
The Digital Personal Data Protection Act, 2023 (DPDP Act) does not directly address whether online identifiers such as an IP address or a cookie qualify as “personal data” under the Act. To establish that they do, one must look to a broader interpretation of the statutory definitions and to the functional role these identifiers play in identifying a person.

Personal data is defined in Section 2(t) of the Act as “any data about an individual who is identifiable by or in relation to such data.” Since “any data” is included in the definition, it is reasonable to presume that the term “personal data” should be interpreted as broadly as possible. A close reading of the section further reveals that the definition covers both direct and indirect identifiers that render an individual identifiable, whether they are read separately or in combination with other information.

Direct and indirect identifiers are not explicitly defined under the DPDP Act. However, reference may be taken from how they are ordinarily interpreted under data protection regimes.

Information that may uniquely identify people without the need for other data points is known as a direct identifier. Full names and identification numbers (such as Social Security numbers or other unique identifiers) are some examples of these. Physical attributes and dates of birth are examples of indirect identifiers (non-unique features) that can still be used to identify an individual, but they must be combined with other pieces of information to do so.

While the Act provides a broad definition for personal data, the specific definition of an ‘identifier’ provides a more granular look at the types of data points that facilitate the identification of individuals (Data Principals).

In clause 5 of Rule 14 under the Digital Personal Data Protection Rules, 2025, identifier has been defined as “any sequence of characters issued by the Data Fiduciary to identify the Data Principal and includes a customer identification file number, customer acquisition form number, application reference number, enrolment ID, email address, mobile number or licence number that enables such identification.” Since Section 2(t) covers any data that makes an individual identifiable, and the definition of an identifier explicitly states that it is a sequence of characters used “to identify” and that “enables such identification,” it follows that every identifier is a form of personal data. The identifier is the specific data point by which the individual becomes “identifiable.”

Whether Cookies and IP Addresses Qualify as Personal Data

It has thus been established that identifiers would be considered personal data under Section 2(t) of the DPDP Act, 2023. However, there is still uncertainty as to whether online identifiers, including IP addresses and cookies, would be regarded as personal data under the Act.

As a result, the Business Requirement Document for Consent Management under the DPDP Act, 2023 (henceforth referred to as BRDCM) has been relied upon here to support the claim.

The BRDCM, under heading 4.2, Cookie Consent, states that the ultimate objective of cookie consent management is to make sure that users (Data Principals) are aware of the tracking technologies and cookies used on websites and applications, giving them the option to provide, change, or revoke consent for their usage.

From the above definition, we can establish that cookies are a type of tracking technology, subject to the condition that their use must only be allowed with the consent of users (referred to as Data Principals under the DPDP Act, 2023), who can withdraw, modify, or grant consent to the websites/applications (Data Fiduciaries).

One of the features of cookie consent specified in the BRDCM is Granular Consent Options, which allow users to consent to specific categories of cookies, such as essential, performance, analytics, and marketing cookies. Four categories of cookies are listed here: (i) essential cookies, (ii) performance cookies, (iii) analytics cookies, and (iv) marketing cookies.

However, the Default Settings under the functional requirements provide that only essential cookies shall be enabled until explicit consent is obtained for the use of any other cookies (“Default Settings-Enable only essential cookies by default until explicit consent is obtained for others.”). This indicates that only essential cookies operate without explicit consent, whereas the latter three categories (performance, analytics, and marketing cookies) require the explicit approval/consent of the user/Data Principal.

Whenever the user selects cookie preferences (accept all, decline all, or customize), the system shall validate the preferences and activate cookies accordingly. Furthermore, the system shall log the preferences, including a timestamp, for auditing purposes; these records are referred to as ‘Audit Logs.’

Actions pertaining to consent are documented in audit logs. The object of audit logs is described in paragraph 4.7.1, which states that they guarantee that all activities related to consent are documented in a tamper-proof manner. This offers an auditable history of all interactions for compliance with the DPDP Act. This is followed by the statement, “Each audit log entry must contain the following metadata.” Three of the mentioned metadata are relevant for tracking the user’s personal information:

The first is the Data Principal’s unique identifier, the second is the Initiator, which is the entity that started the action (in this case, the user), and the third is the Source IP, which is also referred to as the IP address of the device that started the action (the user’s device), which may be used to identify the person’s device or location.

The use of the word “must” herein indicates an imperative duty, creating a strict requirement that each audit log contain the unique ID and IP address, which in turn are traceable.
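The consent flow and audit-log requirement described above can be sketched as follows. This is an added example, not code from the BRDCM or the author; the function names, the field names and the SHA-256 hash chain used to make the log tamper-evident are assumptions made for illustration.

```python
import hashlib, json
from datetime import datetime, timezone

CATEGORIES = ("essential", "performance", "analytics", "marketing")
GENESIS = "0" * 64  # assumed anchor value for the first entry in the chain

def default_preferences():
    # Default setting: only essential cookies until explicit consent is given.
    return {c: c == "essential" for c in CATEGORIES}

def validate(choice, custom=None):
    """Map accept all / decline all / customize to a validated preference set."""
    if choice == "accept_all":
        return {c: True for c in CATEGORIES}
    if choice == "decline_all":
        return default_preferences()
    if choice != "customize":
        raise ValueError(f"unknown choice: {choice!r}")
    unknown = set(custom or {}) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unknown cookie categories: {sorted(unknown)}")
    prefs = default_preferences()
    for cat, value in (custom or {}).items():
        if cat != "essential":           # essential cookies stay enabled
            prefs[cat] = value is True   # anything but an explicit True is "no"
    return prefs

def _digest(entry, prev_hash):
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_entry(log, principal_id, initiator, source_ip, prefs, now=None):
    """Record a consent action with the metadata the article singles out."""
    entry = {
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "data_principal_id": principal_id,
        "initiator": initiator,
        "source_ip": source_ip,
        "preferences": prefs,
    }
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "prev_hash": prev, "hash": _digest(entry, prev)})
    return log[-1]

def verify_chain(log):
    """Return the index of the first altered entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev_hash"] != prev or rec["hash"] != _digest(rec["entry"], prev):
            return i
        prev = rec["hash"]
    return -1
```

A hash chain only makes later edits detectable; storing the latest hash outside the system that writes the log is what lets an auditor also notice entries removed from the end.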

Let’s say a website gathers IP addresses from visitors, and the owner of the website (a data fiduciary) can obtain personally identifiable information (PII), such as a person’s name and contact information, by requesting information from the internet service provider. Since IP addresses can be used to identify an individual, this suggests that IP addresses fall within the concept of “personal data.”

Each such cookie that collects data, as well as an IP address or any other online identifier captured through audit logs, collects information that, by itself or in combination with other information, relates to an identifiable individual. In the definition of personal data in Section 2(t), the expression “by or in relation to” is of determinative significance, as it extends the scope of identifiability beyond direct identification and encompasses relational linkage. Similarly, cookies, IP addresses and other online identifiers also contain data that relates to an identifiable individual, even if that data, on its own, cannot identify them. Therefore, upon a conjoint reading of Section 2(t) of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Business Requirement Document for Consent Management (“BRDCM”), particularly Clauses 4.2 and 4.7.1, it becomes evident that cookies and other online identifiers, when deployed within the prescribed consent management architecture, operate in a manner that satisfies the statutory threshold of “personal data.” Since cookies and IP addresses are precisely such “sequences” used to distinguish one user from another, they are functionally “identifiers” under the Digital Personal Data Protection Rules, 2025, as well. When combined with other data points, or even on their own in some cases, they can be linked back to an identifiable person.

Conclusion

Therefore, in essence, it is an established fact that although the DPDP Act does not specifically address cookies, it does so inadvertently through the provisions with respect to consent for data collection and processing. According to Section 6 of the DPDP Act of 2023, consent must be “free, specific, informed, unconditional, and unambiguous,” with a clear affirmative action taken by the data principal, and must be obtained beforehand or at the time of processing of personal data. As a result, any digital interface must identify the specific purposes for which it collects data, especially since cookies often act as the primary tool through which a user’s IP address and unique ID become traceable. Under this framework, non-essential cookies require a proactive opt-in from the user. However, essential cookies that are indispensable for a site to work, and the IP addresses they may capture for functional purposes, may qualify as a ‘legitimate use’ under Section 7, potentially exempting them from the requirement of explicit consent.

The DPDP Act 2023 has transitioned India toward a “relational” model of privacy. In this regime, cookies and IP addresses are not merely technical strings; they are the digital breadcrumbs that facilitate the “Notice and Consent” framework. By requiring explicit consent for non-essential cookies and mandating metadata in audit logs, the Indian regulatory framework aligns with global standards like the General Data Protection Regulation (GDPR), which recognizes that in a digital-first economy, the “individual” is increasingly defined by their online identifiers.

Keywords: Online identifiers, Personal data, Data Protection

***

Author: Maimuna Siddiqui is a 4th year B.A., LL.B. (Hons.) student at Faculty of Law, Aligarh Muslim University.
