What is the DPDPA Act & What It Means for Your Website

2026-03-17 · 6 min read · By CookieSeal Team

India finally has its own data privacy law. The Digital Personal Data Protection Act (DPDPA), 2023 was signed into law last year, and enforcement is coming faster than most website owners expect. If your site gets any traffic from India — or if you're an Indian business — you need to understand what this law requires and whether your website is ready.

The short version: DPDPA gives Indian citizens rights over their personal data and puts the responsibility on website owners to ask for clear, informed consent before collecting it. That includes cookies. Yes, even the basic analytics cookie you added three years ago and forgot about.

Don't panic. Getting compliant isn't complicated, but you do need to actually do it. This post breaks down what DPDPA requires, who it applies to, what's at stake if you ignore it, and how to fix it fast.


What Does DPDPA Say About Cookies?

The DPDPA doesn't single out cookies by name, but it covers any collection of personal data — and cookies that track behaviour, store user IDs, or link activity to a person absolutely fall under that umbrella.

Here's what the law requires:

Consent must be free, specific, informed, and unambiguous. That means no pre-ticked boxes, no "by using this site you agree to..." buried in a footer. Users must actively say yes.

You must tell users what you're collecting and why. Vague statements like "we use cookies to improve your experience" aren't enough. You need to list the categories of cookies (analytics, marketing, functional), who has access to the data, and what it's used for.

Users can withdraw consent anytime. If someone said yes to analytics cookies last month and wants to opt out today, your site must respect that. The opt-out should be as easy as the opt-in.

Data of children (under 18) requires parental consent. If your site could be accessed by minors, you need an age gate or parental consent flow.

In practice, this means you need a proper cookie consent banner — not just a notification bar that says "we use cookies." The banner must offer real choices: accept all, reject all, or manage preferences by category.


Is Your Website Affected?

Almost certainly, yes — if any of these apply to you:

  • Your website has Indian users (even a small percentage)
  • You run an Indian business with a website
  • You collect email addresses, run contact forms, or have user accounts
  • You use Google Analytics, Facebook Pixel, or any third-party tracking
  • You run an e-commerce store targeting Indian customers
  • You have a WordPress, Wix, Shopify, or any CMS-based site

The DPDPA applies to data fiduciaries — which is the legal term for anyone who decides how and why personal data is processed. If you run a website that collects any data from Indian residents, that's you.

Small businesses aren't exempt. Sole proprietors aren't exempt. The law doesn't have a carve-out for "we only have 500 visitors a month." If you collect data, you're in scope.

The only exception is for purely personal or household purposes — so your personal diary blog with no analytics has nothing to worry about. But if you're running a business site, an agency, a SaaS product, a portfolio with a contact form, or an e-commerce store, you need to comply.


What Happens If You Don't Comply?

The DPDPA sets out penalties that should get your attention.

Up to ₹250 crore (approximately $30 million USD) for failing to take reasonable security safeguards to prevent personal data breaches.

Up to ₹200 crore for failing to notify the Data Protection Board and affected users in the event of a breach.

Up to ₹50 crore for failing to comply with consent requirements — which is exactly the cookie and data collection issue most websites face.

These aren't just theoretical numbers. India's Data Protection Board is being set up with enforcement powers. And unlike some privacy laws that took years to enforce, India's government has signalled it wants this moving quickly.

Beyond fines, there's the reputational angle. Users are becoming more privacy-aware. A dark pattern cookie banner that tricks people into consenting is exactly the kind of thing that goes viral for the wrong reasons.

The safer, smarter move: just fix it now. It takes less than an hour.


How to Make Your Website DPDPA Compliant in Minutes

Here's what DPDPA compliance actually looks like for your website:

Step 1 — Audit your cookies. Know what cookies your site is setting and why. Most websites are surprised by how many third-party cookies load from embedded widgets, chat tools, and ad networks.

Step 2 — Block cookies before consent. Non-essential cookies (analytics, marketing, tracking) must not fire until the user has explicitly consented. This is a technical requirement, not just a policy one.

Step 3 — Display a compliant consent banner. It needs to:

  • Appear before any tracking cookies load
  • Offer accept all / reject all / manage preferences options
  • Explain clearly what each category of cookie does
  • Allow users to withdraw consent later

Step 4 — Log and store consent records. If the Data Protection Board asks whether a user consented, you need to be able to prove it. Consent logs should include the timestamp, user identifier, and what they agreed to.

Step 5 — Link your Cookie Policy and Privacy Policy from the banner. These documents need to be accurate and up to date.

The technical part — especially blocking cookies before consent and logging consent records — is where most DIY attempts fall apart. It's also where a tool purpose-built for this makes the difference between compliant and not.
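Steps 2 to 4 above can be sketched as a default-deny consent gate with an append-only consent log. This is an added example, not CookieSeal's code; the category names, the tag inventory, the record fields and the `createConsentManager` helper are all assumptions made for illustration.

```javascript
// Added example: default-deny tag gating plus a consent log (Steps 2-4).
// All names below are hypothetical, chosen for this illustration.
const CATEGORIES = ["essential", "functional", "analytics", "marketing"];

// Constructed sample inventory, standing in for the result of a Step 1 audit.
const TAGS = [
  { name: "session", category: "essential" },
  { name: "chat-widget", category: "functional" },
  { name: "web-analytics", category: "analytics" },
  { name: "ad-pixel", category: "marketing" },
];

function createConsentManager(userId, now = () => new Date().toISOString()) {
  const log = [];                        // append-only: one record per decision
  let granted = new Set(["essential"]);  // nothing else loads before consent

  function record(action, categories) {
    // Unknown categories are dropped, so a typo can never enable a tracker.
    const clean = categories.filter(
      (c) => CATEGORIES.includes(c) && c !== "essential"
    );
    granted = new Set(["essential", ...clean]);
    // Step 4 fields: timestamp, user identifier, and what was agreed to.
    const entry = Object.freeze({
      timestamp: now(), userId, action, categories: [...granted],
    });
    log.push(entry);
    return entry;
  }

  return {
    acceptAll: () => record("accept_all", CATEGORIES),
    rejectAll: () => record("reject_all", []),
    setPreferences: (cats) => record("set_preferences", cats),
    // Withdrawal is a single call, as easy as granting consent.
    withdraw: (cat) => record("withdraw", [...granted].filter((c) => c !== cat)),
    // Only tags whose category is currently granted may be injected.
    allowedTags: () => TAGS.filter((t) => granted.has(t.category)).map((t) => t.name),
    history: () => log.slice(),
  };
}
```

In a page, the loader would inject a script element only for names returned by `allowedTags()`, and the log entries would be sent to server-side storage so they survive the visitor clearing their browser.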


CookieSeal makes DPDPA compliance simple. Add a compliant cookie banner to your site in under 5 minutes — with automatic cookie scanning, pre-consent blocking, consent logging, and customizable banners that match your brand.

No credit card required. Works with WordPress, Shopify, custom sites, and any platform where you can add a script tag.