IT Brief India - Technology news for CIOs & IT decision-makers
India
Editorial india cookies tracking flows into buildings flat illustration
#
Data Protection
#
Risk & Compliance
#
Data Privacy

Indian websites fail to seek consent for tracking data

Tue, 24th Mar 2026
Author image
By Kaleah Salmon, News Editor

ComplyZero Research found that 95.9% of Indian websites collect user data without any consent mechanism. The study covered more than 6,000 websites across 24 sectors.

It examined more than 84,000 tracking cookies and found that only 249 websites presented users with any form of consent request. On the rest, tracking technologies were placed on users' devices without disclosure or any option to refuse.

The findings highlight a significant gap between current website practices and the requirements of India's Digital Personal Data Protection Act, which requires informed, specific consent before personal data is collected. The law applies to private companies and public bodies alike, and compliance was especially low among government websites.

Of the 1,154 government websites analysed, only two displayed any consent notice. That translates to a compliance rate of 0.2%, making the public sector the weakest performer in the survey.

Tracking Patterns

The problem extended beyond the absence of consent banners. Among the small number of websites that did request consent, nearly 80% began tracking users before they had a chance to respond, while almost two-thirds offered only an "Accept" button without a clear option to decline.

The study also found that 82% of the tracking technologies identified served non-essential purposes, mainly marketing and advertising. Just 18% were classified as functional or essential to site operations.

Media websites recorded the heaviest use of trackers, averaging 30 tracking technologies per page. E-commerce and retail websites followed, with an average of 24 cookies per visit.

The figures suggest that extensive user monitoring remains routine across some of India's most visible consumer-facing sectors. They also indicate that many websites may need to redesign how they handle consent to meet the law's requirements.

Legal Risk

Under the DPDP framework, organisations that collect personal data can face penalties of up to ₹250 crore for each violation. The rules cover data gathered through website tracking as well as information such as names, phone numbers, email addresses and payment details.

The law's scope extends beyond large internet groups. Healthcare providers, gyms, retailers and other businesses that collect personal information from customers are also treated as data fiduciaries. They must secure consent, protect the data they hold, and provide ways for individuals to access, correct or erase their records.

Dr Pavan Duggal, advocate at the Supreme Court of India, commented on the findings.

"The DPDP Act is a game-changing legislation that applies to all data fiduciaries and the cookies deployed by them for notice and consent requirement purposes. Non-compliance can pose an existential threat to data fiduciaries in the form of exposure to unprecedented fines up to ₹250 crores, payable to the government," Duggal said.

His remarks underline the financial stakes for organisations that have yet to change their data collection practices. The study noted that the Data Protection Board of India is already operational, adding to pressure on businesses to review how they manage digital consent.

Compliance Gap

The research aimed to assess how prepared Indian websites are for the consent rules under the DPDP regime. The results suggest that many have yet to begin even basic compliance work, despite the law's broad reach.

That gap may reflect a lack of legal awareness rather than a lack of software tools. Consent management systems are already common in other markets with privacy regulations, but the findings indicate they have not been widely adopted across India.

"We set out to answer a simple question: how prepared are Indian websites for the DPDP Act? The answer, based on 6,000+ websites across 24 sectors, is that the vast majority have not started," said Virat Shah, founder of ComplyZero. "This is not a technology problem. The tools to implement consent exist and are accessible. What is missing is awareness that this is now a legal requirement, not a best practice."

Related stories
Accounting software faces AI rivals in bookkeeping shift
Supporting service providers with their global ambitions
Sinch named leader in IDC communications platform study
Databricks names Simon Davies to lead APJ expansion
Proof beats promise: The trust crisis AI is creating

Top stories

Adobe launches CX Enterprise to unify AI customer workflows
Adobe expands AI partner network for customer experience
BlackLine launches AI financial ops model for CFOs
Sysdig report says cloud security shifts to machine speed
Rithum launches SupplyExplorer to speed supplier discovery