DPDP Rules 2025 are now in effect. How ready is your business? Most Indian companies don't know yet.Find out in 10 minutes — free →
SaralPrivacy emblem
DPDPA Guide

Consent Under DPDPA

What valid consent looks like and how to collect it correctly.

Consent is the primary legal basis for processing personal data under the DPDPA. Getting consent right is one of the most urgent and practical compliance tasks for Indian businesses.

What Makes Consent Valid?

Under Section 6 of the DPDPA, consent must be:

  • Free — Not coerced, manipulated, or made a condition of service where the service is unrelated to the data processing
  • Specific — Tied to a defined, stated purpose
  • Informed — Accompanied by a clear notice explaining what data is being collected and why
  • Unconditional — Not bundled with consent for other unrelated purposes
  • Unambiguous — A clear affirmative action (like checking a box), not silence or inaction

What Does NOT Count as Valid Consent?

  • Pre-ticked checkboxes
  • "By using this website, you agree to our Privacy Policy"
  • Buried consent in Terms and Conditions
  • A single checkbox for multiple unrelated purposes
  • Implied consent from a past transaction

The Notice Requirement

Every consent must be preceded or accompanied by a notice that specifies:

  • What personal data is being collected
  • The purpose for which it will be processed
  • How the Data Principal can exercise their rights
  • How to withdraw consent

One Purpose, One Consent

Each distinct processing purpose requires separate, specific consent. For example:

  • Consent to process an order ≠ consent to send marketing emails
  • Consent to deliver a service ≠ consent to share data with partners
  • Consent to contact about an enquiry ≠ consent to call about products

Withdrawal of Consent

Individuals can withdraw consent at any time. When consent is withdrawn:

  • You must stop processing the data for that purpose
  • Withdrawal should be as easy as giving consent
  • You must honour withdrawal requests promptly (within the prescribed period)

Practical Design Principles

  • Use separate, unchecked checkboxes for each consent purpose
  • Place consent notices immediately next to each checkbox
  • Write in plain language — not legalese
  • Link to your full Privacy Notice
  • Record and timestamp each consent given
  • Store the version of consent text shown to the user
  • Test your withdrawal mechanism regularly

When Is Consent Not Required?

The DPDPA allows processing without consent for specific purposes including:

  • State functions and legal obligations
  • Employer-employee data in certain circumstances (limited)
  • Medical emergencies and certain public interest purposes

However, for most commercial data processing, consent is the primary and safest legal basis.

Last reviewed: March 2026

Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.

This page is for educational purposes and does not constitute legal advice.

Educational content only. This guide is for educational purposes and does not constitute legal advice. Please consult a qualified data protection lawyer for formal legal opinions specific to your business situation.
Key TermsNotice Requirements