
Consent Management Under DPDPA

Building Compliant Consent Architecture for Digital Platforms

14 min
January 2026

"Consent shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action."

DPDPA Section 6

The Digital Personal Data Protection Act, 2023 fundamentally transforms how organisations must approach consent. Unlike previous regulatory frameworks that accepted passive or implied consent, DPDPA demands affirmative action demonstrating genuine choice. This article examines the seven elements of valid consent and provides implementation guidance for digital platforms.

The Consent Standard

Section 6 establishes consent that must be free from coercion, specific to stated purposes, informed through adequate notice, unconditional and unbundled from service provision, unambiguous in meaning, obtained through clear affirmative action, and preceded by itemised notice. Pre-ticked checkboxes, buried consent clauses in lengthy terms, and take-it-or-leave-it bundling are explicitly non-compliant.

Key Points

  • Free from coercion or inducement
  • Specific to processing purpose
  • Informed through adequate notice
  • Clear affirmative action required

Notice Requirements

Rule 3 mandates notice in clear and plain language, accessible in English and 22 scheduled languages upon request. The notice must itemise: personal data being collected, purpose of processing, manner of exercising withdrawal rights, and grievance redressal mechanism. Technical jargon and legal complexity defeat the informed consent requirement.

Withdrawal Parity

Section 6(4) requires withdrawal to be as easy as giving consent. Consent collected through a single-click interface cannot require multi-step withdrawal processes involving account settings navigation, confirmation emails, and cooling-off periods. Withdrawal must trigger immediate processing cessation except where retention is legally mandated.

Key Points

  • Single-step withdrawal interface
  • No account deletion barriers
  • Immediate cessation of processing

Consent Records

Organisations must maintain auditable records of consent transactions, including the timestamp, the version of the notice presented, the mechanism used, and the identity of the consenting individual. These records become critical evidence in enforcement proceedings. The Data Protection Board may audit consent practices and demand production of consent evidence within 72 hours.

Key Takeaways

1. Audit existing consent mechanisms against Section 6 requirements
2. Implement multi-language notice capability
3. Design withdrawal mechanisms with collection parity
4. Establish consent version control and audit trail infrastructure
5. Train customer-facing staff on consent requirements

Statutory References

  • DPDPA Section 6
  • DPDP Rules 2025 Rule 3
  • DPDPA Section 5
  • DPDP Rules 2025 Rule 4
