Executive Summary
Consent is the cornerstone of India's Digital Personal Data Protection Act, 2023. Understanding consent requirements is essential for all organizations processing personal data:
- Consent standard: Free, specific, informed, unconditional, unambiguous
- Notice requirement: Mandatory before or at the time of consent collection
- Withdrawal right: Data Principal can withdraw consent at any time
- Deemed consent: Limited situations where explicit consent is not required
- Consent Manager: New intermediary for consent management
This guide provides a comprehensive analysis of consent requirements under the DPDP Act.
1. Statutory Framework
Section 6 - Consent for Processing
DPDP Act Section 6 establishes:
"A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose—(a) for which the Data Principal has given her consent."
Consent Characteristics
| Characteristic | Meaning |
| --- | --- |
| Free | No coercion, pressure, or conditioning |
| Specific | For defined, particular purposes |
| Informed | With full knowledge via notice |
| Unconditional | Not tied to unrelated services |
| Unambiguous | Clear affirmative action |
2. Notice Requirements
Pre-Consent Notice
Before seeking consent, the Data Fiduciary must provide a notice containing:
| Element | Detail |
| --- | --- |
| Personal data | Categories being collected |
| Purpose | Specific purposes for processing |
| Rights | Data Principal rights |
| Grievance mechanism | How to raise complaints |
| Cross-border | If data transferred outside India |

| Requirement | Specification |
| --- | --- |
| Language | Clear, plain language |
| Accessibility | Easy to understand |
| Standalone | Not buried in terms |
| Visibility | Prominent presentation |
| Languages | Including scheduled languages |
3. Valid Consent Mechanisms
Affirmative Actions
| Valid | Invalid |
| --- | --- |
| Active checkbox ticking | Pre-ticked checkboxes |
| Written signature | Silence or inactivity |
| Digital signature | Implied consent |
| Explicit verbal confirmation | Bundled consents |
| Click-through acceptance | Take-it-or-leave-it |
Granular Consent
| Principle | Application |
| --- | --- |
| Purpose-specific | Separate consent for each purpose |
| Unbundled | Not tied to service provision |
| Modular | Can accept some, reject others |
| Recorded | Evidence of what was consented |
4. Withdrawal of Consent
Right to Withdraw
| Aspect | Requirement |
| --- | --- |
| Availability | Must be provided |
| Ease | As easy as giving consent |
| Effect | Processing must stop |
| Timeline | Within reasonable time |
| Past processing | Remains lawful |
Withdrawal Mechanism
| Element | Specification |
| --- | --- |
| Clear option | Visible withdrawal mechanism |
| No penalty | No adverse consequences |
| Confirmation | Acknowledge withdrawal |
| Data handling | Erasure unless retention required |
5. Deemed Consent (Legitimate Uses)
Section 7 - Certain Legitimate Uses
Consent is deemed given for specific purposes:
| Category | Examples |
| --- | --- |
| Voluntary provision | Data given for specified purpose |
| State functions | Government services, permits, licenses |
| Court/legal obligation | Compliance with judgments, laws |
| Medical emergency | Life-threatening situations |
| Employment | Employee data processing |
| Public interest | As notified by Government |
State Functions
Processing is permitted without explicit consent for:
- Subsidies, benefits delivery
- Licenses, permits, certificates
- Government services
- Regulatory functions
Employment Context
| Permitted | Conditions |
| --- | --- |
| Employee records | Related to employment |
| Payroll processing | Employment purpose |
| Background checks | At commencement |
| Performance data | Employment-related |
6. Consent for Children's Data
Special Requirements
| Requirement | Specification |
| --- | --- |
| Age threshold | Below 18 years |
| Parental consent | Verifiable parental/guardian consent |
| Prohibited processing | Behavioral monitoring, tracking |
| Verification | Age and guardian verification |
Verifiable Parental Consent
| Method | Validity |
| --- | --- |
| Parent's registered account | Verified |
| Credit card verification | Potentially valid |
| Knowledge-based verification | May be insufficient |
| Video verification | High assurance |
7. Consent Managers
| Aspect | Specification |
| --- | --- |
| Role | Single point for consent management |
| Function | Give, manage, review, withdraw consent |
| Registration | With Data Protection Board |
| Accountability | To Data Principal |
Consent Manager Services
| Service | Description |
| --- | --- |
| Consent aggregation | Central consent dashboard |
| Consent history | Records of consents given |
| Easy withdrawal | Single-click withdrawal |
| Audit trail | Complete consent history |
8. Re-Consent Requirements
When Re-Consent Needed
| Situation | Action Required |
| --- | --- |
| New purpose | Fresh consent for new use |
| Material change | Re-consent after notice |
| Expanded processing | Consent for additional activities |
| Third-party sharing | Consent for new recipient |
Consent Refresh
| Trigger | Approach |
| --- | --- |
| Significant time gap | Consider refreshing consent |
| Changed circumstances | Update consent |
| Regulatory change | Review compliance |
9. Consent Records
Documentation Requirements
| Element | Retention |
| --- | --- |
| Consent given | Date, time, method |
| Notice provided | Version presented |
| Scope consented | Purposes accepted |
| Withdrawal | Date, scope of withdrawal |
Record Keeping
| Best Practice | Implementation |
| --- | --- |
| Immutable logs | Blockchain or secure database |
| Version control | Track notice versions |
| Audit capability | Demonstrate compliance |
| Retention period | As per processing duration |
10. Common Consent Pitfalls
Invalid Consent Practices
| Practice | Issue |
| --- | --- |
| Pre-ticked boxes | Not affirmative action |
| Bundled consent | Not specific/granular |
| Complex notices | Not informed |
| No withdrawal option | Violates right |
| Consent walls | Not free/unconditional |
Compliance Risks
| Risk | Consequence |
| --- | --- |
| Invalid consent | Processing unlawful |
| Missing records | Cannot demonstrate compliance |
| Difficult withdrawal | Regulatory penalty |
| Inadequate notice | Consent vitiated |
11. Compliance Checklist
Consent Collection
Consent Management
Children's Data
12. Key Takeaways for Practitioners
Affirmative Action Required: Pre-ticked boxes and silence are not valid consent mechanisms.
Notice is Prerequisite: Consent without proper notice is invalid.
Granularity Matters: Bundled, all-or-nothing consent is likely invalid.
Withdrawal Must Be Easy: At least as easy as giving consent.
Deemed Consent is Limited: Only specific statutory situations qualify.
Children Need Special Care: Verifiable parental consent is mandatory.
Records Are Essential: Document consent for regulatory defense.
Conclusion
Consent under the DPDP Act requires organizations to fundamentally rethink data collection practices. The emphasis on informed, specific, and freely-given consent means that traditional approaches—bundled consents, pre-ticked boxes, and complex notices—will not suffice. Organizations must implement robust consent management systems, maintain comprehensive records, and provide easy withdrawal mechanisms. The introduction of Consent Managers offers a new solution for simplifying consent management for Data Principals while creating compliance infrastructure for Data Fiduciaries.