Consent (Data Protection) is the free, specific, informed, unconditional, and unambiguous indication of a data principal's wishes, signifying agreement to the processing of their personal data for a specified purpose. Under Indian law, consent is the primary lawful basis for processing personal data, governed by Section 6 of the Digital Personal Data Protection Act, 2023, which mandates that consent be given through a clear affirmative action and be as easy to withdraw as it was to give.
Legal definition
The Digital Personal Data Protection Act, 2023 establishes a detailed consent framework:
Section 6(1): "A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and — (a) for a lawful purpose for which the Data Principal has given her consent; or (b) for certain legitimate uses."
The Act prescribes specific requirements for valid consent:
Section 6(2): "The consent referred to in clause (a) of sub-section (1) shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose."
Section 6(3): "A request for consent shall be presented to the Data Principal with an itemised notice in clear and plain language..."
Section 6(5): "The Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given."
The Act also introduces the concept of Consent Managers (Section 6(8)-(10)), registered entities that enable data principals to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform. Consent Managers are registered with the Data Protection Board and are accountable to the data principal.
Notice requirements (Section 5): Before requesting consent, the data fiduciary must provide an itemised notice containing: (a) a description of personal data sought and the purpose of processing; (b) the manner in which the data principal may exercise rights under the Act; and (c) the manner of making a complaint to the Data Protection Board.
Exceptions to consent (Section 7): The Act permits processing without consent in specific scenarios termed "certain legitimate uses" — including state functions (provision of subsidies, benefits, services, licences), compliance with court orders or legal obligations, medical emergencies, employment purposes, and public interest.
How courts have interpreted this term
Justice K.S. Puttaswamy (Retd.) v. Union of India [(2017) 10 SCC 1]
The nine-judge bench, while establishing the right to privacy, laid the conceptual foundation for consent in data processing. Justice Chandrachud observed that "informational self-determination" — the ability of individuals to control the disclosure and use of their personal data — is a core component of privacy. The Court held that any restriction on informational privacy must satisfy the three-fold test of legality, necessity, and proportionality, effectively establishing that data processing without meaningful consent or a compelling legal basis violates Article 21.
Common Cause v. Union of India [(2018) 5 SCC 1]
In the context of the right to die with dignity, the Supreme Court examined the nature of "informed consent" in medical decision-making. While not directly addressing data protection, the Court's rigorous analysis of what constitutes truly "informed" consent — requiring comprehension of the nature, consequences, and alternatives — influenced the DPDP Act's requirement that consent be "informed" and accompanied by a clear and plain language notice.
Internet and Mobile Association of India v. Reserve Bank of India [(2020) 10 SCC 274]
The Supreme Court, while striking down the RBI circular prohibiting banks from dealing in virtual currencies, observed that the right to engage in economic activity and to control one's own financial data are facets of personal liberty. The judgment reinforced the principle that individuals must have meaningful choice — not coerced compliance — when it comes to decisions affecting their personal data and financial autonomy.
Why this matters
Consent is the primary gateway through which personal data enters the processing ecosystem under the DPDP Act. For data fiduciaries, the practical implementation of the Act's consent requirements involves significant design and operational changes — consent forms must be in clear and plain language, consent must be specific to each purpose (bundled consent for multiple purposes is not permitted unless each purpose is separately identifiable), and withdrawal mechanisms must be as simple as the consent mechanism itself.
A common misunderstanding is that pre-ticked checkboxes, implied consent from continued use, or buried terms in lengthy privacy policies constitute valid consent under the DPDP Act. The Act requires a "clear affirmative action" — meaning consent must be actively and specifically given, not assumed from silence, inactivity, or pre-selected options. This is a significant departure from the practice followed by many Indian businesses under the earlier IT Rules of 2011.
For practitioners, understanding the exceptions to consent under Section 7 is equally important. The "certain legitimate uses" carve-out allows processing without consent in carefully defined circumstances, but these exceptions are narrow and cannot be used as a blanket workaround. For example, the employment exception (Section 7(i)) applies to processing "for the purpose of employment or those related to safeguarding the employer from loss or liability," but does not extend to employee profiling or monitoring beyond what is necessary for the employment relationship.
The Consent Manager framework introduced by Section 6(8)-(10) is a uniquely Indian innovation. These registered entities will function as intermediaries between data principals and data fiduciaries, enabling individuals to manage consent across multiple platforms through a single interface — analogous to how the Account Aggregator framework operates in the financial sector.
Related terms
Parent framework:
Key actors:
Related concepts:
Frequently asked questions
Is consent always required to process personal data in India?
No. While consent is the primary lawful basis, the DPDP Act provides for "certain legitimate uses" under Section 7 where processing is permitted without consent. These include: the State providing subsidies, benefits, or services; compliance with court orders or judgments; responding to medical emergencies; employment-related processing; and processing in the public interest as prescribed. Outside these narrow exceptions, processing personal data without valid consent is a violation of the Act.
What are the requirements for valid consent under the DPDP Act?
Section 6(2) requires that consent be: (a) free — not obtained through coercion or undue influence; (b) specific — related to a particular purpose; (c) informed — the data principal must understand what data is collected and why; (d) unconditional — consent cannot be made a condition for accessing a service unless the data is necessary for that service; and (e) unambiguous — given through a clear affirmative action, not inferred from silence or pre-ticked boxes.
Can consent be withdrawn after it is given?
Yes. Section 6(5) gives every data principal the right to withdraw consent at any time, with "the ease of doing so being comparable to the ease with which such consent was given." Upon withdrawal, the data fiduciary must cease processing and, where the purpose is no longer necessary, erase the personal data within a reasonable time. Withdrawal does not affect the lawfulness of processing done before withdrawal.
What is a Consent Manager under the DPDP Act?
A Consent Manager is a person registered with the Data Protection Board under Section 6(8) that enables data principals to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform. Consent Managers act as a single point of consent management across multiple data fiduciaries. They are accountable to the data principal and must be registered before operating, with the Central Government prescribing the registration and operational requirements.
This entry is part of the Veritect Indian Legal Glossary, a comprehensive reference of Indian legal terminology grounded in statutory text and judicial interpretation.
Last updated: 2026-03-27. Veritect provides this content for informational purposes and does not constitute legal advice.