
Consent Management Under the DPDPA: How to Build a Compliant Consent Flow


What does consent management require under the DPDPA?

Under the DPDPA, you must serve an itemised, plain-language notice (Section 5), then obtain consent that is free, specific, informed, unconditional and unambiguous through clear affirmative action (Section 6). Consent must be limited to necessary data, granular per purpose, easy to withdraw, logged for proof, and refreshed on any material change of purpose.

Consent is the primary basis for processing personal data under India’s Digital Personal Data Protection Act, 2023 (DPDPA). Getting consent right is therefore the foundation of compliance — and the most visible touchpoint between your organisation and every Data Principal. A compliant consent flow is built from two sections working together: the notice in Section 5 and the consent standard in Section 6.

This guide walks through what the notice must say, what valid consent looks like, how withdrawal must work, the role of registered Consent Managers, and the operational details — granular per-purpose consent, audit trails and re-consent — that separate a compliant flow from a pre-ticked checkbox.

What must the Section 5 consent notice contain?

Section 5 requires that, on or before requesting consent, the Data Fiduciary gives the Data Principal a notice. Where consent was obtained before the Act commenced, a notice must be given as soon as reasonably practicable. The notice must be in clear and plain language and must include, as a minimum:

  • An itemised description of the personal data to be collected.
  • The purpose for which the personal data is proposed to be processed.
  • The manner in which the Data Principal may exercise their rights under Section 6(4) (to withdraw consent) and Section 13 (grievance redressal).
  • The manner in which the Data Principal may make a complaint to the Data Protection Board of India.

The Data Principal must be given the option to access the notice in English or in any language listed in the Eighth Schedule to the Constitution of India — which lists 22 scheduled languages including Hindi, Bengali, Tamil, Telugu, Marathi, Gujarati and more. The DPDP Rules 2025 reinforce that the notice should be understandable on its own, presented separately from other information, and give an explicit means to withdraw consent as easily as it was given.

What does valid consent look like under Section 6?

Section 6(1) sets a strict quality bar. Consent for processing personal data must be:

Free
Given without coercion, pressure or detriment for refusal — and not bundled with the provision of a service where the data is not necessary for it.
Specific
Tied to a clearly stated purpose, not a vague or open-ended permission to use data for anything.
Informed
Preceded by the Section 5 notice so the individual understands what data is collected and why.
Unconditional
Not made a condition for receiving a service unless the personal data is genuinely necessary for that service.
Unambiguous, with clear affirmative action
Signalled by a positive act — such as ticking an unticked box or clicking “I agree” — never by silence, inactivity or a pre-ticked box.
Limited to necessary data
Section 6(1) limits consent to the personal data necessary for the specified purpose; any processing beyond that purpose falls outside the consent.

Section 6(2) makes the consequence explicit: if consent extends to personal data not necessary for the specified purpose, that excess is invalid to the extent it is unnecessary. In short, you cannot collect more than you need and lean on a broad consent to justify it.

How must withdrawal of consent work?

Section 6(4) gives the Data Principal the right to withdraw consent at any time, and the same subsection requires that the ease of withdrawing consent be comparable to the ease with which it was given: you cannot make signing up a single click and then force a phone call or a multi-step process to opt out.

Section 6(5) places the consequences of withdrawal on the Data Principal (for example, you may no longer be able to provide a service that depended on the data) and confirms that withdrawal does not affect the legality of processing carried out before it. Section 6(6) addresses what happens next: on withdrawal, the Data Fiduciary must, within a reasonable time, cease processing the Data Principal's personal data and cause its Data Processors to cease processing, unless that processing without consent is required or authorised under the Act, the Rules or any other law in force.

What is a Consent Manager?

The DPDPA introduces a distinctive concept: the Consent Manager. Under Section 6(7)–6(9), a Data Principal may give, manage, review and withdraw consent through a Consent Manager — a single point of contact that acts on behalf of the individual and is accountable to them. A Consent Manager must be registered with the Data Protection Board and must be interoperable, meeting the technical, operational and financial conditions the DPDP Rules 2025 prescribe (including a minimum net worth and obligations to act in a fiduciary capacity towards the Data Principal).

For Data Fiduciaries, this means consent may arrive not only directly through your own interface but also via a registered Consent Manager’s platform, with a verifiable record of what the individual agreed to. Designing your consent flow to interoperate with Consent Managers future-proofs it.

Why must consent be granular and per-purpose?

Because consent must be specific and limited to necessary data, you cannot bundle multiple unrelated purposes behind a single checkbox. Each distinct purpose — fulfilling an order, sending marketing, sharing with a partner, analytics — needs its own clearly described consent that the individual can grant or decline independently.

  • No bundling — do not combine consent for the core service with consent for optional purposes like marketing or profiling.
  • No pre-ticked boxes — every consent must require a positive, affirmative action by the Data Principal.
  • Independent toggles — let individuals accept some purposes and decline others without losing the core service.
  • Plain-language purpose statements — each toggle should describe its purpose so consent is genuinely informed.

How do you prove consent was validly obtained?

Section 6(10) places the burden of proof on the Data Fiduciary: in the event of a question, you must be able to demonstrate that notice was given and that valid consent was obtained in accordance with the Act and the Rules. That makes an audit trail essential. For every consent event you should be able to produce a tamper-evident record capturing the version of the notice shown, the exact purposes consented to, the timestamp, the consent artefact or identifier, and any subsequent withdrawal — so you can reconstruct precisely what each individual agreed to and when.

When must you obtain fresh consent?

Consent is anchored to a specific purpose. If you materially change the purpose of processing — adding a new use of the data, sharing it with a new category of recipient, or extending it beyond what the original notice described — the original consent no longer covers that new activity. You must serve a fresh Section 5 notice and obtain new, specific consent before processing for the changed purpose. Treat material change as a re-consent trigger rather than an internal update.

When can you process without consent (legitimate uses)?

Consent is the primary basis, but Section 7 provides an alternative: a defined list of “legitimate uses” where personal data may be processed without separate consent. These include data the individual has voluntarily provided for a specified purpose, certain State functions and subsidy/benefit delivery, compliance with legal obligations and court orders, responding to medical emergencies and disasters, and specified employment purposes. Legitimate uses are narrow and purpose-bound — they are not a fallback for processing you simply forgot to get consent for, and the Section 8 obligations still apply.

How do you build a compliant consent flow?

Bringing Sections 5, 6 and 7 together, a compliant consent flow can be built in six steps:

  1. Map your purposes and data — list each distinct processing purpose and the minimum personal data necessary for it, so consent can be specific and limited.
  2. Draft an itemised, plain-language notice — describe the data collected, the purposes, how to exercise rights and withdraw consent, and how to complain to the Board, available in English and Eighth Schedule languages.
  3. Capture consent by clear affirmative action — present granular, unticked, per-purpose toggles with no bundling and no pre-selection, so each consent is free, specific and unambiguous.
  4. Make withdrawal as easy as giving — provide a one-step, equally accessible way to withdraw any consent, and cease the relevant processing (and instruct processors to cease) within a reasonable time.
  5. Log a tamper-evident audit trail — record the notice version, purposes, timestamp, consent artefact and any withdrawal for every event, so you can prove compliance under Section 6(10).
  6. Re-consent on material change and support Consent Managers — re-notify and re-collect consent when purposes change, and design the flow to interoperate with registered Consent Managers.
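The following is an added example, written for this guide and not code from the original page or from any vendor product, showing one way to implement the six steps and the Section 6(10) audit trail described above as a small append-only consent ledger. It assumes a purpose registry (the purpose names and data fields are constructed for illustration), treats a new notice version as the signal of a material change of purpose, and uses a SHA-256 hash chain as the tamper-evidence mechanism; the Act prescribes none of these specifics, they are design choices for the example.

```python
# Added example (not from the original page): a minimal append-only consent
# ledger that enforces the Section 6 rules described above and produces the
# evidence Section 6(10) asks for. Purpose names, field names, principal ids
# and notice versions are constructed for illustration.
import hashlib
import json

# Step 1: purpose registry. The minimum data each purpose needs; anything
# requested beyond this is outside the consent (Section 6(1)-(2)).
PURPOSES = {
    "order_fulfilment": {"name", "address", "phone"},
    "marketing": {"email"},
    "analytics": {"device_id"},
}

GENESIS = "0" * 64  # prev_hash of the first record in the chain


class ConsentError(ValueError):
    """Raised when an event would not meet the Section 6 standard."""


def _canonical(record):
    """Stable JSON bytes so the hash is reproducible across runs."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class ConsentLedger:
    """Append-only, hash-chained log of grant and withdraw events (step 5)."""

    def __init__(self):
        self.records = []

    def _append(self, record):
        record["prev_hash"] = self.records[-1]["hash"] if self.records else GENESIS
        record["hash"] = hashlib.sha256(_canonical(record)).hexdigest()
        self.records.append(record)
        return record

    def grant(self, principal, notice_version, choices, affirmative, requested, at):
        """Step 3: record consent given by clear affirmative action.

        choices:     {purpose: True/False}, one entry per separate, unticked toggle
        affirmative: whether the principal actively submitted (a pre-ticked default
                     or silence is passed as False and rejected)
        requested:   the fields the form wants to collect
        at:          ISO-8601 timestamp; a real system stamps trusted server time
        """
        if not affirmative:
            raise ConsentError("silence, inactivity or a pre-ticked box is not consent")
        unknown = sorted(set(choices) - set(PURPOSES))
        if unknown:
            # A combined key such as "order_fulfilment+marketing" lands here: no bundling.
            raise ConsentError(f"unregistered or bundled purpose(s): {unknown}")
        purposes = sorted(p for p, chosen in choices.items() if chosen)
        necessary = set().union(*(PURPOSES[p] for p in purposes)) if purposes else set()
        requested = set(requested)
        return self._append({
            "event": "grant",
            "principal": principal,
            "notice_version": notice_version,          # which notice was shown
            "purposes": purposes,                      # exactly what was agreed to
            "data": sorted(requested & necessary),     # data the consent covers
            "excess_not_consented": sorted(requested - necessary),  # Section 6(2)
            "timestamp": at,
        })

    def withdraw(self, principal, purpose, at):
        """Step 4: one call per purpose, no extra friction beyond the grant."""
        if purpose not in self.active_purposes(principal):
            raise ConsentError(f"no active consent for {purpose!r}")
        return self._append({"event": "withdraw", "principal": principal,
                             "purposes": [purpose], "timestamp": at})

    def active_purposes(self, principal):
        """Replay the chain: the latest grant minus any later withdrawals."""
        active = set()
        for r in self.records:
            if r["principal"] != principal:
                continue
            if r["event"] == "grant":
                active = set(r["purposes"])  # a fresh grant supersedes the earlier one
            else:
                active -= set(r["purposes"])
        return sorted(active)

    def needs_reconsent(self, principal, current_notice_version):
        """Step 6: consent taken under an older notice does not cover a new one."""
        grants = [r for r in self.records
                  if r["principal"] == principal and r["event"] == "grant"]
        return not grants or grants[-1]["notice_version"] != current_notice_version

    def verify(self):
        """Recompute every hash; an edited or deleted record breaks the chain."""
        prev = GENESIS
        for r in self.records:
            body = {k: v for k, v in r.items() if k != "hash"}
            if r["prev_hash"] != prev or r["hash"] != hashlib.sha256(_canonical(body)).hexdigest():
                return False
            prev = r["hash"]
        return True

    def evidence(self, principal):
        """What to produce under Section 6(10): every event for this principal."""
        return [r for r in self.records if r["principal"] == principal]


def demo():
    """Constructed walk-through of one principal's consent lifecycle."""
    ledger = ConsentLedger()
    ledger.grant(principal="dp-1001", notice_version="notice-v1",
                 choices={"order_fulfilment": True, "marketing": False, "analytics": True},
                 affirmative=True,
                 requested=["name", "address", "phone", "email", "device_id"],
                 at="2026-01-15T10:00:00+00:00")
    ledger.withdraw("dp-1001", "analytics", at="2026-02-01T09:30:00+00:00")
    return ledger
```

Two points the ledger makes concrete: the grant record keeps `excess_not_consented` rather than silently dropping the field, so the evidence shows that the form over-asked and that the data was not covered; and `needs_reconsent` is keyed on the notice version, which forces the team to ship a material change of purpose as a new notice instead of editing the old one in place.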

Generate a compliant notice fast

Use the Consent Notice Generator to produce an itemised, plain-language Section 5 notice — with rights, withdrawal and Board-complaint details — tailored to your purposes. Start at /tools/consent-notice-generator.

Frequently asked questions

What makes consent valid under the DPDPA?

Under Section 6, consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and limited to the personal data necessary for the specified purpose. It must be preceded by the Section 5 notice. Pre-ticked boxes, silence or bundled consent do not meet the standard.
