India's Data Protection Law Is No Longer Theoretical
The Digital Personal Data Protection Act, 2023 (DPDP Act) received presidential assent in August 2023. The implementing DPDP Rules, 2025 were notified on November 14, 2025. The Data Protection Board of India (DPBI) appointed its members on June 6, 2026. And the Consent Manager registration window opens in November 2026, with full enforcement arriving May 13, 2027 — no grace period.
If your website serves Indian users and sets cookies that collect personal data, this law applies to you. India has over 900 million internet users, making it the second-largest online population on the planet. Even if India isn't your primary market, if you run analytics or advertising tags on pages visited by Indian users, you're a Data Fiduciary under the DPDP Act — and the obligations that follow are unlike anything in GDPR or CCPA.
This guide covers the practical impact: the phased rollout timeline, the 22-language consent requirement, the new Consent Manager intermediary, how the DPDP Act compares with regulations you already know, and what you should be doing now to prepare.
The Three-Phase Rollout
The DPDP Rules break implementation into three phases, each tied to a hard date counted from the Rules' November 2025 notification:
- Phase 1 (November 13, 2025): Establishment of the Data Protection Board of India. The Board is now operational with appointed members. It handles complaints, investigates breaches, and issues orders.
- Phase 2 (November 13, 2026): Consent Manager registration opens. Rule 4 obligations — covering Consent Manager eligibility, interoperability, audit trails, and conflict-of-interest restrictions — take effect. This is when the consent infrastructure must be in place.
- Phase 3 (May 13, 2027): All substantive Data Fiduciary obligations apply in full. The penalty framework activates immediately. No transition period, no forgiveness window. Maximum penalties reach ₹250 crore (approximately €28 million) per contravention.
The staggered timeline is deliberate. Regulators want the enforcement body and the consent infrastructure standing before obligations land on businesses. But the gap between Phase 2 (November 2026) and Phase 3 (May 2027) is only six months — tight for any organization that hasn't started preparing.
Consent Manager: A New Kind of Intermediary
This is the concept that trips up most people familiar with European privacy law. Under the DPDP Act, a Consent Manager is not a software tool. It's a registered intermediary entity — a company that sits between Data Principals (users) and Data Fiduciaries (your organization), acting as a single point of contact where users can grant, review, and withdraw consent across multiple services from one dashboard.
Think of it less like a CMP plugin and more like a licensed consent broker. The Data Protection Board maintains a registry of approved Consent Managers, and only registered entities can operate in this role.
Registration Requirements
Rule 4 and Schedule I (Part A) of the DPDP Rules set the eligibility bar:
- Incorporation: Must be a company incorporated in India.
- Net worth: Minimum ₹2 crore (₹20 million, roughly USD 240,000).
- Governance: Directors and senior management must demonstrate a credible track record of integrity.
- Technical capacity: Must operate secure infrastructure for consent lifecycle management and interoperability across Data Fiduciaries.
- Independence: Must avoid conflicts of interest with the Data Fiduciaries whose consent they manage.
- Audit trail: Must maintain consent logs for a minimum of 7 years.
The incorporation requirement is the critical detail for global companies. Foreign consent management platforms cannot register as Consent Managers unless they establish an India-incorporated subsidiary that independently meets the net-worth and governance requirements. This effectively excludes most international CMPs from the registered intermediary role, at least for now.
Consent Manager vs. CMP: Don't Confuse Them
A registered Consent Manager under the DPDP Act is a licensed intermediary entity. A consent management platform (CMP) like CookieBeam is a software tool that Data Fiduciaries use to collect and enforce consent on their own websites. These are different things. Your website still needs a consent banner and script-blocking mechanism regardless of whether a registered Consent Manager is involved. The Consent Manager intermediary aggregates consent across services; the CMP enforces it at the point of data collection.
Consent in 22 Languages: What Section 6(3) Actually Requires
Section 6(3) of the DPDP Act states that every request for consent must be presented in "clear and plain language" and that Data Principals must be able to access the consent notice in English or any of the 22 languages listed in the Eighth Schedule of the Indian Constitution. If consent is delivered in a language the user can't reasonably understand, the consent is invalid — and invalid consent means you're processing data without a lawful basis, which carries penalties up to ₹200 crore.
The 22 scheduled languages are: Assamese, Bengali, Bodo, Dogri, Gujarati, Hindi, Kannada, Kashmiri, Konkani, Maithili, Malayalam, Manipuri, Marathi, Nepali, Odia, Punjabi, Sanskrit, Santali, Sindhi, Tamil, Telugu, and Urdu.
For a consent banner, this means your cookie notice and preference controls must be available in every language a visitor might need. You can't default to English and call it done. The language requirement isn't a nice-to-have localization feature — it's a validity condition on the consent itself.
The Technical Challenge: Scripts, Shaping, and One RTL Language
Supporting 22 languages across India's script diversity is a genuine engineering challenge — it's not the same as translating a GDPR banner into French and German.
Complex script rendering. Most of the 22 languages use Brahmic scripts with complex shaping rules. Devanagari, Bengali, Gujarati, Tamil, Telugu, Kannada, Malayalam, and Odia all feature conjunct consonants, ligatures, and vowel signs that reposition around base characters. A consent banner with broken conjuncts or misplaced vowel marks fails the "clear and plain language" test even if the translation is perfect.
Font coverage. The Noto Sans family (Google Fonts) is currently the most reliable option for comprehensive Indian script coverage. Self-hosting these fonts ensures consistent rendering regardless of device. System font stacks vary wildly across Android, iOS, Windows, and Linux for Indian scripts.
Urdu and bidirectional text. Among the 22 languages, Urdu uses a modified Arabic script and renders right-to-left. Kashmiri and Sindhi may also use Perso-Arabic script. Your consent banner needs proper dir="rtl" handling and layout mirroring for the Urdu variant. Hardcoded physical properties such as padding-left or text-align: left do not flip when the text direction changes, so the right-to-left layout breaks. Use CSS logical properties (margin-inline-start) and test every language variant.
Dynamic switching. Switching from Hindi to Urdu requires changing text direction, reloading fonts, and reflowing layout. Switching from English to Tamil requires adjusting line heights. The language selector must trigger a full content and layout swap, not just text substitution.
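The direction, font and language-attribute changes described above can be driven from a single lookup, shown here as an added example that is not CookieBeam's code. The function names, the language tags and the default script chosen for each language are assumptions of this example.

```javascript
// Default script (ISO 15924) per language. These defaults are assumptions for
// this example; confirm the script each translation is actually written in.
const DEFAULT_SCRIPT = new Map(Object.entries({
  en: 'Latn', as: 'Beng', bn: 'Beng', brx: 'Deva', doi: 'Deva', gu: 'Gujr',
  hi: 'Deva', kn: 'Knda', ks: 'Arab', kok: 'Deva', mai: 'Deva', ml: 'Mlym',
  mni: 'Beng', mr: 'Deva', ne: 'Deva', or: 'Orya', pa: 'Guru', sa: 'Deva',
  sat: 'Olck', sd: 'Arab', ta: 'Taml', te: 'Telu', ur: 'Arab',
}));
// Noto Sans family to self-host for each script.
const FONT_BY_SCRIPT = new Map(Object.entries({
  Latn: 'Noto Sans', Deva: 'Noto Sans Devanagari', Beng: 'Noto Sans Bengali',
  Gujr: 'Noto Sans Gujarati', Knda: 'Noto Sans Kannada', Mlym: 'Noto Sans Malayalam',
  Orya: 'Noto Sans Oriya', Guru: 'Noto Sans Gurmukhi', Olck: 'Noto Sans Ol Chiki',
  Taml: 'Noto Sans Tamil', Telu: 'Noto Sans Telugu', Arab: 'Noto Sans Arabic',
}));
const RTL_SCRIPTS = new Set(['Arab']);

// Resolve a BCP 47 tag ("ur", "hi-IN", "sd-Deva") to banner layout settings.
// Direction follows the script, not the language, so "sd-Deva" stays LTR.
function resolveBannerLocale(tag) {
  const [rawLang, ...rest] = String(tag).trim().split(/[-_]/);
  const lang = rawLang.toLowerCase();
  if (!DEFAULT_SCRIPT.has(lang)) {
    // Unknown language: fall back to English and flag it so the gap is visible.
    return { lang: 'en', script: 'Latn', dir: 'ltr', font: 'Noto Sans', supported: false };
  }
  const fallback = DEFAULT_SCRIPT.get(lang);
  const sub = rest.find((p) => /^[a-z]{4}$/i.test(p));
  const wanted = sub ? sub[0].toUpperCase() + sub.slice(1).toLowerCase() : fallback;
  const script = FONT_BY_SCRIPT.has(wanted) ? wanted : fallback;
  return {
    lang: script === fallback ? lang : `${lang}-${script}`,
    script,
    dir: RTL_SCRIPTS.has(script) ? 'rtl' : 'ltr',
    font: FONT_BY_SCRIPT.get(script),
    supported: true,
  };
}

// Apply to the banner root (any object exposing lang, dir and style, such as an
// HTMLElement). The caller swaps the translated strings in the same step.
function applyBannerLocale(el, tag) {
  const loc = resolveBannerLocale(tag);
  el.lang = loc.lang;
  el.dir = loc.dir;
  el.style.fontFamily = `"${loc.font}", sans-serif`;
  return loc;
}
```

Because direction is derived from the script, a Sindhi translation supplied in Devanagari is laid out left-to-right without a separate code path, and an unsupported tag is reported through the supported flag instead of silently rendering English.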
Single-Click Withdrawal: Symmetry as Law
Section 6(4) of the DPDP Act establishes a principle the GDPR hints at but doesn't enforce this strictly: withdrawing consent must be as easy as giving it. If a user consented with one click, withdrawal must also be one click.
This invalidates several common patterns:
- Withdrawal via account settings three menus deep — non-compliant.
- Email confirmation to withdraw — non-compliant. More steps than the original consent.
- "Contact us to manage your preferences" — non-compliant if consent was automated.
The penalty for obstructing withdrawal is up to ₹50 crore (roughly €5.6 million). Dark patterns that nudge users away from withdrawal are explicitly treated as violations.
The solution: a persistent privacy icon or footer link that reopens the preference center with a one-click "Withdraw All" option. If your banner already supports this, you're ahead. If not, solve it before May 2027. Our cookie banner design guide covers the UX mechanics.
DPDP Act vs GDPR vs CCPA: How They Compare
| Aspect | DPDP Act (India) | GDPR (EU) | CCPA/CPRA (California) |
|---|---|---|---|
| Consent model | Opt-in required; specific, informed, unconditional | Opt-in required; freely given, specific, informed | Opt-out for sale/sharing of personal information |
| Language requirements | English + 22 scheduled languages | Language of the member state (practical expectation) | No specific language mandate |
| Consent intermediary | Registered Consent Manager (licensed entity) | No formal intermediary role | No formal intermediary role |
| Maximum penalty | ₹250 crore (~€28M) per contravention | €20M or 4% global turnover | $7,500 per intentional violation |
| Withdrawal symmetry | Explicit: withdrawal must be as easy as giving consent | Implied: must be possible to withdraw at any time | Opt-out links required; no symmetry mandate |
| Enforcement body | Data Protection Board of India (single authority) | Per-member-state DPAs, coordinated by EDPB | California Privacy Protection Agency + AG |
| Extraterritorial reach | Applies to processing of Indian residents' data | Applies to processing of EU/EEA residents' data | Applies to California residents' data |
| Cookie-specific rules | General consent rules apply; no dedicated cookie law | ePrivacy Directive sets explicit cookie-consent requirements | No dedicated cookie rules; general PI definitions apply |
What Makes the DPDP Act Different
Three structural differences change how you architect consent for Indian traffic:
The Consent Manager layer. No other major privacy law creates a registered intermediary between users and businesses. The DPDP Act envisions users managing consent across all services from a single Consent Manager dashboard. Data Fiduciaries will need to support interoperability with these registered entities — likely through standardized APIs that haven't been fully specified yet.
No cookie-specific carve-out. Like Brazil's LGPD, the DPDP Act has no equivalent of the EU's ePrivacy Directive. Cookies are governed by the Act's general consent provisions. The test is whether the cookie processes personal data and whether you have valid consent.
Fixed-cap penalties. GDPR penalties scale with global turnover. DPDP penalties are fixed caps per contravention: ₹250 crore for security failures, ₹200 crore for processing without consent, ₹50 crore for obstructing withdrawal. For smaller companies, these can be proportionally harsher. Appeals require depositing 50% of the penalty amount upfront.
Impact on Global Websites
If you receive Indian traffic — and with 900+ million internet users, most international sites do — the DPDP Act creates practical obligations:
- Opt-in consent for Indian visitors: Analytics and advertising cookies require consent, just as with GDPR. Extending your existing consent banner to Indian traffic is the natural approach.
- 22-language availability: Hindi and English cover the largest user base, but compliance requires all 22 scheduled languages on request.
- Single-click withdrawal: If your banner offers a one-click "Accept," withdrawal must also be one click.
- Interoperability readiness: As registered Consent Managers come online in late 2026, Data Fiduciaries may need to integrate with them via standardized APIs. Building on structured, queryable consent records positions you well.
For companies already running a regional consent setup, India becomes another region with its own rule set. For companies running a single global banner, this is where region-specific logic becomes unavoidable.
DPDP Act Readiness Checklist for Global Websites
- Audit your Indian traffic: Use analytics to identify what percentage of visitors come from India. If it's material, the DPDP Act applies to your processing of their data.
- Extend consent collection to Indian visitors: If you don't already gate analytics and marketing cookies behind consent for Indian traffic, implement opt-in consent now.
- Add Hindi and English consent text at minimum: Full compliance requires all 22 scheduled languages, but Hindi and English cover the widest base for initial rollout.
- Test complex script rendering in your banner: Devanagari, Tamil, Bengali, and other Brahmic scripts need font and shaping validation. Broken ligatures are not "clear and plain language."
- Implement single-click withdrawal: A persistent privacy icon or footer link that reopens the preference center with a one-click revoke option.
- Validate Urdu RTL rendering: Test your banner with dir="rtl" for Urdu. Check layout mirroring, text alignment, and bidirectional text isolation.
- Build structured consent records: Log consent decisions in a queryable format. Consent Managers will likely require API-based access to consent state.
- Monitor the DPBI for registration guidance: Consent Manager registration opens November 2026. Interoperability requirements will shape how your consent data must be structured.
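The single-click withdrawal requirement and the structured consent records item above fit together in one append-only ledger, shown here as an added example that is not CookieBeam's code or any Consent Manager API. The class, method and field names are hypothetical, and the sample purposes are constructed.

```javascript
// Append-only consent ledger. Current state is derived by replaying events,
// so every grant and withdrawal stays queryable with its timestamp.
class ConsentLedger {
  // `now` is injectable so the ledger can be exercised with a fixed clock.
  constructor(now = () => new Date().toISOString()) {
    this.events = [];
    this.now = now;
  }

  // principalId should be a pseudonymous identifier, not an email or name.
  // noticeLang records the language the consent notice was shown in.
  record(principalId, purpose, granted, noticeLang) {
    const event = Object.freeze({ principalId, purpose, granted, noticeLang, at: this.now() });
    this.events.push(event);
    return event;
  }

  grant(principalId, purposes, noticeLang) {
    return purposes.map((p) => this.record(principalId, p, true, noticeLang));
  }

  // One call with no confirmation step, mirroring a one-click "Accept all".
  withdrawAll(principalId, noticeLang) {
    return this.activePurposes(principalId)
      .map((p) => this.record(principalId, p, false, noticeLang));
  }

  // Replay the log: the latest event per purpose wins.
  activePurposes(principalId) {
    const state = new Map();
    for (const e of this.events) {
      if (e.principalId === principalId) state.set(e.purpose, e.granted);
    }
    return [...state].filter(([, granted]) => granted).map(([purpose]) => purpose);
  }

  // Script-loading gate: deny unless the latest event for the purpose is a grant.
  isAllowed(principalId, purpose) {
    return this.activePurposes(principalId).includes(purpose);
  }

  history(principalId) {
    return this.events.filter((e) => e.principalId === principalId);
  }
}
```

Wire withdrawAll directly to the persistent "Withdraw All" control and call isAllowed before injecting each analytics or advertising tag, so a withdrawal takes effect on the next gate check while the earlier grants remain in the history.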
What CookieBeam Is Doing
CookieBeam already supports capabilities that map to DPDP Act requirements:
- Multi-language banners: The banner engine supports dynamic language switching. We're expanding coverage to all 22 Eighth Schedule languages with proper script rendering.
- Regional consent rules: CookieBeam's regional consent architecture adapts behavior per visitor location. India will be configurable as a region with its own consent model and language defaults.
- Single-click withdrawal: The banner supports a persistent preference trigger that reopens the consent interface with one-click category-level control.
- Consent logging: Every decision is logged with timestamps, purposes, and consent state — the foundation for Consent Manager interoperability.
- Script blocking: Non-essential scripts are blocked until consent — the enforcement that makes consent meaningful.
We're monitoring the DPBI's rulemaking closely, particularly the Consent Manager interoperability specs. To be clear: CookieBeam is a consent management tool for Data Fiduciaries, not a registered Consent Manager intermediary. Our job is making sure the consent you collect meets the DPDP Act's standards for validity, language accessibility, and withdrawal ease.
The Bottom Line
India's DPDP Act doesn't reinvent privacy law, but it adds requirements that no other major regulation demands: a registered Consent Manager intermediary, mandatory consent availability in 22 languages spanning 10+ scripts, and an explicit single-click withdrawal mandate backed by fixed-cap penalties. The May 2027 deadline arrives with no grace period. If your website has Indian traffic and you're not already running a consent banner that handles multilingual content and easy withdrawal, now is the time to start — not when the enforcement notices land.
Related Guides
For regional consent architecture, see Regional Consent: One Banner for Global Sites. For multilingual banner implementation, see Multi-Language Cookie Banner Localization. For broader regulatory comparisons, read GDPR vs CCPA vs PECR and LGPD Compliance for Websites. For the technical foundation of consent enforcement, see How to Block Scripts Until Cookie Consent.
For authoritative sources, see the MeitY Data Protection Framework, the full text of the DPDP Act, 2023, and the India Briefing analysis of the DPDP Rules 2025.