DPDPA Consent Requirements — Complete Guide for Indian Businesses
Consent is the primary lawful basis for processing personal data under DPDPA 2023. Unlike GDPR, which provides six lawful bases, DPDPA is built around consent as the default mechanism, with "deemed consent" (Section 7) covering limited scenarios. This means most Indian businesses must obtain valid consent before processing any personal data.
What Consent Must Be Under Section 6(1)
Section 6(1) of DPDPA 2023 prescribes that consent must meet all five requirements simultaneously:
- Free — Consent must not be obtained through coercion, undue influence, or making a service conditional on consent for unrelated purposes. If access to a service is denied solely because the user refuses consent for data processing unrelated to that service, the consent is not free.
- Specific — Consent must be obtained for each distinct purpose of processing. A blanket consent covering multiple unrelated purposes is invalid. Each purpose must be separately and clearly identified.
- Informed — The Data Principal must understand what they are consenting to. This requires that a proper notice (under Section 5 and Rule 3) has been provided before consent is sought. Consent without adequate notice is not informed consent.
- Unconditional — Consent must not be tied to conditions, benefits, or threats. Offering discounts only if the user consents to marketing data use may render the consent conditional and therefore invalid.
- Unambiguous with a clear affirmative action — Consent requires a positive opt-in action. Silence, pre-ticked boxes, inactivity, or implied consent from continued use of a service do not constitute valid consent under DPDPA.
What Makes Consent Invalid
The following consent collection practices are invalid under DPDPA:
- Pre-ticked checkboxes — Any consent mechanism where the default state is "consented" and the user must take action to opt out is invalid. The user must actively opt in.
- Bundled consent — A single consent request that covers multiple unrelated purposes (e.g., "I agree to receive marketing emails and share my data with third parties") is invalid. Each purpose must be separately consented to.
- Vague or broad purposes — Purposes described as "improving services," "business purposes," or "as described in our privacy policy" without specific identification of what data is used for what purpose are invalid.
- Consent walls — Denying access to a service entirely because the user refuses consent for processing unrelated to that service renders the consent unfree.
- Buried consent — Consent embedded deep within terms of service or privacy policies without clear, separate presentation is likely invalid as it is not unambiguous.
- Consent obtained from children without parental verification — Any consent from a person under 18 without verifiable parental consent is invalid (Section 9, Rule 10).
Consent vs Cookie Consent — Why They Are Different
Many businesses confuse DPDPA consent with cookie consent banners common under ePrivacy/GDPR. Under DPDPA, the distinction is critical:
- DPDPA consent covers all processing of personal data — not just cookies. It applies to data collected through forms, APIs, phone calls, in-person interactions, and any other channel.
- Cookie-specific consent (as required under EU ePrivacy Directive) is about device storage access. India does not have a separate ePrivacy regulation, but cookies that collect personal data fall under DPDPA's consent requirements.
- Scope difference — A DPDPA consent notice must cover all personal data collected for all purposes. A cookie banner typically only addresses website tracking. Businesses need both a DPDPA-compliant consent mechanism for all data processing AND appropriate notice for any website cookies that constitute personal data.
- Legal basis difference — Under GDPR, cookies can rely on "legitimate interest" in some jurisdictions. DPDPA has no legitimate interest basis — cookies processing personal data require consent unless a Section 7 deemed consent exception applies.
What a Consent Notice Must Contain (Rule 3)
Rule 3 of the DPDPA Rules 2025 prescribes the mandatory contents of a consent notice. Before or at the time of seeking consent, the Data Fiduciary must provide a notice containing:
- Itemised description of personal data — Each category of personal data being collected must be separately identified (e.g., "full name," "email address," "device identifier") rather than vague categories.
- Purpose of processing — Each specific purpose for which data will be used must be clearly stated and linked to the data items being collected for that purpose.
- Contact details — The contact information of the Data Fiduciary or a designated representative for communication regarding data processing.
- How to exercise rights — Clear information on how the Data Principal can exercise their rights under Sections 11-14 (access, correction, erasure, nomination).
- How to file a complaint — Information on how to file a complaint with the Data Protection Board if the Data Principal is not satisfied with the Data Fiduciary's response to a grievance.
- How to withdraw consent — A clear mechanism for withdrawing consent, which must be as easy as giving consent.
- Language — The notice must be available in English or any of the 22 languages specified in the Eighth Schedule of the Constitution of India.
Withdrawal of Consent (Section 6(4))
Section 6(4) establishes that a Data Principal may withdraw consent at any time. Key rules for withdrawal:
- Ease of withdrawal — The mechanism for withdrawing consent must be as easy as the mechanism for giving consent. If consent was given with one click, withdrawal must also be achievable with one click.
- Effect of withdrawal — The Data Fiduciary must cease processing personal data for the withdrawn purpose within a reasonable period. Processing done before withdrawal remains lawful.
- Partial withdrawal — A Data Principal may withdraw consent for specific purposes while maintaining consent for others. The system must support granular withdrawal.
- Consequences disclosure — The Data Fiduciary must inform the Data Principal of the consequences of withdrawal before it takes effect (e.g., loss of service functionality).
- No retaliation — A Data Fiduciary must not deny core service access or impose penalties because a Data Principal withdrew consent for non-essential processing.
What Consent Records to Store and For How Long
DPDPA places the burden of proof on the Data Fiduciary — Section 6(10) states that the Data Fiduciary must be able to prove that notice was given and consent was obtained. This requires maintaining detailed records:
- What to record — Timestamp of consent, the exact notice version shown, the specific purposes consented to, the mechanism used (widget, form, in-person), and the identity of the Data Principal (hashed for security).
- Duration — Consent records must be retained for as long as the processing continues AND for a reasonable period after processing ceases, to defend against complaints. Given that the limitation period for filing complaints with the Board is not yet specified, retaining records for at least 3 years after the relationship ends is prudent.
- Immutability — Consent records should be append-only. Once a consent record is created, it must not be modified or deleted. Any withdrawal creates a new record; it does not modify the original consent record.
- Withdrawal records — Every withdrawal must also be recorded with the same level of detail: timestamp, purposes withdrawn, mechanism used, and the identity of the requester.
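The following is an added example, not code from the page or from any product it mentions, showing one way to implement the record-keeping rules above (append-only records, hashed identity, withdrawal as a new record) together with the granular withdrawal rule from Section 6(4): each record is hash-chained so later tampering is detectable, and the currently effective purposes are derived by replaying the log. It assumes a constructed per-deployment secret for keying the identity hash and uses only the Python standard library.

```python
import hashlib
import json

# Constructed deployment secret (assumption): keyed hashing stops a holder of the ledger
# from confirming a known e-mail address simply by hashing it themselves.
IDENTITY_SECRET = b"example-deployment-secret-change-me"

def hash_principal(identifier: str) -> str:
    """Pseudonymise the Data Principal identifier (e-mail, phone) before it is stored."""
    return hashlib.sha256(IDENTITY_SECRET + identifier.strip().lower().encode()).hexdigest()

class ConsentLedger:
    """Append-only log: a withdrawal is a new record superseding earlier consent, never an edit."""
    def __init__(self):
        self._records = []

    def append(self, event, principal, purposes, notice_version, mechanism, timestamp):
        """event is 'consent' or 'withdrawal'; returns the new record's proof hash."""
        record = {
            "event": event,
            "principal_hash": hash_principal(principal),
            "purposes": sorted(purposes),      # one entry per specific purpose
            "notice_version": notice_version,  # exact Rule 3 notice version shown
            "mechanism": mechanism,            # widget, form, in-person
            "timestamp": timestamp,            # ISO 8601, UTC
            "prev_hash": self._records[-1]["record_hash"] if self._records else "",
        }
        # Hash-chain the record: altering or dropping an earlier entry breaks every later hash.
        record["record_hash"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
        self._records.append(record)
        return record["record_hash"]

    def effective_purposes(self, principal):
        """Replay the log in order; the latest event for each purpose wins (granular withdrawal)."""
        wanted, active = hash_principal(principal), set()
        for r in self._records:
            if r["principal_hash"] == wanted:
                active = active | set(r["purposes"]) if r["event"] == "consent" else active - set(r["purposes"])
        return active

    def verify_chain(self):
        """Recompute every hash; False means a record was altered or removed from the middle.
        Loss of the newest record is caught only if the head hash is anchored outside the ledger."""
        prev = ""
        for r in self._records:
            body = {k: v for k, v in r.items() if k != "record_hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev_hash"] != prev or expected != r["record_hash"]:
                return False
            prev = r["record_hash"]
        return True
```

Persist the head hash (the last record's proof hash) somewhere the ledger writer cannot change, otherwise truncation of the newest records goes unnoticed.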
Children's Consent (Section 9, Rule 10)
DPDPA sets the age of consent for data processing at 18 years (higher than GDPR's 16 years or the US COPPA threshold of 13 years). Key requirements:
- Verifiable parental consent — Any processing of personal data of a child (under 18) requires verifiable consent from the parent or lawful guardian. The Data Fiduciary must make reasonable efforts to verify that consent is actually given by the parent.
- No tracking or behavioural monitoring — Processing that involves tracking, behavioural monitoring, or targeted advertising directed at children is prohibited unless specifically exempted by rules.
- No detrimental processing — Processing that is likely to cause significant harm to a child is prohibited regardless of parental consent.
- Identity verification — Rule 10 requires that the Data Fiduciary implement an appropriate mechanism to verify the identity of the parent or guardian providing consent.
- Disability considerations (Rule 11) — For persons with disabilities who have a lawful guardian, consent must be obtained from the guardian. The guardian's consent remains in effect even after the person turns 18 if the disability persists.
Deemed Consent (Section 7)
Section 7 provides ten scenarios where consent is "deemed" to have been given, meaning explicit consent is not required. These include:
- Processing for a purpose which the Data Principal has voluntarily provided data for and would reasonably expect
- Processing by the State for permits, licenses, benefits, or services
- Processing in compliance with a judgment or order of a court or tribunal
- Processing for medical emergencies or health services during epidemics
- Processing for safety and assistance during disasters
- Processing for employment purposes (employer processing employee data for salary, benefits, compliance)
- Processing in the public interest (aggregated data for research, public health monitoring)
- Processing for fair and reasonable purposes as may be prescribed
- Processing for recovery of debt owed to the State
- Processing by a Consent Manager on behalf of the Data Principal
Businesses should not over-rely on deemed consent. Most commercial data processing (marketing, analytics, profiling, sharing with third parties) does not fall within these exceptions and requires explicit consent.
Consent Manager Role (Rule 4)
A Consent Manager is a new intermediary role created by DPDPA. Key facts:
- Must be registered with the Data Protection Board
- Must be incorporated in India with a minimum net worth of Rs. 2 crore
- Acts as a single point of contact for Data Principals to manage all their consent relationships
- Enables Data Principals to view, give, and withdraw consent across multiple Data Fiduciaries through one interface
- As of May 2026, no Consent Managers have been formally registered by the Board
- Data Fiduciaries must integrate with registered Consent Managers once they become operational
How DPDPA Shield Handles Consent
DPDPA Shield is a purpose-built compliance platform that automates consent collection, storage, and management for Indian businesses. It provides a consent notice builder that generates Rule 3-compliant notices in all 22 scheduled languages, an embeddable SDK widget for website consent collection with purpose-level granularity, immutable consent records with SHA-256 proof hashes stored in a write-once vault, automated withdrawal mechanisms accessible through the same widget, version-tracked notices with re-consent campaign automation when material changes are detected, and children's data consent with verifiable parental verification via OTP.