Consent Management Under the DPDP Act: What Indian Businesses Must Implement

The DPDP Act 2023 makes consent the legal foundation for data processing. This is what valid consent requires, how withdrawal works, and what your systems must support.

The DPDP Act 2023 establishes consent as the primary lawful basis for processing personal data in India. Section 6 of the Act mandates that no Data Fiduciary may process the personal data of a Data Principal without obtaining valid consent, except in specific circumstances defined by law.

This is not a suggestion. It is a statutory requirement with penalties reaching ₹250 crore for violations. Every Indian business that collects customer data must build consent management into its operational infrastructure.

The Act defines consent with precision. A consent request must satisfy all of the following conditions to be legally valid:

  • Free: The Data Principal must not be coerced, pressured, or denied a service for refusing consent. Bundled consent (accept all or get nothing) does not meet this standard.
  • Specific: Consent must be tied to a defined purpose. Blanket consent covering “all future uses” is not valid.
  • Informed: The Data Principal must be told what data will be collected, why it will be processed, and who will process it. Vague descriptions do not qualify.
  • Unconditional: Consent cannot be tied to conditions unrelated to the data processing purpose.
  • Clear and plain language: The consent notice must be written in language the Data Principal can reasonably understand. Legal jargon buried in a terms-of-service document does not satisfy this requirement.

Section 6(1) of the DPDP Act states: “The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose.”

If your current consent mechanism fails any of these criteria, it is non-compliant. The Data Protection Board will not distinguish between absent consent and defective consent.

The Act does not mandate a specific technical implementation. It mandates outcomes. Your consent collection system must:

  1. Present a clear consent notice before or at the point of data collection. The notice must state the categories of data being collected and the purpose for each category.
  2. Capture an affirmative action from the Data Principal. Pre-ticked boxes, silence, and inactivity do not constitute consent. The individual must actively agree.
  3. Separate consent by purpose. If you collect data for order fulfilment and for marketing, those are two distinct purposes requiring two distinct consent actions.
  4. Support multiple languages. India’s linguistic diversity means consent notices may need to be available in the languages specified by the Central Government through rules under the Act.

The Act applies retroactively to data collected before its enforcement date. If you hold personal data collected under previous consent mechanisms (or no mechanism at all), you must obtain fresh consent that meets the DPDP standard. The Act provides a transitional window, but the obligation is absolute.

Section 6(4) of the Act grants every Data Principal the right to withdraw consent at any time. The withdrawal process must be as straightforward as the consent process itself.

This means:

  • If consent was given through a single click, withdrawal must be achievable through a comparable action. A withdrawal process that requires sending a physical letter or navigating five support screens is non-compliant.
  • Withdrawal must be honoured immediately. Once consent is withdrawn, all processing based on that consent must stop. Data collected under the withdrawn consent must be deleted unless retention is required by another law.
  • Consequences must be communicated. Before processing the withdrawal, you must inform the Data Principal of any consequences (for example, loss of access to a personalised service). But you may not use those consequences to discourage withdrawal.

Businesses that make consent easy to give and difficult to withdraw will face enforcement action. The Act is explicit on this point.

Record-Keeping Requirements

The Act requires Data Fiduciaries to maintain demonstrable proof of consent. This includes:

  • What consent was given for (the specific purpose)
  • When consent was obtained (timestamp)
  • How consent was captured (the mechanism and notice presented)
  • Whether consent has been withdrawn, and when

These records form the foundation of your compliance posture. When the Data Protection Board investigates a complaint, the first question will be: “Show us the consent record.” If you cannot produce it, you are presumed non-compliant.

Consent records must be tamper-proof. A database entry that can be edited after the fact does not constitute a reliable audit trail. Timestamped, immutable records are the operational standard.

The DPDP Act introduces the concept of a Consent Manager, a registered intermediary that helps Data Principals manage their consent across multiple Data Fiduciaries. Consent Managers must be registered with the Data Protection Board and meet technical and operational standards set by the government.

For businesses, this means your consent infrastructure must eventually support interoperability with registered Consent Managers. Your consent APIs must be capable of receiving and processing consent instructions from authorised third parties, not just from your own interfaces.

What Your Systems Must Support

Based on the Act’s requirements, every Data Fiduciary needs infrastructure that handles:

  1. Consent capture with purpose-specific granularity
  2. Consent storage with cryptographic integrity and timestamps
  3. Consent withdrawal with immediate effect on data processing
  4. Audit trail generation for regulatory inspection
  5. Rights fulfilment triggered by consent state changes (deletion on withdrawal)
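
As an added illustration (not code from this article or from ConsentOS), the Python sketch below shows one way to satisfy points 1 to 5 together with the tamper-proof record requirement: an append-only, hash-chained ledger in which every grant and every withdrawal is a separate, purpose-specific record, and any after-the-fact edit breaks verification. The field names, purpose labels and identifiers are assumptions, not terms from the Act.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the very first record

def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys) so identical fields always hash identically.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentLedger:
    """Append-only, hash-chained log of purpose-specific consent events (hypothetical schema)."""

    def __init__(self):
        self.records: list[dict] = []

    def _append(self, principal_id, purpose, action, mechanism, notice_version, ts):
        body = {
            "seq": len(self.records), "principal_id": principal_id,
            "ts": ts or datetime.now(timezone.utc).isoformat(),   # when
            "purpose": purpose, "action": action,                   # what for; grant/withdraw
            "mechanism": mechanism, "notice_version": notice_version,  # how; which notice shown
            "prev_hash": self.records[-1]["hash"] if self.records else GENESIS,
        }
        record = dict(body, hash=_digest(body))  # hash covers every field above
        self.records.append(record)
        return record

    def grant(self, principal_id, purpose, mechanism, notice_version, ts=None):
        return self._append(principal_id, purpose, "grant", mechanism, notice_version, ts)

    def withdraw(self, principal_id, purpose, mechanism, ts=None):
        # Withdrawal is appended as a new record, never an edit of the original grant.
        return self._append(principal_id, purpose, "withdraw", mechanism, None, ts)

    def is_active(self, principal_id, purpose) -> bool:
        # The latest record for this (principal, purpose) pair decides; never granted = not active.
        active = False
        for r in self.records:
            if r["principal_id"] == principal_id and r["purpose"] == purpose:
                active = r["action"] == "grant"
        return active

    def verify(self) -> bool:
        # Recompute each record's hash and check its link to the predecessor.
        prev = GENESIS
        for r in self.records:
            body = {k: v for k, v in r.items() if k != "hash"}
            if r["prev_hash"] != prev or _digest(body) != r["hash"]:
                return False
            prev = r["hash"]
        return True
```

Processing code would gate each purpose on `is_active()`, so a withdrawal takes effect on the next check, and `verify()` can be run before handing the records to an auditor.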

Building this from scratch for every application is expensive and error-prone. The compliance window closes in November 2026. The DPDP compliance checklist provides a structured approach to identifying gaps before the deadline.

ConsentOS provides the operational framework for DPDP-compliant consent management. Start with the free DPDP Gap Assessment to understand where your current consent processes fall short, and receive a prioritised action plan for closing those gaps.