96% of Indian Websites Collect User Data Without Consent, Reveals Largest DPDP Compliance Study

VMPL

The report, titled “The State of Cookie Compliance in India, 2026,” analysed more than 6,000 websites across 24 industry sectors and evaluated over 84,000 tracking cookies to assess India’s preparedness for the DPDP Act’s consent requirements. The findings suggest that the vast majority of organisations are significantly underprepared for compliance obligations ahead of full enforcement scheduled in May 2027.

Key Findings from the Study

The research highlights a critical compliance gap across industries:

– Only 4.1% of websites (249 out of 6,000+) display any form of user consent mechanism.

– 95.9% of websites deploy tracking cookies without disclosure or consent.

– Government websites showed the lowest compliance, with only 2 out of 1,154 websites providing consent notices.

– Nearly 80% of websites begin tracking users before consent is granted.

– Around 82% of tracking technologies are used for marketing or advertising purposes, rather than essential website functionality.

– Media websites were the most aggressive trackers, averaging 30 tracking technologies per page, followed by e-commerce websites with an average of 24 cookies per visit.

These findings indicate a widespread lack of readiness among Indian businesses, despite the DPDP Act’s requirement for clear notice and informed user consent before collecting personal data.

Legal Perspective on DPDP Compliance

According to Dr. Pavan Duggal, Advocate at the Supreme Court of India and a leading authority on cyber law:

“The DPDP Act is a game-changing legislation that applies to all data fiduciaries. Non-compliance can pose an existential threat to organisations due to potential penalties of up to ₹250 crores per violation.”

The DPDP Act applies not only to digital businesses but to any organisation collecting personal data, including healthcare providers, educational institutions, retailers, and service providers. Organisations must ensure proper consent collection, secure storage of personal data, and provide individuals the ability to access, correct, or erase their data upon request.

Growing Compliance Gap Ahead of 2027 Enforcement

With the Data Protection Board of India (DPBI) already operational, businesses must take proactive steps to ensure compliance before enforcement begins in 2027. Each violation of the DPDP Act can attract penalties of up to ₹250 crore, creating significant legal and financial risk for non-compliant organisations.

Virat Shah, Founder of ComplyZero, emphasised the urgency of awareness and preparedness:

“This is not a technology problem. The tools to implement cookie consent already exist. What is missing is awareness that consent is now a legal requirement, not just a best practice.”

About the Study

The research was conducted in February 2026 by ComplyZero Research, covering over 6,000 websites across sectors including government, banking, healthcare, education, media, and e-commerce. The report represents the most comprehensive analysis of DPDP cookie consent compliance conducted in India to date.

The full report is available at:

https://www.complyzero.com/research/state-of-cookie-compliance-india-2026

About ComplyZero

ComplyZero is India’s first self-serve DPDP compliance platform designed to help businesses implement cookie consent, privacy notices, and data protection compliance within minutes. The platform offers automated cookie scanning, multilingual consent management across 22 Indian languages, and audit-ready compliance records tailored to the requirements of the Digital Personal Data Protection Act, 2023.

Media Contact

Mansi Mehta

Picture Perfect Communication

9833201004

P2communication@gmail.com

(ADVERTORIAL DISCLAIMER: The above press release has been provided by VMPL. ANI will not be responsible in any way for the content of the same.)

This story is auto-generated from a syndicated feed. ThePrint holds no responsibility for its content.