ℹ️

Editor's note: This briefing was originally published before the DPDP Rules, 2025 were notified. It has been reviewed and updated in March 2026 to reflect the notified Rules and phased implementation.

Consent ManagementFeatured

DPDPA Consent Notice Requirements: What Your Forms Must Say From Day One

15 March 20255 min read·DPDPA Editorial Team

Recruitment & StaffingCA FirmsTraining InstitutesD2C Brands

Why this matters for your business

Your consent notice is the first place many businesses will fail DPDPA in practice. If your form does not clearly explain what data you collect, why you collect it, and what the person is agreeing to, your consent process is already weak. This briefing explains what your forms must say from day one. Most Indian business websites currently bundle consent into Terms and Conditions, which the DPDPA explicitly prohibits. If your sign-up form, enquiry form, or checkout page uses pre-checked boxes or bundled consent language, you are operating outside the framework of the Act. Rectifying this during the phased implementation window is significantly easier than retrofitting it under active regulatory scrutiny.

What does this mean for YOUR business?

Businesses collecting personal data through websites, apps, or offline forms must redesign their consent flows. This affects customer acquisition, CRM onboarding, newsletter subscriptions, lead generation forms, and employee data collection. Penalties for non-compliant consent can reach up to ₹250 crore per instance of non-compliance.

Plain-English Summary

Under Section 6 of the Digital Personal Data Protection Act, 2023, every Data Fiduciary must provide a 'notice' to the Data Principal before or at the time of collecting personal data. This notice must be itemised, clear, and in plain language. It must specify exactly what data is being collected, the purpose for which it is being processed, and how the individual can exercise their rights. Crucially, consent must be free, specific, informed, unconditional, and unambiguous — meaning each distinct purpose requires a separate consent signal. You cannot combine marketing consent with transaction processing consent in the same checkbox.

Who Is Affected

Any business with an online presence collecting customer or lead data
HR teams processing job applications and candidate information
Educational institutions collecting student and parent contact details
E-commerce brands running email, SMS, or WhatsApp marketing
CA firms processing client data for tax, audit, or payroll services

3 things you can do this week

Audit every form on your website and mobile app for consent language

Remove pre-checked consent boxes immediately

Separate marketing consent from service delivery consent

Add a purpose statement to each consent item

Link to your Privacy Notice from every consent point

Log consent with timestamp, IP, and privacy notice version

Test your consent withdrawal mechanism works end-to-end

Free — takes 3 minutes

Is YOUR business ready for DPDPA?

Answer a few simple questions. Get your free Readiness Score — sent to your email or WhatsApp.

Check My Readiness →

Disclaimer: This briefing is for educational purposes only and does not constitute formal legal advice. Consult a qualified data protection lawyer for formal legal opinions specific to your business.

Free checkCheck your readinessGet your free Readiness Score →Free resourceDownload white paperComplete DPDPA guide — 45 pages →

Related Briefings

Sector Specific

Recruitment Agencies: Your CV Database Is Now a Regulated Data Asset

14 Mar 2025

Regulatory Update

Data Breach Notification Under DPDPA: Timeline, Scope, and What Businesses Must Do

11 Mar 2025

Data Rights

Rights of Data Principals Under DPDPA: What Individuals Can Demand and How Businesses Must Respond

9 Mar 2025

Industries Affected

Recruitment & StaffingCA FirmsTraining InstitutesD2C Brands

Is your business DPDPA-ready?

Take our free 10-minute industry assessment to find out your compliance risk level.

Take Free Assessment →

Get daily briefings by email

2-min reads, plain English, every morning. Free forever.