India's Digital Personal Data Protection Act, 2023 (DPDPA) is the country's first standalone data protection law. Passed by Parliament in August 2023 and partially enforced from 13 November 2025, it governs how organisations collect, store, and process digital personal data - with direct implications for every website that sets cookies for visitors in India.

The law replaced the older Information Technology Rules of 2011, which offered only a thin patchwork of protections. The DPDPA brings India closer to the global data protection standards set by the GDPR, though with a distinctly Indian approach to enforcement, terminology, and scope.

Background and Implementation Timeline

The DPDPA's roots trace back to 2017, when the Supreme Court of India ruled unanimously in Puttaswamy v. Union of India that privacy is a fundamental right under Article 21 of the Constitution. After multiple draft Bills and a withdrawal in 2022, the final version was passed in August 2023 and received Presidential assent on 11 August 2023.

The DPDP Rules, 2025 were published on 13 November 2025 by the Ministry of Electronics and Information Technology (MeitY). The rollout is phased: the Data Protection Board was established on 13 November 2025, Consent Manager registration opens in November 2026, and all remaining provisions - including consent and security requirements - take full effect on 13 May 2027.

Who Does the DPDPA Apply To?

The DPDPA covers digital personal data - collected digitally or collected offline and later digitised. It applies to processing within India and has extraterritorial reach: if your organisation processes data outside India in connection with offering goods or services to Indian individuals, the law applies to you. Outsourcing companies processing data collected abroad that does not relate to Indian data principals fall outside its scope.

Key Terminology

DPDPA Term | GDPR Equivalent | Definition
Data Principal | Data Subject | The individual whose personal data is processed
Data Fiduciary | Data Controller | Determines purpose and means of processing
Data Processor | Data Processor | Processes data on behalf of the Fiduciary
Significant Data Fiduciary | No equivalent | Classified by government based on data volume and national impact
Consent Manager | No equivalent | Registered intermediary for managing consent

The Consent Manager concept is unique to India - similar to account aggregators in the financial sector. Consent Managers must register with the Data Protection Board and act as intermediaries between individuals and organisations.

Consent Under the DPDPA

Consent is the primary legal basis for processing personal data. For cookies, it is the only basis available. The law follows an opt-in model: explicit consent must be obtained before setting any cookies that collect personal data.

Valid consent must be free (no coercion or bundling with terms), specific (relating to a defined purpose), informed (the Data Principal knows what data is collected and why), unambiguous (an affirmative action - browsing alone does not count), and unconditional (access to public parts of your site cannot depend on consent).

Withdrawal must be as easy as giving consent. The DPDPA defines narrow "legitimate uses" under Section 7 where consent is not required - legal obligations, medical emergencies, employment purposes - but notably excludes "contractual necessity" and "legitimate interest", both available under the GDPR.

Cookie Consent Requirements

The DPDPA does not mention cookies by name. But cookies storing identifiers - cookie IDs, device fingerprints, behavioural data - clearly fall within personal data processing. Analytics cookies like _ga, advertising cookies like _fbp, and most third-party tracking scripts trigger the consent requirement.

In June 2025, MeitY released the Business Requirements Document for Consent Management Systems (BRDCMS). Although not legally binding, it recommends cookie banners with "Accept", "Reject", and "Customise" options, real-time consent dashboards, and automatic expiry of preferences.

One difference from the GDPR's granular consent model: the DPDPA does not currently require purpose-specific consent for each cookie category. Under the ePrivacy Directive, EU users can accept analytics but reject marketing cookies individually. General consent for cookie use is technically sufficient under the DPDPA, though the BRDCMS and best practice both point towards category-level controls.

Privacy notices must be available in English and any of the 22 languages in the Eighth Schedule of the Indian Constitution. Your cookie consent banner should support Hindi, Tamil, Telugu, Bengali, or other relevant regional languages.

Data Principal Rights and Fiduciary Obligations

Individuals have rights under Chapter III that mirror those in the GDPR and LGPD: access to a summary of processed data, correction and erasure, grievance redressal, and the right to nominate someone to exercise rights in case of death or incapacity. Under Rule 14, Data Fiduciaries must respond within 7 days. The DPDPA notably omits a right to data portability.

Data Fiduciaries must provide itemised privacy notices before or at the time of collection, implement reasonable security safeguards (encryption, access controls, logging), and report every personal data breach to the Board and affected individuals - regardless of severity. This contrasts with the GDPR's risk-based approach to breach notification.

Organisations designated as Significant Data Fiduciaries face additional obligations: appointing a DPO based in India, periodic Data Protection Impact Assessments, independent audits, and potential data localisation requirements.

Children's Data and Cross-Border Transfers

The DPDPA sets the child age threshold at 18 - higher than the GDPR's default of 16 (or as low as 13 under Article 8). Processing children's data requires verifiable parental consent, and the law prohibits tracking, behavioural monitoring, and targeted advertising directed at children.

Cross-border transfers follow a permissive model: data can go to any country unless the Indian government specifically restricts it. No restricted list has been published as of early 2026 - a sharp contrast to the GDPR's adequacy decisions and SCCs framework.

Penalties

Violation | Maximum Penalty
Failure to implement reasonable security safeguards | INR 250 crore (~USD 30 million)
Failure to notify breach | INR 200 crore (~USD 24 million)
Children's data violations | INR 200 crore (~USD 24 million)
Significant Data Fiduciary non-compliance | INR 150 crore (~USD 18 million)
General breach of Act provisions | INR 50 crore (~USD 6 million)
Individual false claims or impersonation | INR 10,000 (~USD 120)

Penalties are absolute amounts, not revenue-based - a structural difference from the GDPR's percentage-of-turnover model. The Board may adjust amounts by up to 2x based on severity, remediation efforts, and other factors. All penalties are civil; appeals go to the TDSAT.

Practical Steps for Website Owners

Audit your cookies. Use a free cookie scanner to identify every tracker on your site and classify by purpose.

Implement opt-in consent. Block non-essential cookies until visitors give explicit consent. Offer Accept, Reject, and Customise options.

Keep consent records. Log what the user saw, what they chose, and when. If you already use a consent management platform for GDPR, check whether it covers the DPDPA's requirements as well.

Update your privacy notice. It must be itemised, specific, and in plain language - vague boilerplate will not satisfy the DPDP Rules.
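The opt-in gating and consent-record steps above, as an added example that is not code from the original article or from Kukie.io. It uses the cookie names the article mentions (_ga as analytics, _fbp as advertising); "sid" is a constructed placeholder for a strictly necessary session cookie, and the 12-month expiry is an assumption, since the article gives no period.

```javascript
// Added example (not from the original article): opt-in consent gate with an audit record.
// "sid" is a constructed placeholder for a strictly necessary cookie.
const COOKIE_CATEGORIES = { _ga: "analytics", _fbp: "advertising", sid: "necessary" };

// Assumption: preferences expire after 12 months (BRDCMS recommends automatic expiry).
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000;

const OPTIONAL_CATEGORIES = [...new Set(Object.values(COOKIE_CATEGORIES))]
  .filter((c) => c !== "necessary");

// Unknown cookies are treated as non-essential, so they stay blocked until consented to.
function classifyCookie(name) {
  return COOKIE_CATEGORIES[name] || "unclassified";
}

// The record a Data Fiduciary should keep: what the visitor saw (notice version
// and language), what they chose, and when. "choice" is accept_all, reject_all or customise.
function makeConsentRecord({ choice, categories = [], noticeVersion, language, now }) {
  const granted = choice === "accept_all" ? OPTIONAL_CATEGORIES
    : choice === "reject_all" ? []
    : categories.filter((c) => OPTIONAL_CATEGORIES.includes(c));
  return {
    timestamp: new Date(now).toISOString(),
    choice,
    granted,
    noticeVersion,
    language,
    expiresAt: new Date(now + CONSENT_TTL_MS).toISOString(),
  };
}

// Withdrawal is one call, as easy as giving consent, and yields a new log entry
// instead of silently editing the old one.
function withdrawConsent(record, now) {
  return { ...record, choice: "withdrawn", granted: [], timestamp: new Date(now).toISOString() };
}

// Opt-in check: with no record, an expired record, or an ungranted category,
// only strictly necessary cookies may be set.
function mayLoad(record, cookieName, now) {
  const category = classifyCookie(cookieName);
  if (category === "necessary") return true;
  if (!record || now >= Date.parse(record.expiresAt)) return false;
  return record.granted.includes(category);
}

// After a reject or withdrawal, list the cookies already present that must be deleted.
function cookiesToPurge(record, presentCookies, now) {
  return presentCookies.filter((name) => !mayLoad(record, name, now));
}
```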

Frequently Asked Questions

Does the DPDPA apply to websites outside India?

Yes. If your website processes digital personal data in connection with offering goods or services to individuals in India, the DPDPA applies regardless of where your business is located.

Do I need cookie consent for Indian visitors under the DPDPA?

Yes. The DPDPA follows an opt-in model. You must obtain explicit, informed consent before setting any cookies that collect personal data from visitors in India.

Is the DPDPA the same as the GDPR?

No. While both laws share principles like consent and purpose limitation, the DPDPA covers only digital personal data, does not define sensitive data categories, lacks a legitimate interest basis, and uses fixed monetary penalties rather than revenue-based fines.

What are the maximum fines under the DPDPA?

The highest penalty is INR 250 crore (approximately USD 30 million) for failure to implement reasonable security safeguards. Breach notification failures and children's data violations carry penalties of up to INR 200 crore each.

What is a Consent Manager under the DPDPA?

A Consent Manager is a registered intermediary allowing individuals to grant, manage, and withdraw consent through a single platform. Registration opens in November 2026.

Does the DPDPA require cookie banners in Indian languages?

Privacy notices must be available in English and any of the 22 languages in the Eighth Schedule of the Indian Constitution. If your website targets regional audiences, your consent mechanism should support the relevant languages.

When does the DPDPA come into full effect?

The Data Protection Board was established on 13 November 2025. All remaining provisions take full effect on 13 May 2027.

Get Your Website Ready for the DPDPA

India's data protection law adds another jurisdiction to the global compliance map. If your site sets cookies for Indian visitors, you need an opt-in consent mechanism that blocks non-essential tracking until consent is given. Kukie.io detects cookies, classifies them by purpose, and presents a geo-targeted consent banner - so your Indian visitors see the right controls and your consent logs are audit-ready.
