DPDP Fundamentals · 5 min read

DPDP Act Consent Requirements: What Valid Consent Actually Looks Like in Practice

The Foundation of Everything

Every data privacy law rests on a central principle. Under the DPDP Act, 2023, that principle is consent.

Not implied consent. Not assumed consent. Not the kind of consent buried three screens deep in a privacy policy that opens with a request to agree to 47 pages of legalese.

Explicit, informed, specific consent — obtained before you collect a single byte of personal data.

If your consent mechanisms do not meet the standard set by the Act and the DPDP Rules 2025, everything built on top of them — your data collection, your processing, your marketing — rests on an unlawful foundation.

What Valid Consent Requires

The Act sets four conditions. All four must be met. Not three of four.

Free. The individual must have a genuine choice. Consent obtained by making it a condition of using your service — where refusing consent means no access — is not free consent under the Act.

Specific. Consent must be tied to a clearly stated, specific purpose. Collecting data to send order confirmations requires specific consent for that purpose. Using the same data to send marketing communications requires separate, specific consent for that second purpose.

Informed. The person must understand what they are agreeing to before they agree — not by reading a document they were never expected to read, but through a clear, accessible notice presented at the point of collection.

Unambiguous. A positive, affirmative action is required. Pre-ticked boxes do not count. Continuing to browse your website does not count. Silence does not count.

The Notice Requirement — Now Specified in the Rules

Before collecting data, you must give the individual a notice. The Rules specify exactly what this notice must contain.

It must be itemised — each category of data and its corresponding purpose listed separately. Not a general description of your data practices. A specific, itemised list.

It must be in plain, simple language — written for the person reading it, not for a lawyer reviewing it.

It must be available in Eighth Schedule languages. This is now a legal requirement, not a future consideration. If your users operate in regional languages, your notice must be accessible in those languages.

And it must be presented accessibly — not linked from a footer, not collapsed inside an accordion, not attached to a 60-page terms document.

Withdrawing Consent

This is where most businesses are most underprepared — and most exposed.

The Act is explicit: withdrawing consent must be as easy as giving it. One click to opt in, one click to opt out. A user who wants to withdraw consent cannot be required to email a human, wait three business days, or navigate through five menus.

Once consent is withdrawn, you must stop processing that individual's data. Promptly. And before you delete their data, you must notify them — at least 48 hours in advance, as specified in the Rules.

When Consent Is Not Required

The Act recognises limited situations — called legitimate uses — where processing is permitted without consent. These include compliance with legal obligations, medical emergencies, and certain employment-related processing.

These exceptions are narrow. If you run a private business with a direct customer relationship, they are unlikely to apply to your core data operations. Do not design your compliance programme around them.

Children's Data — A Different Standard Entirely

If your platform can reasonably be accessed by anyone under 18, the rules are significantly stricter.

Processing personal data of individuals under 18 requires verifiable consent from a parent or guardian — not the child. The Rules specify that verification cannot rely solely on self-declaration.

You are also prohibited from processing children's data in ways likely to cause harm to their wellbeing, and from any form of behavioural monitoring or tracking of minors.

Some categories are exempt from the parental consent requirement — healthcare professionals, educational institutions, and certain government functions. For everyone else, the standard applies without exception.

The penalty for non-compliance: up to ₹200 crore.

The Mistakes Businesses Are Already Making

Cookie banners that declare consent. A banner that says "by continuing, you agree to our use of cookies" is not a consent mechanism. It is a statement. The Act requires an affirmative action.

Bundled consent. One checkbox covering ten different data uses is not specific consent. Each distinct purpose needs separate consent.

Non-itemised notices. A general privacy policy is not a valid notice under the Rules. The itemisation requirement is new, specific, and non-negotiable.

No withdrawal path. If a user cannot easily find and use an opt-out mechanism, you are non-compliant from the moment they consented.

English-only notices. If your users operate in regional languages and your consent notice exists only in English, you have a language compliance gap that needs to be addressed before March 2027.
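The following is an added illustration, not code from DPDPsecured or from the article. It models a purpose-scoped consent ledger that enforces the parts of the standard above that a system can actually check: consent is recorded only on an affirmative action, only for purposes that appeared in the itemised notice, one record per purpose (so nothing is bundled or pre-ticked), withdrawal is a single call with no preconditions, the processing gate refuses once consent is absent or withdrawn, and a withdrawal fixes the earliest permitted deletion time 48 hours out. Whether a given purpose is genuinely "free" or a notice genuinely "informed" is a legal judgement and is not modelled. The purpose names, the NoticeItem structure and the language tags are assumptions made for the example.

```python
"""Purpose-scoped consent ledger (illustrative; not DPDPsecured's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class NoticeItem:
    """One line of an itemised notice: a data category, its single purpose,
    and the language the line was shown in (assumed fields)."""
    data_category: str   # e.g. "email address"
    purpose: str         # exactly one purpose per item
    language: str        # language tag the notice was presented in


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    notice: NoticeItem           # the notice line this consent answers
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None

    @property
    def earliest_deletion_at(self) -> Optional[datetime]:
        # Data may not be deleted until 48 hours after the withdrawal notice.
        if self.withdrawn_at is None:
            return None
        return self.withdrawn_at + timedelta(hours=48)


class ConsentError(ValueError):
    """Raised when an attempt to record consent fails the standard."""


class ConsentLedger:
    def __init__(self) -> None:
        # Keyed by (principal, purpose): consent is never shared across purposes.
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}
        # Append-only trail of (principal, purpose, event, time) for audit.
        self.audit: List[Tuple[str, str, str, datetime]] = []

    def give(self, principal_id: str, notice_items: Iterable[NoticeItem],
             affirmed_purposes: Iterable[str], affirmative_action: bool) -> None:
        """Record consent for exactly the purposes the principal chose.

        affirmative_action is False for "by continuing you agree" banners,
        silence, or a default-ticked box; those are rejected. Purposes in the
        notice that the principal did not affirm are simply not recorded.
        """
        if not affirmative_action:
            raise ConsentError("consent requires a positive affirmative action")
        noticed = {item.purpose: item for item in notice_items}
        purposes = list(affirmed_purposes)
        for purpose in purposes:
            # Informed: one cannot consent to a purpose the notice never listed.
            if purpose not in noticed:
                raise ConsentError(f"purpose {purpose!r} was not in the notice")
        now = datetime.now(timezone.utc)
        for purpose in purposes:
            self._records[(principal_id, purpose)] = ConsentRecord(
                principal_id, purpose, noticed[purpose], now)
            self.audit.append((principal_id, purpose, "given", now))

    def withdraw(self, principal_id: str, purpose: str) -> bool:
        """Single step, no preconditions: as easy as giving. Returns False if
        there was no active consent to withdraw."""
        rec = self._records.get((principal_id, purpose))
        if rec is None or not rec.active:
            return False
        rec.withdrawn_at = datetime.now(timezone.utc)
        self.audit.append((principal_id, purpose, "withdrawn", rec.withdrawn_at))
        return True

    def may_process(self, principal_id: str, purpose: str) -> bool:
        """The gate every processing path must pass through for this purpose."""
        rec = self._records.get((principal_id, purpose))
        return rec is not None and rec.active

    def record(self, principal_id: str, purpose: str) -> Optional[ConsentRecord]:
        return self._records.get((principal_id, purpose))


if __name__ == "__main__":
    # Constructed sample: one itemised notice with two separate purposes.
    notice = [NoticeItem("email address", "order_confirmations", "hi"),
              NoticeItem("email address", "marketing", "hi")]
    ledger = ConsentLedger()
    ledger.give("user-1", notice, ["order_confirmations"], affirmative_action=True)
    print(ledger.may_process("user-1", "order_confirmations"))  # True
    print(ledger.may_process("user-1", "marketing"))            # False: never affirmed
    ledger.withdraw("user-1", "order_confirmations")
    print(ledger.may_process("user-1", "order_confirmations"))  # False after withdrawal
```

The point of keying the ledger by (principal, purpose) rather than by principal alone is that it makes bundled consent unrepresentable: a marketing send cannot reuse a record created for order confirmations, because no such record exists unless the user affirmed that purpose separately.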

What to Do

Go through every point at which your business collects personal data — website forms, checkout flows, app sign-ups, newsletter subscriptions, HR onboarding documents — and ask: is there a clear, itemised notice? Is there an affirmative consent action? Is there a visible, easy withdrawal mechanism?

Then apply the Rules standard: is the notice itemised? Is it available in the relevant scheduled languages for your user base? Is withdrawal genuinely as easy as consent?

Where the answer to any of those is no, rebuild it. The full compliance deadline is March 2027. The time to start is now.

The Bottom Line

Consent is not a compliance checkbox. It is the legal foundation on which your entire data operation rests.

Build it properly and you have a defensible position with the regulator and a trustworthy relationship with your users. Build it poorly and every data collection point in your business is a liability.

Published by DPDPsecured — compliance intelligence for Indian businesses.