From Implied Permission to Explicit Consent: India’s Data Law Tightens the Reins
While the DPDP Act, 2023, does not mention the word “cookies” explicitly, its implications for cookie consent are crystal clear — especially in light of the Bharat Rules for Digital Consent Management Systems (BRDCMS). At Narendra Madhu Associates, we break down what this means for businesses, developers, and data fiduciaries operating in India.
Introduction: The Cookie Crux in India’s Digital Law
Cookies are more than crumbs of code — they track, remember, and inform every click, scroll, and session across the internet. For businesses, cookies enable personalization, analytics, and advertising. But for users, they quietly log behaviour, sometimes without awareness or permission.
With the introduction of the Digital Personal Data Protection Act, 2023 (DPDP Act), India takes its first major step towards codifying digital consent and protecting personal data. However, the Act curiously omits the word “cookies” entirely.
So, does this mean cookies escape the scope of India’s data law?
Absolutely not.
Thanks to the evolving Bharat Rules for Digital Consent Management Systems (BRDCMS) — the operational layer that gives teeth to the DPDP Act — cookie compliance is no longer a soft suggestion. It’s a statutory necessity, especially when cookies are involved in the collection or processing of personal data.
At Narendra Madhu Associates, we examine how cookies now intersect with the Indian legal landscape, and what every business — from e-commerce to EdTech — must implement to remain compliant.
Understanding Cookie Consent Management
Cookies fall broadly into the following categories:
- Essential (strictly necessary): Used for core functionalities like logins or cart management.
- Functional: Enhance site performance or user experience.
- Performance (analytics): Track site usage and behaviour for improvement.
- Targeting/Advertising: Collect data to deliver customised ads.
The issue arises when cookies — especially analytics and advertising ones — begin to collect personally identifiable information (PII), such as IP addresses, location data, behaviour trails, and device identifiers.
Under the DPDP Act, this kind of data qualifies as personal data. Therefore, the use of such cookies requires prior, informed, and voluntary consent from the user.
Key Features of Cookie Consent Under the DPDP Act and BRDCMS
1. Granular Consent Options
Gone are the days of blanket “Accept All Cookies” prompts. The BRDCMS framework mandates that users must be allowed to selectively consent to each category of cookie.
Legal Relevance:
- Sections 6 and 7 of the DPDP Act define valid consent as “specific to the purpose.”
- Cookie consent must be categorised (Essential, Analytics, Marketing, etc.) with toggles or checkboxes.
Practical Tip from NMA:
Deploy category-specific toggles in your consent banner. Avoid pre-checked boxes.
2. Real-Time Consent Updates & Withdrawal Rights
Consent under the DPDP is not a one-time checkbox. Users must be able to modify or withdraw their consent at any time, and systems must instantly implement these changes.
Legal Backbone:
- Section 6(3) of the DPDP Act empowers data principals to withdraw consent at will.
- BRDCMS will mandate real-time consent withdrawal capabilities through APIs or in-browser UI.
Implementation Insight:
Maintain a visible “Manage Cookie Preferences” link in the footer or settings area. The system must auto-adjust tracking behaviour based on updates.
3. Transparent and Accessible Cookie Policy
A detailed Cookie Policy is a compliance necessity. It must explicitly state:
- Types of cookies used
- Data collected and purposes
- Duration of storage (expiry)
- Third parties with whom data is shared
- Legal basis for each cookie (consent vs necessity)
Legal Context:
The Act requires transparency (Section 6(1)(b)) and lawful purpose for all data processing. Cookie policies bridge this legal requirement and UX communication.
From the Desk of NMA:
Keep the policy simple, avoid legalese, and hyperlink it in your cookie notice.
4. Multi-Language & Inclusive Consent Mechanisms
Consent is valid only if the user understands it. The BRDCMS mandates multi-language interfaces, ensuring inclusivity for India’s linguistically diverse population.
Legal Implication:
Consent not given in a comprehensible language violates the “informed consent” requirement (Section 6).
Best Practice:
Use at least English plus one regional language based on your user geography. For pan-India platforms, offer a drop-down for Hindi, Gujarati, Tamil, Bengali, etc.
5. Auto-Expiry of Non-Essential Cookies
Non-essential cookies, especially marketing or analytics ones, should have defined lifespans. Systems must enforce automatic expiry or prompt renewed consent after a set duration (e.g., 6 or 12 months).
Legal Reference:
- Data Minimisation (Section 8) requires storage for “only as long as necessary.”
- BRDCMS is expected to mandate cookie lifespan declarations and automated expiration mechanisms.
What NMA Recommends:
Audit all third-party cookies. Set expiry timelines based on function. Avoid “forever” cookies.
6. Cookie Notice Banner Requirements
A clear, non-intrusive, but unavoidable banner must appear on first visit and upon data policy changes. This banner should include:
- Brief purpose of cookies
- Link to full cookie policy
- Separate “Accept All”, “Reject All”, and “Manage Preferences” buttons
- No pre-selected checkboxes
- No nudging or “dark patterns”
Legal Rationale:
Only active, unambiguous consent is valid under Indian law. Passive browsing or auto-consent models will no longer stand legal scrutiny.
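The four technical rules in points 1, 2, 5 and 6 above (category-wise opt-in, nothing pre-selected except strictly necessary cookies, withdrawal that takes effect immediately, and auto-expiry) can be enforced in one small consent-state module that every non-essential tracker is gated through. This is an added illustration, not code from the original post or from any BRDCMS reference implementation; the category names, the 12-month lifespan and the in-memory audit log are assumptions.

```javascript
// Added example (not part of the original post): a minimal consent-state module.
// Category names, the 12-month lifespan and the audit log shape are assumptions.
const CATEGORIES = ["essential", "functional", "analytics", "advertising"];
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000; // re-prompt after 12 months

// Fresh state: only strictly-necessary cookies are allowed; no pre-checked boxes.
function newConsentState(now = Date.now()) {
  return { granted: { essential: true }, updatedAt: now, log: [] };
}

// Record one explicit user choice for one category (true = opt-in).
function setConsent(state, category, granted, now = Date.now()) {
  if (!CATEGORIES.includes(category)) throw new Error("unknown category");
  if (category === "essential") return state; // not a consent matter; cannot be refused
  state.granted[category] = Boolean(granted);
  state.updatedAt = now;
  state.log.push({ category, granted: Boolean(granted), at: now }); // audit trail
  return state;
}

// Withdrawal is an explicit "false"; it takes effect on the very next check.
function withdrawConsent(state, category, now = Date.now()) {
  return setConsent(state, category, false, now);
}

// Consent older than the lifespan is treated as lapsed: re-prompt, never assume.
function isExpired(state, now = Date.now()) {
  return now - state.updatedAt > CONSENT_TTL_MS;
}

// The single gate every non-essential script must pass through.
function isAllowed(state, category, now = Date.now()) {
  if (category === "essential") return true;
  if (isExpired(state, now)) return false;
  return state.granted[category] === true;
}

// Load a tracker only if its category is currently consented; returns whether it ran.
function runIfAllowed(state, category, loader, now = Date.now()) {
  if (!isAllowed(state, category, now)) return false;
  loader();
  return true;
}
```

In a real deployment the state object would be persisted (for example in a first-party cookie or localStorage) and the banner's toggles would call setConsent and withdrawConsent; the log is what a Data Auditor would ask to see.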
Comparing with Global Privacy Laws
| Criteria | DPDP Act | GDPR (EU) | CCPA (USA) |
|---|---|---|---|
| Consent Required for Cookies | ✅ Yes | ✅ Yes | 🚫 Not always |
| Granular Cookie Control | ✅ Mandatory | ✅ Mandatory | ❌ Optional |
| Legitimate Interest as a Basis | ❌ No | ✅ Yes | ✅ Yes |
| Revocation of Consent | ✅ Real-time | ✅ Real-time | ❌ Not mandatory |
| Multi-Language Consent | ✅ Recommended | ❌ Not mandated | ❌ Not required |
Inference by NMA:
India’s DPDP is stricter than GDPR in one crucial way — consent is the only legal basis for non-essential cookies (no “legitimate interest” loophole). Businesses must ensure airtight, category-wise opt-in systems.
NMA’s Legal Perspective: What We Advise
At Narendra Madhu Associates, our data compliance team works closely with companies in EdTech, FinTech, Hospitality, E-Commerce, and SaaS to implement future-proof cookie systems.
Our Compliance Checklist:
- Conduct a cookie audit
- Draft and publish a granular Cookie Policy
- Deploy a Consent Management Platform (CMP) aligned with BRDCMS
- Localize consent interface in regional languages
- Enable real-time consent updates & auto-expiry
- Maintain consent logs for audits (Data Auditor compliance readiness)
- Ensure all third-party trackers are disclosed and compliant
Conclusion: Cookies Are Code — But Now Also Law
The DPDP Act is reshaping India’s digital data environment. Cookie management, while technical on the surface, is legally significant. Businesses must align their cookie policies and banners with the principles of consent, transparency, accountability, and user autonomy.
Failure to do so may result not only in regulatory penalties but also in a loss of user trust.
🔍 Need help with cookie audits, consent platform vetting, or DPDP compliance training?
📨 Connect with Narendra Madhu Associates — your digital law experts in an evolving India.