This study investigates Indian internet users’ awareness, attitudes, and concerns regarding cookie banners, online privacy, and key provisions of the Digital Personal Data Protection Act (DPDPA)—notably government exemptions and consent mechanisms—during its initial implementation phase. Employing a mixed-methods design, it administered an anonymous survey to 428 users and conducted thematic coding of 143 open-ended responses. The study provides the first empirical evidence of a pronounced gap between users’ stated privacy concerns and actual behavioral practices, identifying deep public distrust in governmental data powers as a central determinant of privacy stance. It further innovatively reveals how the DPDPA’s accountability exemptions and proceduralized consent framework exacerbate legitimacy anxieties. Based on these findings, the study proposes user-centered policy refinements: enhancing transparency, redesigning consent as a dynamic, context-aware mechanism, and institutionalizing regulatory checks and balances.

With the rapid increase in online interactions, concerns over data privacy and transparency of data processing practices have become more pronounced. While regulations like the GDPR have driven the widespread adoption of cookie banners in the EU, India's Digital Personal Data Protection Act (DPDPA) promises similar changes domestically, aiming to introduce a framework for data protection. However, certain clauses within the DPDPA raise concerns about potential infringements on user privacy, given the exemptions for government accountability and user consent requirements. In this study, for the first time, we explore Indian Internet users' awareness and perceptions of cookie banners, online privacy, and privacy regulations, especially in light of the newly passed DPDPA. We conducted an online anonymous survey with 428 Indian participants, which addressed: (1) users' perspectives on cookie banners, (2) their attitudes towards online privacy and privacy regulations, and (3) their acceptance of 10 contentious DPDPA clauses that favor state authorities and may enable surveillance. Our findings reveal that privacy-conscious users often lack consistent awareness of privacy mechanisms, and their concerns do not always lead to protective actions. Our thematic analysis of 143 open ended responses shows that users' privacy and data protection concerns are rooted in skepticism towards the government, shaping their perceptions of the DPDPA and fueling demands for policy revisions. Our study highlights the need for clearer communication regarding the DPDPA, user-centric consent mechanisms, and policy refinements to enhance data privacy practices in India.