12 cookie-control mistakes Indian websites make — and the one-hour fix for each

We've scanned thousands of Indian websites. The same twelve cookie-control mistakes show up over and over — most of them attractive to enforcement because they're visible from the public web. Here's each one, why it's risky under DPDP, and the under-60-minute fix.

10 Jun 2026 · 10 min read

The DPDP Act treats cookies that identify a user as personal data. That means almost every analytics, advertising or session cookie on your site is in scope. Scanners — including the Data Protection Board's eventual ones — will spot these without logging in or asking questions. Here are the twelve most common findings, ordered by how often we see them.

**1. No banner at all.** The site fires Google Analytics, Meta pixel and 6+ other trackers on first load. Fix: ship a basic DPDP banner via the checkDPDP banner builder — 30 minutes including ownership verification.

**2. Pre-ticked checkboxes.** The preference centre opens with everything ON. DPDP requires unambiguous consent — pre-tick = no consent. Fix: default all non-essential categories to OFF in your banner config.

**3. 'Accept' more prominent than 'Reject'.** Big green Accept button, small grey 'Manage' link. DPDP requires the choices to be balanced. Fix: same visual weight; the checkDPDP banner enforces this by default.

**4. Reject hidden behind a sub-menu.** User has to click 'Manage' → uncheck each box → 'Save'. Fix: add a top-level 'Reject non-essential' button equal in prominence to 'Accept all'.

**5. Cookies fire before consent.** Trackers load on the very first request. Fix: gate every non-essential SDK behind the 'checkdpdp:consent' event your banner emits — your dev can wire this in under an hour.

**6. Banner blocks site without giving choice.** Modal with only 'Accept'. Fix: every banner must offer three options — Accept / Reject / Manage.

**7. Persistent cookies without expiry disclosure.** Banner doesn't say _2 years_ for `_ga`. Fix: declare expiry per cookie in the banner config; the checkDPDP UI does this for you.

**8. No withdraw path.** Once consented, no way to change preferences. Fix: persistent 'Manage cookies' link in footer that re-opens the banner.

**9. Country-blind banner.** Same banner for India and EU; ends up confusing both. Fix: at minimum, add an India-specific copy variant noting the DPDP Act 2023.

**10. Untracked third-party iframes.** YouTube embeds, Calendly widgets fire trackers your CMP doesn't know about. Fix: lazy-load these behind a click-to-load placeholder until the user consents.

**11. No grievance contact on banner or notice.** Section 5 requires a contact for rights. Fix: add a Grievance Officer email to both the banner footer and the privacy notice.

**12. Banner not tested on mobile.** Reject button cut off, modal blocks the whole screen. Fix: shadow-DOM banners can't be styled away by mobile CSS — use one. Test on a real device.
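
One way to wire the gate from mistake 5, as an added example that is not checkDPDP's own code. The event name `checkdpdp:consent` comes from the text above; the `event.detail` shape (a category-to-boolean map), the `createConsentGate` helper and the category names are assumptions.

```javascript
// Added example. ASSUMPTION: the banner dispatches 'checkdpdp:consent' with
// event.detail = { analytics: true|false, advertising: true|false, ... }.
const CONSENT_EVENT = 'checkdpdp:consent';

// createConsentGate is a hypothetical helper, not a checkDPDP API.
function createConsentGate(target) {
  const pending = new Map(); // category -> loaders waiting for consent
  const granted = new Set(); // categories the user has accepted
  const loaded = [];         // SDK names actually loaded, for auditing

  function run(entry) {
    entry.load();
    loaded.push(entry.name);
  }

  target.addEventListener(CONSENT_EVENT, (event) => {
    const detail = event.detail;
    // Fail closed: an event without a consent map loads nothing.
    if (!detail || typeof detail !== 'object') return;
    for (const [category, value] of Object.entries(detail)) {
      if (value === true) {
        granted.add(category);
        const queue = pending.get(category) || [];
        pending.delete(category); // each loader runs at most once
        queue.forEach(run);
      } else {
        // Withdrawal blocks future loads; SDKs already running still
        // need a reload or their own opt-out call to stop.
        granted.delete(category);
      }
    }
  });

  return {
    // Queue a non-essential SDK; it loads only once its category is granted.
    register(name, category, load) {
      const entry = { name, load };
      if (granted.has(category)) return run(entry);
      if (!pending.has(category)) pending.set(category, []);
      pending.get(category).push(entry);
    },
    loaded: () => [...loaded],
    pendingCount: () =>
      [...pending.values()].reduce((n, queue) => n + queue.length, 0),
  };
}
```

In a browser, pass `window` (assuming that is where the banner dispatches the event) and have each `load` callback inject the vendor's script tag, so that no non-essential tag sits in the initial HTML.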

Fix all twelve and you've moved from 'fail' to 'pass' on the cookie-consent category of the checkDPDP scanner — which mirrors the test the Board is most likely to run first.

Note. Guidance, not legal advice. For specific compliance decisions, please consult a qualified data-protection lawyer.
