Is Cookie Consent required under DPDPA, 2023?

Why the Law May Be Inconsequential Under Its Current Wording?

The Digital Personal Data Protection Act, 2023 (DPDPA), of India represents a major advancement in the regulation of digital personal data. As companies get ready for compliance, a frequently asked question is, does the DPDPA require cookie consent?

The DPDPA does not currently specifically require cookie consent; cookie banners are now commonplace worldwide, especially in the EU due to the ePrivacy Directive (ePD) and General Data Protection Regulation (GDPR). Here are some reasons why the current wording of the law might make this a less important issue for Indian companies.

1. DPDPA Controls "Processing" and "Personal Data."

The DPDPA governs the management of digital personal data, encompassing any individual's identifiable information. This has a more limited scope than the GDPR, which covers any information that can directly or indirectly identify a person, such as IP addresses, device IDs, and pseudonymous data.

In contrast, only data that reasonably identifies an individual is considered personal data under the DPDPA. Particularly when data is aggregated and stripped of individual-level identifiers, cookies used for functionality, aggregated analytics, or website performance frequently do not contain personally identifiable information (PII).

There is very little chance of identifying a specific individual in aggregated datasets, which are collections of anonymized individual data points. Many common cookie implementations, particularly those used for tracking usage trends or basic analytics, reduce the applicability of DPDPA.

2. No references to cookies or tracking technologies.

The DPDPA's text does not mention cookies, online identifiers, or tracking technologies. This contrasts with the EU's ePrivacy Directive, which regulates the use of cookies and related technologies in particular and demands prior informed consent whether or not personal data is involved.

Because the DPDPA doesn't mention cookies, businesses in India don't have to use cookie banners or get detailed consent for cookies, unless those cookies are gathering identifiable personal data.

3. DPDPA Consent Is Purpose-Driven

According to the DPDPA, consent needs to be

• Free,

• Specific,

• Informed, and

• Unambigous.

However, unlike the GDPR, the law does not require granular consent for different types of cookies or processing purposes. The DPDPA does not require layered consent mechanisms for performance cookies, advertising cookies, or third-party trackers, even though the user must be made aware of the type and intent of the data being processed.

Therefore, specific consent under DPDPA is unlikely to be required if cookies only generate aggregated, anonymized data or do not process identifiable data.

4. Implications for Indian Companies

Cookie banners are not mandatory under DPDPA for Indian businesses that are not subject to foreign data protection regimes, unless identifiable personal data is involved. Even in that case, a general consent notice or a clear privacy policy might be adequate.

However, companies operating in the EU, UK, California, or other jurisdictions are subject to additional regulations, such as the ePrivacy Directive and GDPR in the EU or the CCPA/CPRA in California, which do require cookie consent mechanisms, sometimes even for pseudonymous data.

5. Looking Ahead: Best Practices and Regulatory Clarifications

The Data Protection Board of India may publish future guidance that explains the law's stance on tracking technologies and aggregated data, even though cookies are not specifically covered by the DPDPA.

Until then, even in cases where stringent consent procedures may not be required by law, companies are urged to adhere to global privacy best practices, which include being transparent about cookie usage. By doing this, companies can prepare for future regulatory developments and foster trust.

Conclusion

Currently, the DPDPA does not specifically require cookie consent. The Act has limited relevance to standard cookie use, particularly for non-identifiable, aggregated analytics, because it only applies to identifiable personal data and avoids mentioning cookies or tracking technologies.

However, companies should remain vigilant. The law may be expanded to cover specific types of online tracking in future regulatory updates. Transparency, contextual consent, and privacy-forward practices can all act as protections—and competitive advantages—in the interim.

The true question is whether cookies and trackers will be brought to light by India's future digital regulations or if they will continue to be exempt from the consent framework.