Consent Under DPDPA
The DPDPA requires consent that is free, specific, informed, unconditional and unambiguous, signified by a clear affirmative action, before personal data is processed on the basis of consent. Pre-ticked checkboxes, consent bundled into terms and conditions, and agreement implied from browsing or from a past transaction are all invalid. This guide explains what valid consent looks like, how to design it, how to record it, and what you must do when a Data Principal withdraws it.
Consent is the primary legal basis for processing personal data under the DPDPA. Getting consent right is one of the most urgent and practical compliance tasks for Indian businesses, and an area where many Indian websites and apps still rely on patterns the Act rules out.
What Makes Consent Valid?
Under Section 6 of the DPDPA, consent must be:
- Free — Not coerced, manipulated, or made a condition of receiving a service that is unrelated to the data processing. You cannot force consent by blocking access to an unrelated service.
- Specific — Tied to a clearly defined, stated purpose. Vague purposes like "improving your experience" are not specific enough.
- Informed — Accompanied by a clear notice explaining what data is being collected, why, and how it will be used.
- Unconditional — Not bundled with consent for other unrelated purposes. Each purpose needs its own consent signal.
- Unambiguous — A clear, affirmative action — like ticking an unchecked box. Silence, inaction, or pre-ticked boxes do not qualify.
What Does NOT Count as Valid Consent?
These are the most common consent failures in Indian businesses today:
- Pre-ticked checkboxes — The user must actively opt in, not opt out
- "By using this website, you agree to our Privacy Policy" — Browsing a website is not an affirmative consent action
- Consent buried in Terms and Conditions — T&C is a contract, not a consent mechanism
- A single checkbox for multiple unrelated purposes — You cannot bundle marketing consent with service delivery consent
- Implied consent from a past transaction — A previous purchase does not authorise future marketing
- Consent obtained under social pressure or as a condition for an unrelated benefit
The Notice Requirement
Section 5 of the Act requires that every request for consent be preceded or accompanied by a notice that specifies:
- What personal data is being collected (itemised categories, not vague descriptions)
- The purpose for which it will be processed
- How the Data Principal can exercise their rights (access, correction, erasure, grievance redressal)
- How to withdraw consent and what happens when they do
- How to make a complaint to the Data Protection Board
The notice must be in plain language, understandable by a person with ordinary literacy rather than only by legal professionals, and the DPDP Rules, 2025 require it to be understandable on its own, without reference to other documents the Data Fiduciary provides. Section 6(3) of the Act also requires that the consent request give the Data Principal the option to access it in English or in any of the languages listed in the Eighth Schedule of the Constitution.
One Purpose, One Consent
Each distinct processing purpose requires a separate, specific consent. This is one of the most operationally significant requirements of DPDPA:
- Consent to process a purchase order ≠ consent to send promotional emails
- Consent to deliver a service ≠ consent to share data with marketing partners
- Consent to contact about an enquiry ≠ consent to add to a newsletter list
- Consent for employee payroll processing ≠ consent for employee data use in HR analytics
On a practical level, this means a website contact form, checkout page, or HR onboarding form may need multiple separate checkboxes — one per distinct purpose.
Deemed Consent — When Consent Is Not Required
The DPDPA recognises that some processing is legitimate without explicit consent. Section 7 lists "certain legitimate uses" (often called deemed consent) including:
- State functions — processing by the government for specified public purposes
- Legal proceedings and compliance — where processing is required by a court or law
- Medical emergencies — where the Data Principal cannot give consent and processing is necessary to protect their life
- Employment contexts — limited processing by employers for purposes directly related to employment
- Voluntarily provided data — data the Data Principal has given for a specified purpose without indicating that they object to its use for that purpose (the Act's own illustration is a pharmacy sending a purchase receipt to the mobile number a customer gave it)
Personal data that the Data Principal has made publicly available is a different case: under Section 3 it falls outside the Act altogether rather than being a Section 7 legitimate use. For most commercial businesses, the legitimate uses cover only narrow, specific situations. Do not treat them as a general bypass for obtaining consent.
Withdrawal of Consent
Individuals can withdraw consent at any time. This is a fundamental right under Section 6(4), which also requires that withdrawing be as easy as consenting was. When consent is withdrawn:
- You must stop processing the data for that specific purpose within a reasonable time, and you must make any Data Processors working for you stop as well
- The withdrawal must be as easy as giving consent — if consent took one click, withdrawal must also take one click
- You must honour withdrawal requests promptly
- Withdrawal does not affect the lawfulness of processing done before the withdrawal
- You may continue to process only what another law requires or authorises you to retain (for example, transaction records kept for tax purposes); that processing no longer rests on consent
Practically, this means your systems need a working withdrawal mechanism — an unsubscribe link, an account settings page, or a contact channel — and that withdrawal must actually trigger a stop in the relevant processing, including downstream processors, not just remove an email from a list. Withdrawal is per purpose: withdrawing marketing consent does not, by itself, touch consent given for a different purpose.
How to Record and Store Consent
Recording consent is not just good practice under the DPDPA. Section 6(10) places the burden on the Data Fiduciary to prove, in any proceeding, that notice was given and consent obtained in accordance with the Act, so the record is your evidence if a complaint is filed. For every consent collected, record:
- Who gave consent — an identifier for the Data Principal
- What they consented to — exactly one specific purpose per record
- When consent was given — a timestamp
- How it was given — the mechanism (checkbox, form, voice recording)
- What notice was shown — the version or text of the privacy notice presented at the time
- Whether and when it was withdrawn — the withdrawal event, recorded alongside the grant rather than by deleting it
If a Data Principal later disputes that they gave consent, this record is your defence. Store consent logs securely, append-only and tamper-evident so a disputed entry cannot be questioned as edited after the fact, and make them queryable by Data Principal, purpose and point in time — you may need to show that a particular message was sent while consent was still in force, or produce the log in response to a rights request or a Board inquiry.
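The following is an added example, not code from the original page or from any particular product. It shows one way to implement the three operational points above in a single consent ledger: one record per Data Principal and purpose, rejection of bundled or non-affirmative consent, per-purpose withdrawal that leaves earlier processing lawful, and an append-only, hash-chained log that can be produced as evidence. The purpose registry, identifiers and sample timestamps are constructed for the illustration.

```python
"""Consent ledger: one record per (Data Principal, purpose), append-only,
hash-chained so the log can be produced as evidence. Added example, not
from the original page; all names and sample data are constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

# Hypothetical registry of specified purposes. Each consent signal must name
# exactly one of these; bundled or free-text purposes are rejected.
SPECIFIED_PURPOSES = {
    "contact_enquiry_reply",
    "newsletter",
    "marketing_whatsapp",
    "share_with_marketing_partners",
}

GENESIS = "0" * 64  # prev_hash of the first event


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str    # who
    purpose: str         # what: exactly one purpose
    action: str          # "granted" | "withdrawn"
    mechanism: str       # how: "checkbox", "settings_toggle", "unsubscribe_link", ...
    notice_version: str  # which notice text was shown at the time
    timestamp: str       # when: ISO-8601 with UTC offset
    prev_hash: str       # hash of the previous event (tamper evidence)
    hash: str            # SHA-256 over all fields above


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def _digest(fields: dict) -> str:
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _append(self, **fields) -> ConsentEvent:
        fields["prev_hash"] = self._events[-1].hash if self._events else GENESIS
        ev = ConsentEvent(**fields, hash=_digest(fields))
        self._events.append(ev)
        return ev

    def _latest(self, principal_id: str, purpose: str,
                at: Optional[str] = None) -> Optional[ConsentEvent]:
        cutoff = datetime.fromisoformat(at) if at else None
        hits = [e for e in self._events
                if e.principal_id == principal_id and e.purpose == purpose
                and (cutoff is None or datetime.fromisoformat(e.timestamp) <= cutoff)]
        return hits[-1] if hits else None

    def grant(self, principal_id: str, purpose: str, mechanism: str,
              notice_version: str, *, affirmative_action: bool,
              timestamp: Optional[str] = None) -> ConsentEvent:
        # Silence, inaction or a pre-ticked box is not consent: the caller must
        # assert that the principal actively opted in.
        if not affirmative_action:
            raise ValueError("no clear affirmative action; consent not recorded")
        if purpose not in SPECIFIED_PURPOSES:
            raise ValueError(f"purpose {purpose!r} is not a single specified purpose")
        return self._append(principal_id=principal_id, purpose=purpose, action="granted",
                            mechanism=mechanism, notice_version=notice_version,
                            timestamp=timestamp or _now())

    def withdraw(self, principal_id: str, purpose: str, mechanism: str,
                 timestamp: Optional[str] = None) -> ConsentEvent:
        # Withdrawal is per purpose; other purposes are untouched. The grant is
        # never deleted, so the record still proves earlier processing was lawful.
        if not self.is_permitted(principal_id, purpose):
            raise ValueError("nothing to withdraw: no active consent for this purpose")
        return self._append(principal_id=principal_id, purpose=purpose, action="withdrawn",
                            mechanism=mechanism,
                            notice_version=self._latest(principal_id, purpose).notice_version,
                            timestamp=timestamp or _now())

    def is_permitted(self, principal_id: str, purpose: str,
                     at: Optional[str] = None) -> bool:
        # Point-in-time query: True before a withdrawal, False after it.
        latest = self._latest(principal_id, purpose, at)
        return latest is not None and latest.action == "granted"

    def evidence(self, principal_id: str, purpose: str) -> list[dict]:
        # Everything you would produce if the principal disputes consent.
        return [asdict(e) for e in self._events
                if e.principal_id == principal_id and e.purpose == purpose]

    def verify(self) -> bool:
        # Recompute the chain; an edited or deleted record breaks it.
        prev = GENESIS
        for e in self._events:
            fields = asdict(e)
            stored = fields.pop("hash")
            if fields["prev_hash"] != prev or _digest(fields) != stored:
                return False
            prev = stored
        return True


def demo() -> dict:
    """Constructed walk-through: a contact form with two checkboxes, then an unsubscribe."""
    ledger = ConsentLedger()
    ledger.grant("dp-1001", "contact_enquiry_reply", "checkbox", "notice-v3",
                 affirmative_action=True, timestamp="2025-11-20T10:00:00+00:00")
    ledger.grant("dp-1001", "newsletter", "checkbox", "notice-v3",
                 affirmative_action=True, timestamp="2025-11-20T10:00:05+00:00")
    ledger.withdraw("dp-1001", "newsletter", "unsubscribe_link",
                    timestamp="2025-12-01T09:00:00+00:00")
    try:  # a pre-ticked WhatsApp box the user never touched
        ledger.grant("dp-1001", "marketing_whatsapp", "checkbox", "notice-v3",
                     affirmative_action=False)
        pre_ticked_rejected = False
    except ValueError:
        pre_ticked_rejected = True
    try:  # one checkbox trying to cover two purposes
        ledger.grant("dp-1001", "newsletter,share_with_marketing_partners", "checkbox",
                     "notice-v3", affirmative_action=True)
        bundled_rejected = False
    except ValueError:
        bundled_rejected = True
    return {
        "newsletter_before_withdrawal": ledger.is_permitted(
            "dp-1001", "newsletter", at="2025-11-25T00:00:00+00:00"),
        "newsletter_now": ledger.is_permitted("dp-1001", "newsletter"),
        "enquiry_unaffected": ledger.is_permitted("dp-1001", "contact_enquiry_reply"),
        "pre_ticked_rejected": pre_ticked_rejected,
        "bundled_rejected": bundled_rejected,
        "evidence_records": len(ledger.evidence("dp-1001", "newsletter")),
        "chain_intact": ledger.verify(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `at` parameter on `is_permitted` is what lets you answer "was this email lawful when it was sent?" after a withdrawal, and `evidence` returns both the grant and the withdrawal because neither is ever deleted. In a real deployment the ledger would be persisted to append-only storage and the chain head anchored somewhere outside the application's write path; the in-memory list here is only to keep the example self-contained.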
Consent in Different Business Contexts
Website forms (lead generation, newsletter, contact): Use separate, unchecked checkboxes. Place a brief notice above the form. Include a link to your full Privacy Notice.
E-commerce checkout: Processing the data needed to fulfil the order (name, address, payment, contact details) falls under Section 7(a) — the customer has voluntarily provided it for that specified purpose — so no separate consent checkbox is required for fulfilment. Consent to send marketing emails is a different purpose and must be explicitly obtained with its own unchecked box.
HR and recruitment: Employee data for payroll, attendance, and contract management may fall under deemed consent for employment purposes. But using employee data for analytics or sharing with third parties requires explicit consent.
WhatsApp and SMS marketing: These are direct marketing channels. Consent must be specific to communications via these channels and cannot be derived from an earlier, unrelated interaction.
Practical Consent Checklist
Before your next form or data collection point goes live, check:
- [ ] Every consent checkbox starts unchecked
- [ ] Each checkbox covers exactly one purpose
- [ ] A plain-language notice is visible near the consent point
- [ ] There is a clear link to the full Privacy Notice
- [ ] A withdrawal mechanism exists and is tested
- [ ] Consent records are being logged with timestamp and notice version
- [ ] No consent is buried in Terms and Conditions
Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.
This page is for educational purposes and does not constitute legal advice.