What is the DPDPA Act & What It Means for Your Website

2026-03-17 · 6 min read · By CookieSeal Team

India has a new data privacy law. The Digital Personal Data Protection Act — better known as DPDPA — is already in force, and if you run a website that collects data from Indian users, it applies to you.

This isn't a "tech company only" law. It covers e-commerce stores, service businesses, SaaS products, local shops with a contact form — basically any website that collects a name, email, phone number, or tracks users with cookies.

Here's what you need to know.

What Does DPDPA Say About Cookies?

Under the DPDPA, collecting personal data — including data collected through cookies — requires clear user consent. Cookies that track behaviour, target ads, or identify individual users count as personal data processing.

That means your website must:

  • Tell users what cookies you use — in plain language, not buried in legal text
  • Get their consent before setting non-essential cookies — not after
  • Let users withdraw consent as easily as they gave it
  • Keep a record of consent — so you can prove compliance if asked

The law places the burden of proof on you, the website owner. "We had a cookie banner" isn't enough. You need documented, time-stamped consent records.

Is Your Website Affected?

If any of the following apply, yes — DPDPA applies to you:

  • Your website is accessible to users in India
  • You collect personal data (name, email, phone, IP address)
  • You use analytics tools like Google Analytics (which tracks users via cookies)
  • You run ads through Google Ads, Meta, or similar platforms
  • You have a contact form, login page, or checkout process

In short: almost every business website qualifies. The law doesn't set a minimum traffic or revenue threshold. A small business website with a WhatsApp button and a contact form is as affected as a large e-commerce platform.

What Happens If You Don't Comply?

The DPDPA sets out significant penalties for non-compliance:

  • Up to ₹250 crore (~$30M USD) for failing to implement reasonable security safeguards
  • Up to ₹200 crore for failing to notify a data breach
  • Up to ₹50 crore for violations related to children's data
  • Smaller but still serious penalties for inadequate consent mechanisms

The Data Protection Board of India has the authority to investigate complaints and impose these fines. Enforcement is ramping up — this isn't a law that will be ignored.

Beyond financial penalties, non-compliance damages customer trust. Users are becoming more aware of their data rights, and businesses that handle privacy poorly lose credibility fast.

How to Make Your Website DPDPA Compliant in Minutes

Compliance doesn't have to be complicated or expensive. Here's what you actually need to do:

1. Audit your cookies. Find out what cookies your site sets — first-party (yours) and third-party (Google, Facebook, etc.). Most sites have more than they realise.

2. Add a consent banner. Your banner must appear before non-essential cookies are set, offer genuine choices (Accept / Reject / Manage Preferences), and link to your privacy policy.

3. Block cookies until consent is given. This is the part most basic cookie banners get wrong. Setting cookies first and asking later is not compliant. Your consent tool must actually block scripts until the user accepts.

4. Log all consent records. Every consent decision — accept, reject, or partial — needs to be logged with a timestamp and stored securely. You need to be able to retrieve this if audited.

5. Honour opt-outs. If a user withdraws consent later, cookies must be cleared and data processing stopped. This has to be as easy as the original opt-in.
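
Steps 3 to 5 can be sketched as a small consent gate. This is an added example, not CookieSeal's code or anything prescribed by the DPDPA; the category names, the record fields and the load/clear hooks are assumptions made for illustration.

```javascript
// Added example, not CookieSeal code. Category names, record fields and the
// load/clear hooks are assumptions made for illustration.
const CATEGORIES = ["analytics", "marketing"]; // non-essential categories

function createConsentGate({ load, clear, now = () => new Date().toISOString() }) {
  const pending = []; // tags registered but not yet allowed to run
  const log = [];     // append-only record of every decision
  let granted = new Set(); // default: nothing non-essential is allowed

  function flush() {
    const ready = pending.filter((tag) => granted.has(tag.category));
    for (const tag of ready) {
      pending.splice(pending.indexOf(tag), 1);
      load(tag.src); // in a browser: append a <script src=...> element
    }
  }

  return {
    // Step 3: a tag is queued, never loaded, until its category is granted.
    register(category, src) {
      if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
      pending.push({ category, src });
      flush();
    },
    // Steps 4 and 5: log the decision with a timestamp, then enforce it.
    decide(choices) {
      const next = new Set(CATEGORIES.filter((c) => choices[c] === true));
      const withdrawn = [...granted].filter((c) => !next.has(c));
      const action = next.size === CATEGORIES.length ? "accept"
        : next.size === 0 ? "reject" : "partial";
      log.push(Object.freeze({ timestamp: now(), action, granted: [...next], withdrawn }));
      granted = next;
      withdrawn.forEach((c) => clear(c)); // in a browser: expire that category's cookies
      flush();
    },
    records: () => log.slice(),
  };
}

// Constructed demo: stubs stand in for the DOM so this runs under Node too.
function demo() {
  const loaded = [], cleared = [];
  const gate = createConsentGate({ load: (s) => loaded.push(s), clear: (c) => cleared.push(c) });
  gate.register("analytics", "https://example.test/analytics.js"); // queued only
  gate.decide({ analytics: true });  // partial consent: analytics loads
  gate.decide({});                   // withdrawal: analytics cookies cleared
  return { loaded, cleared, records: gate.records() };
}
```

Withdrawing consent cannot unload a script that has already executed in the page, so the clear hook should expire that category's cookies and the tag should stay blocked on later page views. In production the log would be sent to server-side storage rather than kept in the visitor's browser.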


CookieSeal handles all of this automatically. It detects your cookies, generates a compliant banner in your language and brand colours, blocks scripts until consent is given, and logs every consent record securely.

Setup takes under 5 minutes. Paste one line of code into your website and you're done.
