How to Build a DPDP‑Compliant Cookie Banner

How to Build a DPDP‑Compliant Cookie Banner: A Step‑by‑Step Guide for Indian Websites
With the DPDP Act 2023 now in force and the DPDP Rules 2025 operational, every Indian website that processes user data must rethink how cookies and tracking technologies are handled. Even though the Act doesn’t mention “cookies” explicitly, any cookie or tracker that touches personal data falls under its purview, which means you need valid, informed, and revocable consent before placing non‑essential cookies.
A cookie banner is no longer just a design element; it’s a legal requirement and a trust signal. This guide walks you through how to build a truly DPDP‑compliant cookie banner, covering purpose‑specific consent, transparency, user rights, and technical implementation.
Why DPDP Requires a Cookie Banner (and What “Compliant” Actually Means)
Consent must be explicit, informed and purpose‑specific
Under DPDP, any processing of personal data, including via cookies, requires valid consent. Consent must be free, informed, specific, unambiguous, and given via a clear affirmative action. Pre‑ticked boxes or implied consent don’t cut it.
Because cookies often track behavioural data, analytics, ad preferences or identifiers, non-essential cookies require explicit opt‑in from users.
Notice must be clear, stand‑alone, and understandable
The DPDP Rules 2025 require that consent notices be standalone (“presented independently”) and clearly explain: what personal data is collected; for what purpose; the option to withdraw consent; and contact or grievance‑redressal information.
This means your cookie notice or banner shouldn’t be buried within a long privacy policy or terms; it must be visible and easy to understand at first glance.
Consent withdrawal must be as easy as consent granting
DPDP mandates that users can withdraw consent at any time. The mechanism to withdraw must be as effortless as granting consent.
This means a persistent “Manage Cookies / Consent Preferences” link or panel should be accessible to users at all times.
How to Build a DPDP‑Compliant Cookie Banner: Step by Step
Here’s a practical checklist to build your compliant cookie banner:
- Run a cookie and tracker audit
  Identify all cookies and third‑party scripts: analytics, marketing pixels, chat widgets, ad trackers, etc. Classify them by purpose: essential/performance (core features), analytics, marketing, personalization, etc.
- Draft a clear consent notice
  Write a short, plain‑language notice describing:
  - What cookies you use
  - Why you use them (analytics, marketing, essential features)
  - What data is processed
  - How users can accept, reject, or manage preferences
  - Link to your full privacy/cookie policy + grievance/contact info
- Design a banner with equal Accept/Reject prominence
  - Show “Accept” and “Reject” options equally (no dark patterns)
  - Provide granular toggles if possible (e.g. “Analytics”, “Marketing”, “Essential only”)
  - Block non‑essential cookies until the user consents; don’t load them by default
- Ensure consent is logged with an audit trail
  - Store consent records: timestamp, user ID (if any), version of consent notice, consent status
  - Enable withdrawal: Provide a “Manage Cookies / Preferences” panel where the user can change consent
- Make privacy notice and cookie policy accessible
  - Provide link(s) to your privacy notice or cookie policy in the banner
  - Ensure the policy explains data categories, purpose, retention, third‑party sharing, and user rights
- Implement technical safeguards & cookie blocking until consent
  - Delay non‑essential scripts (analytics, ads, tracking frameworks) until consent
  - Use script loaders or tag managers that respect consent status
- Support ongoing compliance & adaptability
  - If you add new cookies/third‑party tools, rerun the audit and update the banner & notice
  - Log updates and re‑obtain consent if purposes change
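The checklist's consent logic, sketched as an added example that is not part of the original guide: non-essential tags are blocked by default, each choice is written to an audit record (timestamp, user ID, notice version, status), withdrawal is a single call, and a notice-version change invalidates earlier consent. The category names, tag ids, `NOTICE_VERSION` and all function names are assumptions made for illustration.

```javascript
// Added example, not from the original guide. Category names, tag ids and
// NOTICE_VERSION are constructed for illustration.
const NOTICE_VERSION = "2025-01"; // bump when purposes or trackers change
const NON_ESSENTIAL = ["analytics", "marketing", "personalization"];

// Constructed tag inventory, as the cookie and tracker audit would produce.
const TAGS = [
  { id: "session-cookie", category: "essential" },
  { id: "web-analytics", category: "analytics" },
  { id: "ad-pixel", category: "marketing" },
];

function createConsentManager(now = () => new Date().toISOString()) {
  const auditLog = []; // append-only here; persist it server-side in practice
  let current = null; // null: no choice yet, every non-essential tag is blocked

  function record(action, choices, userId = null) {
    // Only an explicit `true` counts as consent; anything else is a refusal.
    const status = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, choices[c] === true]));
    current = { noticeVersion: NOTICE_VERSION, status };
    auditLog.push({ timestamp: now(), userId, noticeVersion: NOTICE_VERSION, action, status });
    return current;
  }

  // Consent recorded against an older notice no longer counts: ask again.
  const needsPrompt = (version = NOTICE_VERSION) =>
    current === null || current.noticeVersion !== version;

  // A tag loads only if essential, or if its category was affirmatively
  // accepted under the notice version now in force.
  function mayLoad(tag, version = NOTICE_VERSION) {
    if (tag.category === "essential") return true;
    if (needsPrompt(version)) return false;
    return current.status[tag.category] === true;
  }

  return {
    auditLog,
    needsPrompt,
    mayLoad,
    grant: (choices, userId) => record("grant", choices, userId),
    withdrawAll: (userId) => record("withdraw", {}, userId), // one call, like granting
  };
}

// Ids of the tags a script loader may inject for this visitor right now.
function allowedTagIds(manager, version) {
  return TAGS.filter((t) => manager.mayLoad(t, version)).map((t) => t.id);
}
```

A script loader would call `allowedTagIds` before injecting anything and again after every change made in the preferences panel.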
What DPDP Act & Rules Say (Relevant Clauses)
- The DPDP Act requires consent for any personal data processing, including data collected via cookies.
- The DPDP Rules 2025 mandate that consent notices be clear, standalone and purpose‑specific.
- Consent must be freely given, unambiguous and via affirmative action. Pre‑ticked accept boxes or default opt-ins are not valid under DPDP.
- Users must be able to withdraw consent easily and revoke permission at any time.
Why This Matters: Not Just for Compliance, but for Trust & Conversion
- Avoid Heavy Penalties: Non‑compliance can lead to enforcement by the Data Protection Board of India under DPDP, along with fines and reputational damage.
- Gain User Trust: Transparent data practices build respect and improve conversion; users are more likely to consent when they understand explicitly what data is being used.
- Future‑Proof Your Website: As DPDP enforcement scales up in 2026 and beyond, having a compliant consent system avoids future overhauls.
- Better Analytics & Ad‑Tech Hygiene: By blocking non‑consented cookies, you reduce compliance risk in ad networks and maintain cleaner, privacy‑safe data streams.
Tools like consent managers and cookie‑management platforms can make this implementation far easier, especially for businesses with limited legal or engineering bandwidth.
Compliance Starts with the First Click
A cookie banner might seem like a minor UX element, but under India’s DPDP Act, it’s your front door to user trust. Ensuring that banner is clear, equal, purpose-specific, and verifiable is no longer optional; it’s the law.
As enforcement begins to scale in 2026, more businesses are looking at modular compliance tools that plug into existing stacks without legal or engineering overload. Solutions like Blutic are helping Indian websites get ahead by offering DPDP-ready consent layers, cookie scanning, and withdrawal workflows, all backed by the evolving compliance framework.
Frequently Asked Questions
No. Under DPDP, consent must be free, informed, specific, unambiguous, and obtained via affirmative action. Pre‑ticked boxes or default opt-ins fail to meet these criteria.
Yes, DPDP mandates that withdrawing consent must be as easy as granting it. You should provide a “Manage Cookies / Preferences” option at all times.