Only 3 out of the top 50 websites in India comply with the consent norms under India’s data protection law, as per a white paper released by the Advertising Standards Council of India (ASCI).
Written in collaboration with PSA Legal and Tsaaro Consulting, the paper assesses the compliance of Indian companies’ cookie consent practices with the Digital Personal Data Protection (DPDP) Act, 2023 and its draft Rules. Cookies are small text files that collect and store information, including personal details of a user visiting a website. The digital advertising industry particularly relies on cookies to deliver targeted ads based on users’ browsing and purchasing histories.
“Businesses will need to ensure that users are informed about the purpose of cookies and provide mechanisms for obtaining specific consent. Users will have the right to withdraw consent at any time [as per the law], requiring companies to adapt their practices while maintaining compliance. This will play a significant role in shaping the industry’s approach to targeted advertising,” said the report.
However, as per its own analysis, the report found that only 6 per cent of India’s top websites ask visitors for their consent before using cookies. These websites garnered 30 billion visits in December 2024 alone. Even among those, most fall short of best practices such as providing clear opt-out options or enabling granular consent to users for different types of cookies.
“A key challenge observed in current practices is the lack of user-friendly design and transparency in cookie consent banners [pop-up messages]. Many websites fail to provide clear, easy-to-understand options for users to manage their cookie preferences, often presenting only a basic “accept all” option without offering sufficient control over individual cookie categories. This complicates the user experience and increases the risk of non-compliance with data protection regulations,” said the report, adding that companies that fail to comply to the DPDP Act are liable for fines ranging from ₹10,000 to ₹ 250 crore.
User-centric cookie practices required
To navigate these issues, the report asked companies to consider user-centric practices, where visitors can manage their consent settings. It argued that this can help advertisers turn compliance into a competitive advantage, building consumer trust in a privacy-conscious marketplace. The Cookie Preference Center tool can be used in this regard, where users can give or withdraw consent while choosing specific cookie categories. It also suggested replacing the traditional consent model with a new cookie consent policy that provides more transparency, such as explaining which cookie will be used and for what purpose.
“Compliance, if done effectively, will empower advertisers will be able to position themselves as privacy-conscious brands. The overarching objective is to empower users with informed choices, and the experiences of jurisdictions like the EU provide valuable insights into avoiding pitfalls and embracing effective strategies. Ultimately, the path forward demands a proactive approach from advertisers; one that prioritizes transparency, user autonomy, and ethical data usage,” said the report.