Understanding Cookie Consent: What Indian Websites Must Follow
Those cookie pop-ups aren't just a European thing anymore. India's DPDP Act and IT Act rules now shape what websites must do about cookies — and most sites are getting it wrong.

Okay so this is something I’ve been thinking about for a while now, and I suspect you have too — those little pop-ups that show up every time you land on a website asking you to “accept cookies.” Most of us just click accept. Done. Move on. We don’t even read what we’re agreeing to, and honestly, that’s kind of the problem.
But here’s the thing. In India, cookie consent isn’t just some vague courtesy anymore. We’ve got actual law backing this up now, and the rules are changing how websites are supposed to behave. Whether you run a website or just browse one, there’s stuff here you probably should know. I’ll try to walk through what I’ve learned — not as a lawyer, mind you, just someone who’s spent way too many hours reading privacy regulations and staring at cookie banners.
Back in maybe 2018 or so, I remember cookie consent being purely a “European problem.” GDPR had just kicked in, and Indian websites mostly shrugged it off. Fast forward to now, and the Digital Personal Data Protection Act of 2023 has thrown a wrench into that comfortable indifference. Things aren’t the same. They really aren’t.
What’s Actually Happening When You See That Cookie Banner
Let me back up a second. Cookies themselves aren’t evil or anything. They’re just small pieces of text a website asks your browser to store, and the browser sends them back on later requests so the site can remember things about you. Some of them are genuinely useful — I’d even say necessary. Without certain cookies, you couldn’t stay logged into your bank account while you flip between pages, or keep items in a shopping cart while you browse. Those are what people in the industry call essential cookies, and they’re pretty much harmless from a privacy standpoint. Nobody’s really arguing about those.
Where it gets murky — and this is where I think a lot of people zone out — is everything else. There’s a whole spectrum. Analytics cookies watch what you do on a site. Which pages you visit, how long you stay, where you scroll. Site owners use that data to figure out what’s working and what’s not. And I get it, that’s useful information if you’re running a business. But you, the person being tracked, didn’t exactly sign up for that surveillance when you just wanted to check a recipe or read the news.
Then there are advertising cookies. These are the ones that follow you around the internet like a clingy ex. You look at running shoes once, and suddenly every website you visit is plastered with shoe ads. What’s happening behind the scenes is that ad networks are building a profile of your interests, your browsing habits, sometimes even your approximate location — all stitched together through cookies that talk to each other across different websites. It’s a whole invisible infrastructure, and it runs on your data.
And finally, third-party cookies. These get dropped by domains other than the one you’re actually visiting. That little Facebook Like button on a blog? It’s loading a cookie from Facebook’s servers. Same with embedded YouTube videos, Twitter widgets, analytics scripts from Google. Each one of those is a separate tracker. A single webpage might load cookies from a dozen different companies, and you’d never know unless you dug into your browser’s developer tools.
So when a website shows you a banner that just says “We use cookies to improve your experience” with a single Accept button — well, that’s telling you almost nothing. It’s like a restaurant saying “we use ingredients” on the menu. Sure, technically true. Completely useless.
I was auditing a fairly popular Indian e-commerce site last year using a browser extension that maps cookie activity, and I counted over forty third-party cookies loading before I’d even interacted with the consent banner. Forty. Some from ad networks I’d never heard of, one from a data broker based in Singapore. The banner itself was this tiny strip at the bottom of the page that said “This site uses cookies. OK.” That was the entire consent mechanism. A single word button. No options. No explanation of what any of those forty-plus trackers were doing.
That kind of implementation might’ve flown a few years ago. It probably shouldn’t have, but enforcement was basically nonexistent. Now, though? With the DPDP Act in play and the Data Protection Board getting set up, sites like that are sitting on a ticking clock.
What Indian Law Actually Says — And What Most Sites Get Wrong
Let me try to break down the legal side without making your eyes glaze over. I’ll keep it practical.
The DPDP Act of 2023 doesn’t specifically mention cookies by name. That’s worth noting because people sometimes assume there’s a “cookie law” in India the way the EU has its ePrivacy Directive. There isn’t, not exactly. What the DPDP Act does is define personal data broadly — any data that can identify an individual, or that relates to an identifiable individual. And cookies? They absolutely collect that kind of data. Your IP address, your device fingerprint, your browsing patterns — all of this can be tied back to you, either directly or when combined with other information. So cookies fall under the Act’s umbrella even without being named specifically.
Here’s where the obligations kick in. Under the DPDP Act, if you’re a Data Fiduciary (basically any entity that determines how personal data gets processed — so, any website owner collecting cookies), you’ve got to do a few things right:
Clear notice before collection. You can’t just start dropping tracking cookies the moment someone opens your page. The law says you need to tell people what data you’re collecting and why. That means your cookie banner — if you even have one — needs to actually explain what types of cookies are active and what they do. “We use cookies for a better experience” doesn’t cut it. Better experience for whom? Doing what? Those details matter.
Specific, informed consent. This one’s a big deal. Consent under the DPDP Act has to be freely given. It has to be specific to a stated purpose. And — this is the part most Indian websites are blowing — it has to be informed. Pre-ticked checkboxes? Not valid. Bundling cookie consent into a general Terms of Service agreement? Probably not valid either. The user needs to understand what they’re saying yes to, and they need to actively say yes. Not have yes assumed for them.
I’ve seen some Indian sites adopt the “continued browsing implies consent” approach. You know the type — a banner that says “By continuing to use this site, you agree to our cookies.” That’s a really shaky position under the new Act. Implied consent and informed consent are different things, and the law seems to want the latter. We won’t know exactly how the Data Protection Board interprets these provisions until we see enforcement actions, but the text of the Act is fairly clear on the active consent requirement.
Easy withdrawal. Whatever mechanism you use to collect consent, pulling that consent back should be just as straightforward. If accepting cookies takes one click, rejecting or withdrawing consent later shouldn’t require seven clicks, a scroll through a settings page, and a university degree in web design. Lots of sites — Indian and otherwise — make the “Accept” button huge and green while the “Manage Preferences” link is tiny grey text. That’s a dark pattern. The DPDP Act doesn’t use the phrase “dark pattern” specifically, but the spirit of the consent provisions works against exactly that kind of design.
Now separately, there’s the older Information Technology Act of 2000 and its associated SPDI Rules from 2011 — the Sensitive Personal Data or Information Rules. These have been around for over a decade, and they already required organizations handling personal data to publish a privacy policy. That privacy policy is supposed to disclose what data gets collected and how it gets used. If your website drops analytics and advertising cookies, that information should be in your privacy policy. Tons of Indian sites either don’t have a privacy policy at all, or have one that was copied from a template in 2015 and never updated. Neither scenario is great.
The SPDI Rules also have specific provisions about consent for collecting sensitive personal data — things like financial information, health data, biometric data. If your cookies are tracking any of that (and some health-related or fintech sites absolutely do collect sensitive data through cookies and embedded scripts), the requirements are even stricter. Written consent, clear purpose limitation, the works.
One more thing on the legal side. The DPDP Act introduces the concept of a Consent Manager — a registered entity that helps users manage their consent across different platforms. The rules around Consent Managers are still being finalized as of early 2026, but the framework suggests that eventually, users might be able to centrally manage their cookie and data-sharing preferences rather than dealing with each site individually. That could change the whole game. Or it could get bogged down in implementation delays. Hard to predict right now.
I should mention, there’s some ambiguity I’m honestly not sure about. The DPDP Act has provisions about “deemed consent” for certain situations — where consent can be inferred based on context. Could a website argue that essential cookies fall under deemed consent since the user is voluntarily using the site and those cookies are necessary for it to function? Maybe. Probably, even. But extending that argument to advertising and third-party tracking cookies would be a stretch. The purpose limitation principle in the Act would likely prevent that interpretation from holding up.
Practical Steps — For Site Owners and For Everyone Else
Alright, enough with the legal text. Let’s talk about what should actually happen in practice.
If you run an Indian website — or any website targeting Indian users — here’s what I’d suggest you do. And I want to be clear, this isn’t legal advice. Talk to an actual lawyer for that. But from a best-practices standpoint, based on what the law says and where enforcement seems to be heading, these steps make sense.
First, get a real cookie banner. Not a notification bar. Not a “we use cookies, deal with it” strip. An actual consent interface that lists cookie categories — essential, analytics, advertising, third-party — and lets the user toggle each one independently. Yes, this is more work to implement. There are open-source solutions and paid cookie management platforms that handle it, though. Cookiebot, Osano, even some self-hosted options. The investment is small compared to the reputational and legal risk of getting this wrong.
Second — and this is the one that trips up most sites — don’t fire non-essential cookies before the user consents. I can’t stress this enough. If your Google Analytics script loads the instant the page opens, before the user has touched the consent banner, you’ve already violated the principle. The technical implementation matters here. Your tag manager needs to be configured to wait for consent signals before loading tracking scripts. Google Tag Manager has a consent mode for exactly this purpose. Use it.
Third, maintain a dedicated cookie policy page. This is separate from your privacy policy, though it should be linked from there. A good cookie policy should list every cookie your site sets, what it does, who sets it (first-party or third-party), and how long it lasts. I know that sounds tedious. It is tedious. But it’s also the kind of transparency the law is pushing toward, and it’s genuinely useful for the handful of users who actually want to understand what’s happening on your site.
Fourth, build a clear consent revocation mechanism. If someone accepted cookies last week but now wants to change their mind, they should be able to find a “Cookie Settings” link — maybe in the footer, maybe as a floating icon — and adjust their preferences. When they withdraw consent for a category, those cookies should be deleted, and the corresponding scripts should stop loading on subsequent pages. This is technically doable. Not all cookie management platforms handle the deletion part gracefully, so test it.
Fifth, audit regularly. Cookie environments change. You install a new WordPress plugin, it loads three new third-party scripts. You add a social sharing widget, suddenly there are Facebook and Twitter cookies on every page. Run a cookie scanner — there are free ones like Cookiebot’s free tier or the ICO’s cookie checker — at least once a quarter to see what’s actually being set on your site. You might be surprised.
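To make the second and fourth steps concrete, here is an added example (my own sketch, not code from any cookie management platform) of the consent-gating logic a site would put in front of its tag loader: nothing non-essential loads until the user has explicitly decided, a “continued browsing” record counts as no consent, and withdrawing a category returns the first-party cookies to expire. The script URLs, cookie names and category manifest are constructed for the example; in a browser you would pass `document.cookie` to `cookiesToDelete` and assign each `expireCookie` string back to `document.cookie`.

```javascript
const CATEGORIES = ["essential", "analytics", "advertising", "third_party"];

// Constructed manifest: which scripts and which cookies belong to which category.
const SCRIPTS = {
  analytics: ["https://analytics.example.invalid/tag.js"],
  advertising: ["https://ads.example.invalid/pixel.js"],
  third_party: ["https://social.example.invalid/like-button.js"],
};
const COOKIE_MANIFEST = {
  session_id: "essential",
  _ga: "analytics",
  _ad_profile: "advertising",
  social_uid: "third_party",
};

// No pre-ticked choices: only essential is on until the user acts.
// `decided` becomes true only on an explicit click, never on scrolling or time.
function defaultConsent() {
  return { decided: false, essential: true, analytics: false, advertising: false, third_party: false };
}

// A record without an explicit decision, or with any category left unset, is not consent.
function isValidConsent(c) {
  return !!c && c.decided === true && c.essential === true &&
    CATEGORIES.every((k) => typeof c[k] === "boolean");
}

// Only scripts in categories the user explicitly allowed may be loaded.
function scriptsToLoad(c) {
  const consent = isValidConsent(c) ? c : defaultConsent();
  return CATEGORIES.filter((k) => k !== "essential" && consent[k])
    .flatMap((k) => SCRIPTS[k]);
}

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString.split(";").map((s) => s.trim().split("=")[0]).filter(Boolean);
}

// First-party cookies whose category is not (or no longer) consented to.
// Cookies set by other domains cannot be deleted from this page; withdrawing
// the third_party category only stops their scripts from loading again.
function cookiesToDelete(cookieString, c) {
  const consent = isValidConsent(c) ? c : defaultConsent();
  return cookieNames(cookieString).filter((name) => {
    const cat = COOKIE_MANIFEST[name];
    return cat !== undefined && cat !== "essential" && !consent[cat];
  });
}

// String to assign to document.cookie to expire one first-party cookie.
function expireCookie(name, path = "/") {
  return `${name}=; Max-Age=0; Path=${path}`;
}
```

Unknown cookies are deliberately left alone here; in a real audit they are exactly the ones to chase down and add to the manifest.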
If you’re a regular user — someone who just wants to browse the internet without being tracked by forty invisible companies — there are things you can do too, and most of them take about five minutes.
Start with your browser choice. Firefox has Enhanced Tracking Protection turned on by default, which blocks known third-party trackers and cookies from identified tracking domains. It’s not perfect, but it’s a solid baseline. Brave goes further, blocking ads and trackers heavily out of the box. Chrome, on the other hand, is made by the world’s largest advertising company, and while Google has made noise about phasing out third-party cookies, they’ve also delayed that move repeatedly. Draw your own conclusions there.
Install a tracker blocker. uBlock Origin is free, open-source, and widely considered the best in class. It blocks not just ads but also tracking scripts, analytics beacons, and other invisible requests that cookies depend on. Privacy Badger, made by the Electronic Frontier Foundation, is another good option that learns which trackers to block based on their behavior rather than relying on a static list.
When a site gives you a real cookie consent interface with actual options, take two seconds to reject non-essential cookies. I know it’s easier to hit “Accept All,” and that’s exactly what these interfaces are designed to exploit. The accept button is always bigger, always brighter. Rejecting or customizing takes an extra click or two. Do it anyway. It’s a small act, but it limits how much of your browsing data gets shared with ad networks and data brokers.
Clear your cookies periodically. Once a month, once a week, whatever works for you. Every browser has this option in settings. When you clear cookies, you break the tracking chains that ad networks build over time. You’ll have to log back into some sites, which is mildly annoying. Worth it.
And here’s one that people overlook: check what cookies a site actually sets before you accept anything. In Chrome, you can go to Developer Tools, then Application, then Cookies. In Firefox, it’s the Storage Inspector. You’ll see every cookie, its domain, its expiration date, and its value. I started doing this casually about a year ago and it completely changed how I think about “simple” websites. A news article page with nothing but text and a few images was setting seventeen cookies, twelve of them from ad networks. That page didn’t need a single one of those twelve cookies to show me the article.
There’s a broader point here that I keep coming back to. Cookie consent, done right, is actually a pretty decent litmus test for whether a company respects your privacy. If a site gives you a clear, honest consent interface — real choices, no dark patterns, easy to revoke — that tells you something about how they think about user data in general. And if a site buries the reject option, loads trackers before consent, and makes withdrawal nearly impossible? That tells you something too.
India’s regulatory framework is catching up. The DPDP Act’s provisions on consent are legitimately strong on paper. Whether enforcement follows through — whether the Data Protection Board actually penalizes sites that ignore these rules — remains an open question. I’m cautiously optimistic, but I’ve also watched enough regulatory bodies get captured or defunded to know that good law doesn’t always mean good outcomes.
What I do think is that awareness matters independently of enforcement. When enough users start rejecting non-essential cookies, when enough site owners realize that proper consent management isn’t optional, the ecosystem shifts. Maybe slowly. But it shifts.
So the next time a cookie banner pops up and your finger hovers over “Accept All” — maybe pause for a second. Read what it actually says. Click through to the settings. See what’s really going on behind that friendly little pop-up. You might not love what you find, but at least you’ll know. And knowing is where any real privacy protection starts, isn’t it?
Written by
Priya Sharma, Senior Privacy Analyst
Priya Sharma specializes in India's Digital Personal Data Protection Act (DPDPA) and helps organizations comply with data protection regulations. She holds a law degree from NLU Delhi and has published extensively on digital rights in India.