Why Consent Is the Cornerstone of DPDP Act Compliance
The Digital Personal Data Protection Act 2023 makes consent the primary legal basis for processing personal data. Unlike some international frameworks that allow multiple grounds (legitimate interests, contractual necessity, etc.) without much restriction, the DPDP Act is more consent-centric. There are "deemed consent" (or "legitimate use") situations specified in the Act — such as processing by the State, emergencies, employment purposes, and certain public interest activities — but for most commercial data processing by private businesses, consent is the legal basis.
This means that if you are processing a customer's personal data without valid consent — even for something as routine as sending a marketing SMS or storing their order history beyond the immediate transaction — you are in violation. And if you cannot demonstrate that you obtained valid consent, you cannot defend yourself before the Data Protection Board when a complaint is filed.
A consent management framework is the set of policies, procedures, forms, records, and technical mechanisms that your business uses to: obtain valid consent before collecting data, record that consent, manage changes to consent, and process withdrawal of consent when requested.
What "Valid Consent" Means Under the DPDP Act
The DPDP Act 2023 requires consent to have five specific characteristics. Any consent mechanism that lacks even one of these is invalid:
Free: Consent must not be obtained through coercion, undue influence, or as a condition for accessing a service where the data collection is not necessary for that service. For example, refusing to provide a service unless the customer consents to marketing emails — when marketing is not necessary for the service — makes consent not freely given.
Specific: Consent must be given for a defined, specific purpose. A blanket consent to "use your data for any purpose" is not valid. Each distinct processing purpose (e.g., order fulfilment, marketing, analytics, sharing with affiliates) requires separate, identified consent.
Informed: The Data Principal must receive the required notice — explaining what data is collected, the purpose, how to exercise rights, and how to file a complaint — before consent is sought. Consent obtained before providing the notice is not informed consent.
Unconditional: Consent must not be bundled with acceptance of other terms. For instance, requiring a user to consent to data processing as a condition of accepting terms of use, when the data processing is not necessary for performing the contract, may render the consent invalid. This is the "bundled consent" issue that many businesses currently have.
Unambiguous: Consent must be expressed through a clear, affirmative act — checking an unchecked box, clicking a clearly labelled button, or signing a form. Silence, pre-ticked boxes, inaction, or ambiguous conduct does not constitute consent. This eliminates most of the "I agree to the Privacy Policy" clauses buried in sign-up forms where checking the box is mandatory to proceed.
How to Obtain Consent Across Different Touchpoints
Website and App Registration
When users sign up for your website or app, the consent mechanism must: (a) show the notice (privacy policy link is not sufficient — key information must be visible) before the consent action, (b) use a separate, unchecked checkbox for each distinct processing purpose (account creation vs. marketing vs. analytics), and (c) allow the user to proceed with core services even if they refuse consent for optional purposes like marketing.
Contact and Lead Generation Forms
When a prospective customer fills a contact form, they are providing personal data. Your form must include a consent notice explaining that you will use their information to respond to their enquiry and, if you intend to follow up with marketing, a separate consent checkbox for that purpose. Pre-ticking the "contact me for offers" box is not valid.
Customer Onboarding (Offline and Online)
When onboarding new customers — whether at a retail outlet, a service centre, or through a paper application — collecting personal data requires a consent notice and a consent record. This means modifying your customer application forms, customer information sheets, and onboarding processes to include compliant consent language and a record of the customer's agreement.
HR and Employee Data
Employee personal data processing falls under "deemed consent" (legitimate use) for employment-related purposes — you do not need separate consent for every routine HR activity. However, for processing beyond what is necessary for the employment relationship (e.g., sharing employee data with third parties for benefits programmes, using biometric data for attendance, sharing salary data with banks), proper consent or a legitimate use basis must be documented.
WhatsApp and SMS Marketing
Sending promotional messages via WhatsApp, SMS, or email requires prior, explicit, and recorded consent. The widespread practice of "WhatsApp blasting" customer numbers collected during transactions — without specific consent for marketing — is non-compliant under the DPDP Act and the TRAI regulations. We help you build a consent capture process for your communication channels.
Consent Records: What to Store and For How Long
Obtaining consent is only half the requirement — you must also be able to prove that you obtained valid consent when challenged. This requires maintaining consent records that capture:
- The identity of the Data Principal (or a pseudonymous identifier linked to them)
- The date and time when consent was given
- The specific purpose(s) for which consent was given
- The version of the consent notice that was shown at the time (since notices get updated)
- The method by which consent was given (online form, paper form, in-person, etc.)
- Any subsequent modifications or withdrawal of consent, with timestamps
Consent records should be retained for the duration of the processing relationship plus a reasonable period thereafter — as a rule of thumb, the processing period plus three years is a defensible approach, absent specific Rules prescribing a period.
Withdrawal of Consent: What It Means Operationally
The DPDP Act gives Data Principals the right to withdraw consent at any time. The Act requires that withdrawal must be "as easy as giving consent." This is a significant operational requirement for many businesses:
- If consent was given via a checkbox on your website, withdrawal must be possible with similar ease — an "unsubscribe" link in emails, a "manage my data" section in your account, or a clear process to request withdrawal.
- Once consent is withdrawn, you must stop processing the personal data covered by that consent promptly. This may require changes to your CRM, marketing lists, database workflows, and communication processes.
- You must erase the personal data upon withdrawal if the Data Principal requests it — subject to legal obligations that require you to retain certain data (tax records, court order obligations, etc.).
- The burden is on you to demonstrate that you have honoured the withdrawal and erased (or stopped processing) the relevant data.
Operationally, this means your business needs documented processes for handling consent withdrawal requests — who receives them, what happens internally, what is communicated back to the Data Principal, and how the record is updated.
What We Draft and Build for You
We provide end-to-end consent management documentation and advisory:
- Consent Notice Templates — Short, plain-language notices for each data collection touchpoint (website, app, offline form, HR), containing the information required by the DPDP Act.
- Consent Forms — Revised versions of your existing customer application forms, registration forms, and marketing opt-in forms with DPDP-compliant consent language and structure.
- Internal Consent Register Template — A structured record-keeping template for logging consents, including all fields required to demonstrate compliance.
- Consent Withdrawal Mechanism Documentation — Written procedure and user-facing instructions for how individuals can withdraw consent, and internal process for handling withdrawal requests.
- Legitimate Use Documentation — For data processing that falls under the Act's "deemed consent" / legitimate use provisions (employment, legal obligations, etc.), we document the basis so you have a clear record that no consent was needed and why.
- Review of Existing Consent Language — If you already have consent checkboxes, privacy notices, or terms of service with consent clauses, we review them against DPDP Act requirements and identify what needs to change.
Frequently Asked Questions
Under the DPDP Act 2023, valid consent must be: (1) free — not obtained by coercion or as a condition for an unrelated service; (2) specific — given for a defined purpose, not a blanket consent; (3) informed — given after the Data Principal has received the required notice; (4) unconditional — not bundled with acceptance of unrelated terms; and (5) unambiguous — given through a clear affirmative action such as checking an unchecked box or clicking a clearly labelled button. Silence, pre-ticked boxes, or passive acceptance do not constitute valid consent. All five elements must be present — consent lacking even one element is invalid under the Act.
No. Pre-ticked checkboxes are not valid consent under the DPDP Act 2023. The Act requires consent to be given through a clear affirmative action — the Data Principal must actively check an empty box, click a specific button, or perform an equivalent unambiguous act. A box that is already checked, requiring the user to untick it to refuse, does not satisfy this requirement. Most current website sign-up forms that use pre-ticked "I agree to the Privacy Policy" or "Send me updates" checkboxes need to be revised.
When a Data Principal withdraws consent, the Data Fiduciary must stop processing the personal data for which consent was the basis — and do so promptly. The withdrawal does not affect the lawfulness of processing that occurred before the withdrawal. The Data Fiduciary must also facilitate the erasure of personal data if requested, subject to any overriding legal retention obligations (like tax records or court orders). Practically, this requires businesses to build operational processes — not just policies — to stop processing and delete or anonymise the relevant data when a withdrawal is received.
The DPDP Act requires the notice provided before obtaining consent to be made available in any language specified in the Eighth Schedule of the Indian Constitution, if the Data Principal requests it. India's Eighth Schedule includes 22 languages — Tamil, Hindi, Telugu, Malayalam, Kannada, and others. Businesses operating in Pondicherry and Tamil Nadu should particularly ensure Tamil language support for their consent notices. The Rules may specify how this requirement is to be implemented technically — likely requiring businesses to provide a mechanism for language selection before the consent is presented.
The DPDP Act does not prescribe a specific retention period for consent records. As a practical and prudent compliance measure, consent records should be retained for as long as you continue processing the personal data covered by that consent, plus a reasonable period thereafter to demonstrate compliance in any inquiry or dispute. A defensible general approach is: retain consent records for the duration of the customer or processing relationship plus at least 3 years. The specific Rules under the DPDP Act, when notified, may prescribe retention periods. Your consent records must capture the identity of the individual, the date, the purpose, the version of the notice shown, and the method of consent.
Build a Consent Framework That Actually Holds Up
Most businesses in Pondicherry and across India are collecting personal data without compliant consent mechanisms. We help you fix this before the Data Protection Board starts taking complaints. Contact us for a consultation.