Compliance · 9 min read

Why Your Cookie Banner Doesn't Make You DPDP Compliant

Most Indian companies believe a cookie popup means they're covered under the DPDP Act. Here's why that's wrong — and what DPDP-compliant consent actually looks like.

DPDP Comply

The Most Expensive Misconception in Indian Data Privacy

Go to almost any Indian company's website right now. Within seconds, a banner slides up: *"We use cookies to improve your experience. Accept All / Manage Preferences."*

The legal team approved it. The CTO shipped it. The compliance checkbox got ticked.

And none of it — not a single pixel of it — satisfies India's Digital Personal Data Protection Act, 2023.

This isn't a technicality. It's a fundamental misunderstanding of what two completely different laws require. The cookie banner was built for Europe's ePrivacy Directive. The DPDP Act is an entirely different legal framework with entirely different consent requirements.

Companies that believe their cookie popup covers their DPDP obligations are exposed to up to Rs 250 crore in penalties — with the false confidence that they've already handled it.

Here's exactly why the cookie banner fails, and what DPDP-compliant consent actually looks like.

7 Ways DPDP Consent Requirements Differ From Cookie Consent

Here's where cookie banners fall short of DPDP requirements, point by point:

1. Scope: Cookies vs All Personal Data

Cookie banner: Covers consent for tracking technologies (cookies, pixels, local storage).

DPDP Act: Covers consent for all personal data processing — collection, storage, use, sharing, transfer, and deletion. If you collect a name and email on a signup form, that requires DPDP consent. Your cookie banner doesn't touch it.

2. Specificity: Generic vs Purpose-by-Purpose

Cookie banner: Typically groups purposes into broad categories — "Necessary," "Analytics," "Marketing." One toggle per category.

DPDP Act (Section 6): Requires consent for each specific processing purpose, separately. If you use someone's email for (a) account notifications, (b) marketing campaigns, and (c) sharing with your affiliate partners — those are three separate consents. Bundling them into "Marketing" is non-compliant.

3. Timing: On Page Load vs Before Collection

Cookie banner: Appears when a user lands on your website — often after cookies have already been set by the page load itself.

DPDP Act: Consent must be obtained before processing begins. You cannot collect a user's email in a signup form and then seek consent. The consent request must precede the data collection — not follow it.

4. Withdrawal: Settings Page vs Equal-Friction Withdrawal

Cookie banner: Most implementations let users change cookie preferences via a settings icon buried in the footer.

DPDP Act (Section 6(4)): Withdrawal of consent must be "as easy as giving consent." If a user gave consent in two clicks, withdrawal must be two clicks. No confirmation dialogs, no "tell us why you're leaving" surveys, no multi-step forms. Equal friction is a legal requirement, not a UX recommendation.

5. Language: English-Only vs User's Preferred Language

Cookie banner: Almost always in English. Maybe translated for the EU market.

DPDP Act: The privacy notice — which must accompany every consent request — must be provided in the language the Data Principal (user) requests. India has 22 scheduled languages. A consent banner in English shown to a Hindi-speaking user from Uttar Pradesh is legally questionable.

6. Notice Requirements: Brief Description vs Full Disclosure

Cookie banner: A one-line description of each cookie category.

DPDP Act: The privacy notice that accompanies each consent request must disclose:

  • What personal data is being collected
  • The exact purpose of processing
  • The rights of the Data Principal (access, correction, erasure, grievance, nomination)
  • How to withdraw consent
  • The identity and contact details of the Data Fiduciary
  • Whether data will be shared with third parties (and who)

A cookie banner cannot contain all of this. It's structurally insufficient.

7. Data Principal Rights: Not Covered At All

Cookie banner: Handles consent. Does not address any other user rights.

DPDP Act: Gives every Data Principal the right to:

  • Access what data you hold about them (within a reasonable period)
  • Correct inaccurate or outdated data
  • Erase data (right to be forgotten, with exceptions)
  • Nominate someone to exercise rights on their behalf after death
  • Raise a grievance and receive a response within a defined timeline

None of these rights are addressed by a cookie banner. You need a separate Data Rights Portal — a mechanism for users to submit requests and your team to fulfil them within the Act's timelines.

What To Do If You Currently Only Have a Cookie Banner

Start with an honest audit. For every type of personal data your company collects — emails, phone numbers, payment details, health records, location data — ask:

1. Do we have explicit, purpose-specific consent for each processing use?
2. Can users withdraw that consent as easily as they gave it?
3. Do our consent records prove what was agreed to and when?
4. Can users access, correct, or request deletion of their data through a self-service portal?
5. Are our privacy notices available in the languages our users speak?

If the answer to any of these is "no" or "we're not sure" — you have a gap.

The DPDP Act compliance deadline is May 13, 2027. The companies that start building compliant consent infrastructure now will be done before the deadline. The ones waiting will be paying Rs 50L+ to consulting firms in 2027 to scramble through it in 90 days.

A cookie banner is a start. It is not an end. And treating it as one is the most common — and most expensive — compliance mistake Indian companies are making right now.

---

Not sure where your company stands? Take our free 3-minute DPDP Readiness Assessment — 12 questions across 6 categories, instant results, no email required.
