
DPDP 2023 Compliance for Indian Analytics Teams: What Your Tags Must Do Now

Swapnil Jaykar · 29 Mar 2026 · 10 min read

What the DPDP Act Requires for Analytics Tags

India’s Digital Personal Data Protection Act, 2023 (DPDP) became law on 11 August 2023. The Act applies to any organisation that processes digital personal data of individuals in India. For analytics and marketing teams, the relevant provisions are in Sections 4, 5, 6, and 9.

Section 4 defines personal data as any data that identifies or relates to an identifiable individual. This includes cookie IDs, device fingerprints, IP addresses, and client IDs — all of which are generated by GA4, Meta Pixel, and every other analytics tag.

Section 6 requires consent before processing personal data. The consent must be “free, specific, informed, unconditional and unambiguous with a clear affirmative action.” This means: no pre-checked boxes, no implied consent from continued browsing, no bundled consent. The user must actively opt in before any analytics tag fires.

Section 9 grants data principals (users) the right to withdraw consent at any time. Withdrawal must be as easy as granting consent. Once withdrawn, processing must stop — which means analytics tags must stop firing for that user immediately.

Why Most Indian Sites Are Non-Compliant

The majority of Indian websites run GTM containers that were set up in 2020–2022, before the DPDP Act. These containers load every tag on every page load with no consent gating. There is no CMP banner, no consent state management, and no mechanism to honour withdrawal.

Even sites that have added a cookie banner are often non-compliant because:

  • The banner uses pre-selected “Accept All” as the default action
  • Tags fire before the user interacts with the banner
  • The “Reject” button does not actually block tag firing
  • Consent state is not persisted across sessions (the banner reappears, but tags fired in the previous session without renewed consent)
  • There is no mechanism to withdraw consent after it is granted

The DPDP Act specifies penalties up to ₹250 crore for significant data breaches and ₹200 crore for non-compliance with consent obligations. The Data Protection Board of India (DPBI) has enforcement authority, and while enforcement activity is still ramping up, the legal exposure is real and growing.

Technical Requirements for DPDP-Compliant Tag Management

To bring a GTM container into DPDP compliance, you need four things:

1. Consent Management Platform (CMP)

Deploy a CMP that presents a clear consent banner with separate “Accept” and “Reject” options. The banner must load before any analytics tags fire. The CMP must record consent with a timestamp and provide a mechanism for users to change their preference later.

For Indian sites, there is no IAB TCF equivalent mandated (TCF is a European framework). But the CMP must still meet the DPDP’s “free, specific, informed” requirements. This means no dark patterns, no pre-checked boxes, and no “Accept All or leave” binary choices.

2. Default-Denied Tag Configuration

Every tag in GTM must have a consent-based trigger exception. Before consent is granted, no tag that processes personal data should fire. In GTM, this means:

  • Using Consent Initialization triggers to set the default consent state to denied
  • Configuring Google tags to respect Consent Mode v2
  • Configuring non-Google tags with trigger exceptions that check a consent variable
  • Testing that zero tracking requests leave the browser before consent is granted

3. Consent Withdrawal Mechanism

Section 9 requires that users can withdraw consent. Technically, this means: the CMP must provide a persistent link or button (typically in the footer or privacy settings) that allows users to revoke consent. When revoked, the CMP must update the consent state, and all analytics tags must stop firing immediately — not on the next page load, but on the current page.

4. Consent Records

You must maintain records of consent: who consented, when, to what, and through what mechanism. The DPBI can request these records during an audit. Your CMP should log consent events with timestamps, IP addresses (hashed), and the version of the consent notice the user saw.
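The four requirements above can be tied together in one small consent gate. This is an added sketch, not code from the article or from any CMP vendor: `gtag`, `dataLayer` and the four Consent Mode v2 keys are Google's documented interface, while `createConsentGate`, `noticeVersion` and `mechanism` are hypothetical names. It assumes the CMP calls `grant` and `withdraw` from explicit user clicks.

```javascript
// Added example: createConsentGate and its field names are hypothetical.
// gtag/dataLayer and the four Consent Mode v2 keys are Google's documented API.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); }

const V2_KEYS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];
const allKeys = (value) => Object.fromEntries(V2_KEYS.map((k) => [k, value]));

function createConsentGate(noticeVersion, now = () => new Date().toISOString()) {
  let granted = false;
  let blocked = 0;
  const records = []; // step 4: ship these to server-side storage; add the hashed IP there

  // Step 2: default-denied. This must run before the GTM snippet or any tag loads.
  gtag('consent', 'default', allKeys('denied'));

  function record(action, mechanism) {
    records.push({ action, mechanism, noticeVersion, timestamp: now() });
  }

  return {
    records,
    blockedCount: () => blocked,
    // Wrap every non-Google tag call; nothing runs unless the user has opted in.
    fire(tagFn) {
      if (!granted) { blocked += 1; return false; }
      tagFn();
      return true;
    },
    // Step 1: call only from an explicit click on the banner's "Accept" control.
    grant(mechanism) {
      granted = true;
      gtag('consent', 'update', allKeys('granted'));
      record('granted', mechanism);
    },
    // Step 3: takes effect on the current page, not the next page load.
    withdraw(mechanism) {
      granted = false;
      gtag('consent', 'update', allKeys('denied'));
      record('withdrawn', mechanism);
    },
  };
}
```

A non-zero `blockedCount()` before opt-in is expected; a tracking request seen in the network panel during the same window is the failure to look for.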

Continuous Compliance Verification

Setting up consent gating once is not enough. Compliance is not a deployment — it is a continuous state. Tags can drift out of compliance when:

  • A new GTM version is published that adds a tag without consent gating
  • A CMP update changes the consent group configuration
  • A website redesign removes the consent banner from specific page templates
  • A third-party tag updates its JavaScript and begins setting cookies before the consent check

Automated tag monitoring verifies consent compliance on every page load. It checks whether any tag fires before consent is granted, whether non-Google tags respect the consent state, and whether consent withdrawal actually stops tag firing. Violations trigger alerts within minutes, not months.
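The checks described above can be expressed as a comparison of a network capture against the consent timeline of the same session. This is an added example, not the article's or any product's code: `findConsentViolations`, the tracker host list and the sample session are constructed assumptions to adapt per site.

```javascript
// Added example: function name, host list and sample capture are constructed assumptions.
const TRACKER_HOSTS = new Set([
  'www.google-analytics.com', // GA4 collection endpoint host
  'www.facebook.com',         // Meta Pixel /tr endpoint host
]);

// consentEvents: [{ t, state }] where state is 'granted' or 'denied'; t in ms since page start.
// requests: [{ t, url }] taken from a browser network capture of the same session.
function findConsentViolations(consentEvents, requests) {
  const timeline = [...consentEvents].sort((a, b) => a.t - b.t);
  const violations = [];
  for (const req of requests) {
    if (!TRACKER_HOSTS.has(new URL(req.url).hostname)) continue;
    // Consent in force at request time; the default before any event is denied.
    const earlier = timeline.filter((ev) => ev.t <= req.t);
    const current = earlier.length ? earlier[earlier.length - 1].state : 'denied';
    if (current === 'granted') continue;
    const everGranted = earlier.some((ev) => ev.state === 'granted');
    violations.push({ t: req.t, url: req.url,
      reason: everGranted ? 'fired-after-withdrawal' : 'fired-before-consent' });
  }
  return violations;
}

// Constructed sample session: accept at 5 s, withdraw at 20 s.
const sampleConsent = [{ t: 5000, state: 'granted' }, { t: 20000, state: 'denied' }];
const sampleRequests = [
  { t: 1200, url: 'https://www.google-analytics.com/g/collect?v=2' },
  { t: 1300, url: 'https://shop.example/static/app.js' },
  { t: 6000, url: 'https://www.google-analytics.com/g/collect?v=2' },
  { t: 21000, url: 'https://www.facebook.com/tr?ev=PageView' },
];
console.log(findConsentViolations(sampleConsent, sampleRequests));
```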

TagDrishti monitors this automatically

Across every tag, every page, 24/7. Set it up in 5 minutes. No GTM dependency. No developer required.

Start 14-day free trial →
