Consent Management Under DPDPA: How to Build a Compliant Consent Flow

Under the DPDPA, most processing of personal data rests on consent. Section 6 sets a high bar: consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action. Here is how to build a flow that meets it.

1. Lead with the notice

Before any data is collected, present the Section 5 notice: what data, what purpose, and how to withdraw consent or complain. Keep it itemised and in plain language.

2. Make consent granular

Bundle nothing. Each distinct purpose gets its own opt-in. Pre-ticked boxes and "accept all or leave" patterns do not constitute valid consent.

3. Capture an audit trail

Record the version of the notice shown, the timestamp, the purposes consented to, and the method. If you cannot prove consent, you do not have it.

4. Make withdrawal effortless

Section 6(4) requires withdrawal to be as easy as giving consent. Offer a one-click preference centre, and stop the relevant processing promptly once consent is withdrawn.

5. Honour Consent Managers

The DPDPA introduces Consent Managers — accountable intermediaries, registered with the Board, through which Data Principals can give, manage and withdraw consent. Design your systems to interoperate with them.

6. Re-consent on material change

If the purpose changes, refresh consent. Do not silently repurpose previously collected data.

A purpose-built Consent Management Platform handles versioning, granular purposes, withdrawal and audit logging out of the box — which is exactly what Data Adhikaar's Sammati agent provides. Try the Consent Notice Generator to draft a compliant notice in minutes.