking or deleting cookies enhances privacy, it may:
Essential cookies are usually required for basic website
functionality.
Cookies have evolved from being a simple technical tool that
improves website functionality to a significant data collection mechanism with
legal and privacy implications. While they continue to play an important role
in enabling seamless navigation, personalization, and analytics, their ability
to collect identifiers, device details, and browsing behaviour means they can
also process digital personal data.
With the enforcement of the Digital Personal Data Protection
(DPDP) Act, 2023, the use of cookies in India is now subject to clear data
protection obligations. Organizations must ensure that cookie-based data
collection is carried out for a lawful purpose, supported by informed user
consent where required, and governed by transparency. At the same time, users
are empowered with greater control over their personal data through consent
mechanisms and browser-level cookie controls.
Understanding how cookies work, the different types of
cookies, and their implications under the DPDP Act helps both organizations and
individuals make informed and responsible choices. For organizations, it
reinforces the need to treat cookies as part of their data protection
compliance framework. For users, it highlights the importance of actively
managing cookie preferences to protect privacy while enjoying a functional and
personalized web experience.
In a post-DPDP landscape, cookies are no longer
just about convenience; they are about accountability, transparency, and trust
in the digital ecosystem.