Consent is the cornerstone of the DPDPA. Building it wrong is the fastest route to regulatory exposure.
The Digital Personal Data Protection Act, 2023 establishes consent as the primary lawful basis for processing personal data. Section 6 prescribes that consent must be free, specific, informed, unconditional, and unambiguous, with a clear affirmative action. The DPDP Rules, 2025 operationalise this through Rule 3 (notice and consent format) and Rule 4 (Consent Manager registration). Organisations that treat consent as a checkbox exercise will find their compliance programmes structurally deficient.
Why Consent Architecture Demands Strategic Investment
The DPDPA does not merely require that you obtain consent. It mandates a demonstrable, auditable, and operationally coherent system for managing it.
Under the DPDPA, consent is not a one-time event. It is a continuous obligation. Every processing purpose requires distinct consent. Every consent must be withdrawable with the same ease with which it was given. And every consent artifact must be verifiable under audit. This means that organisations cannot rely on bundled terms, pre-checked boxes, or implied acceptance.
The introduction of registered Consent Managers under Rule 4 creates a new intermediary layer in the consent lifecycle. These entities, registered with the Data Protection Board, act as single points of accountability for consent collection, storage, and withdrawal. Organisations processing data at scale will need to evaluate whether to build in-house consent infrastructure or integrate with registered Consent Managers.
Core Consent Requirements
Six architectural pillars that every Data Fiduciary must address to achieve consent compliance under the DPDPA.
Informed Notice
Section 5 | Rule 3: Before or at the time of requesting consent, the Data Fiduciary must provide a clear notice identifying itself, the personal data to be processed, the purpose of processing, and the manner in which the Data Principal may exercise rights.
Granular Purpose Specification
Section 6(1): Consent must be specific to each processing purpose. Bundled consent covering multiple unrelated purposes is not valid. Each purpose must be separately identified and separately consented to.
Affirmative Action
Section 6(2): Consent requires a clear affirmative action. Pre-ticked boxes, silence, or inactivity do not constitute valid consent. The burden of demonstrating valid consent rests with the Data Fiduciary.
Withdrawal Mechanism
Section 6(4): The Data Principal must be able to withdraw consent with the same ease as it was given. Withdrawal must result in cessation of processing and erasure of data, unless retention is required by law.
Consent Manager Integration
Rule 4: Registered Consent Managers serve as accountable intermediaries. They maintain verifiable consent records and enable Data Principals to manage consent across multiple Data Fiduciaries through a single interface.
Audit Trail Integrity
Section 8 | Rule 6: Consent records must be maintained with sufficient integrity to withstand regulatory audit. This includes timestamps, purpose identifiers, the version of the notice presented, and the method of consent collection.
Building a Defensible Consent Architecture
Consent architecture is not a front-end problem. It is a system-wide design challenge that touches user interfaces, backend data pipelines, vendor contracts, and regulatory reporting. Organisations that approach consent as a UI widget will discover, under audit or incident, that their consent records do not map to their actual processing activities.
"The DPDPA tests not whether consent was obtained, but whether it was obtained correctly, recorded accurately, and can be demonstrated on demand."
Frequently Asked Questions
Concise, statutory-referenced answers to the most common compliance questions on this topic.
What constitutes valid consent under the DPDPA?
Under Section 6, valid consent must be free, specific, informed, unconditional, and unambiguous. It requires a clear affirmative action by the Data Principal. Pre-checked boxes, bundled consent for multiple purposes, or consent obtained through deceptive design patterns do not meet the statutory threshold.
Is a Consent Manager mandatory under the DPDPA?
Consent Managers are not mandatory for all organisations. However, Rule 4 establishes a registration framework for entities that wish to operate as Consent Managers. Organisations processing data at scale may find it operationally advantageous to integrate with registered Consent Managers for centralised consent lifecycle management.
What happens when a Data Principal withdraws consent?
Under Section 6(4), withdrawal of consent must result in cessation of processing for the purposes to which consent related. The Data Fiduciary must also ensure erasure of the personal data, unless retention is required under any other law. The consequences of withdrawal must not affect the lawfulness of processing conducted prior to withdrawal.
How should organisations document consent for DPDPA compliance?
Organisations should maintain consent artifacts that record the identity of the Data Principal, the specific purposes consented to, the timestamp, the version of the privacy notice presented, and the method of consent collection. These records must be auditable and capable of demonstrating compliance during a regulatory inquiry.
From Awareness to Implementation
Understanding the requirement is the first step. Building the operational infrastructure to meet it, under scrutiny, is the work that follows.

