India’s top websites falling short on cookie consent, reveals ASCI

Cookies—those tiny data packets nestled in our browsers—have long been the invisible workhorses of the internet. They quietly keep track of your preferences, remember what’s in your shopping cart, and ensure that the ads stalking you across websites remain eerily relevant. But with India’s Digital Personal Data Protection Act (DPDPA) tightening the noose on how personal data is collected, cookies are now facing their moment of reckoning. The Advertising Standards Council of India (ASCI), in partnership with PSA Legal and Tsaaro Consulting, has launched an in-depth white paper titled ‘Navigating Cookies.’ The report aims to provide comprehensive insights into the complexities surrounding cookies and their role in digital advertising.

For years, businesses enjoyed free rein in using cookies to profile users, delivering convenience and targeted ads without much oversight. However the DPDPA has turned up the heat, demanding transparency, explicit consent, and respect for user autonomy. No more sneaky pre-ticked boxes or labyrinthine settings to opt out of tracking. As per the report, if companies don’t shape up, the penalties are eye-watering: fines ranging from Rs 10,000 to Rs 250 crore.

So, how are Indian businesses coping with this crackdown? Not very well, as it turns out.

A wake-up call for Indian websites

ASCI’s analysis of India’s top 50 websites paints a grim picture. Only 6% have implemented cookie banners, and even these half-hearted efforts leave much to be desired. Most banners lack the option to reject cookies or give users granular control over which data gets collected. Instead, users are presented with a bright, friendly ‘Accept All’ button, while the ‘No, thanks’ option—if it even exists—is buried in fine print.

It’s an embarrassing performance, especially for sectors like media and healthcare, which handle vast amounts of sensitive user data. Even the relatively compliant e-commerce and banking sectors have a long way to go before their practices align with global standards.

The DPDPA doesn’t just stop at cookies; it mandates that businesses provide consent notices in English and all 22 recognised Indian languages. This requirement alone is enough to send tech teams scrambling, but it’s just the tip of the iceberg. Companies must also obtain verifiable parental consent for users under 18, set up mechanisms for consent withdrawal, and periodically review their data practices.

Lessons from the global stage

If Indian businesses want a survival guide, they need only look west. Europe’s General Data Protection Regulation (GDPR) has been laying down the law on cookies for years, with fines that make headlines. Amazon France was slapped with a €35 million penalty for failing to inform users about cookie usage, while Meta faced scrutiny in Denmark for forcing users to accept all cookies under a single consent banner.

California’s Consumer Privacy Act (CCPA) and regulations in countries like Spain and Italy also offer a sobering lesson: there’s no room for cookie walls or coercive consent models. Users must have the freedom to say ‘no’ without being locked out of content.

Dark patterns and the ‘consent or pay’ dilemma

One of the most insidious challenges in cookie compliance is the rise of dark patterns—deceptive interface designs that nudge users into making choices against their best interests. Ever noticed how the ‘Accept All’ button is bold, colorful, and inviting, while the ‘Manage Preferences’ option is hidden in dull text? That’s no accident.

Then there’s the contentious ‘Consent or Pay’ model, where users must either accept all cookies or fork over cash to access the website. Critics argue this creates a ‘cookie wall,’ effectively holding free content hostage unless users agree to be tracked.

The DPDPA explicitly frowns upon such tactics, and rightly so. Consent, as the law reminds us, must be free, specific, informed, and revocable at any time. Anything less is a direct assault on user autonomy.

The price of non-compliance

The stakes are high, and the risks of non-compliance extend beyond hefty fines. Trust is a fragile currency in the digital age, and businesses that fail to respect user privacy will quickly find themselves out of favour. Consumers are no longer passive participants; they are waking up to their rights and demanding transparency.

For advertisers and website owners, this means investing in user-friendly cookie banners that offer clear choices. Automation tools can help streamline consent tracking and ensure compliance across jurisdictions. But let’s not sugarcoat it—compliance comes with its own set of challenges, especially for smaller businesses with limited resources.

Can Indian businesses adapt?

The short answer is: they don’t have a choice. The DPDPA is here, and with it, a new era of accountability. For too long, cookies have been the silent operators of the digital world, doing their job without asking for permission. That era is over.

Businesses that embrace transparency and prioritise user control will not only avoid penalties but also position themselves as leaders in a privacy-conscious marketplace. The rest? They’ll either learn the hard way or fade into irrelevance.

As cookies crumble under the weight of regulation, the question isn’t whether businesses can afford to comply. It’s whether they can afford not to.