DPDPA Consent Architecture Flowchart

Section 6 of the Digital Personal Data Protection Act, 2023 places consent at the heart of lawful data processing in India. The law requires consent to be free, specific, informed, unconditional, and unambiguous. This means organisations must obtain clear affirmative action from users before processing their data.

The legislation specifically bans pre ticked boxes and bundled consent mechanisms. Any consent obtained through deception or coercion is invalid. Data Fiduciaries need to present consent requests in clear, plain language that explains exactly why personal data will be processed.

This marks a significant shift from the old "deemed consent" approaches that were common in Indian data practices. Organisations now need to completely redesign how they interact with users and collect their consent.

Section 6(4) introduces the principle of withdrawal parity. Simply put, Data Principals must be able to withdraw their consent as easily as they gave it. Organisations cannot add friction, waiting periods, or extra verification steps when someone wants to withdraw consent.

The DPDP Rules 2025 add verification requirements on top of this. Data Fiduciaries must maintain complete audit trails of all consent transactions. These records need to capture when consent was given, for what purpose, and how it was provided.

This creates an evidence base that becomes crucial during regulatory reviews. The verification systems must also work with Consent Managers, which brings in interoperability requirements and standardised consent formats across platforms.