Most Indian companies believe they have consent. They do not.
They have a checkbox. A pre-ticked box on a registration form. A cookie banner that says "By continuing to use this site you agree to our privacy policy." A 14-page privacy policy that no one — including the legal team that approved it — has read end to end.
None of this is consent under the DPDPA.
What the law actually requires
Section 6 of the DPDPA defines consent as "free, specific, informed, unconditional and unambiguous." Rule 3 of the DPDP Rules 2025 prescribes the exact format of the consent notice. It must be in clear and plain language. It must specify each purpose separately. It must provide a withdrawal mechanism that is as easy as the mechanism used to give consent.
Read that last line again. As easy as the mechanism used to give consent.
If your customer gave consent with one click, they must be able to withdraw it with one click. Not by writing an email. Not by calling a helpline. Not by navigating seven screens to find a settings page that may or may not exist.
The Consent Trap defined
The Consent Trap is the gap between obtaining consent and maintaining valid consent. Most organisations focus on collection. The law focuses on the entire lifecycle.
Consent expires. Purposes change. Processing activities evolve. The consent you obtained eighteen months ago for "improving user experience" does not cover the behavioural analytics pipeline your data science team built six months ago.
Every new processing activity requires a fresh assessment: does existing consent cover this? If the answer is "probably", then the answer is no.
The three failure modes
After reviewing consent architectures across 200 organisations in 2024 and 2025, we see the same three failures:
- Bundled consent: one checkbox for twelve processing purposes. The DPDPA requires specific consent for each purpose. Bundled consent is no consent.
- Stale consent: consent obtained under a previous privacy policy that no longer reflects current processing activities. Stale consent is expired consent.
- No withdrawal path: consent was collected but there is no documented, tested mechanism for withdrawal. Without withdrawal, consent is a one-way door. The law requires a two-way door.
"Consent is not a moment. It is a relationship."
— Anandaday Misshra
Do this now
Pull your current consent form. Read it against Rule 3. Ask four questions: Is each purpose listed separately? Is the language clear and plain? Can the user withdraw with the same ease they gave consent? Do you have a timestamped log of every consent collected?
If any answer is no, your consent architecture needs rebuilding before the first enforcement action makes the lesson expensive.
