If there is one thing that will trigger the most complaints under the DPDP Act, it is consent. Or more accurately, the lack of proper consent.
I audit consent mechanisms for a living. And I can tell you that about 8 out of 10 Indian websites I review are doing it wrong. Pre-ticked boxes, bundled consent, vague language, no withdrawal option. All of these are violations waiting to happen.
Here is how to get consent right under the DPDP Act.
What the Act Actually Requires
Section 6 of the DPDP Act lays out the consent requirements clearly. Valid consent must be:
Free: The person must have a genuine choice. You cannot deny a service entirely because someone refused consent for an unrelated purpose. If someone wants to buy a product, you cannot force them to consent to marketing emails as a condition of purchase.
Specific: Each purpose must have its own consent. "I consent to everything" is not valid. You need: "I consent to receive order updates via email" AND separately "I consent to receive promotional offers."
Informed: The person must know what they are consenting to. This means a clear description of what data you are collecting, why, and who you might share it with. No legal jargon. No 40-page documents.
Unconditional: You cannot make consent a precondition for something unrelated. Consent to data processing for a specific purpose should not be tied to unrelated benefits or services.
Unambiguous: Consent must involve a clear affirmative action. Silence, pre-ticked boxes, or inactivity do not count. The person must actively do something — check a box, click a button, toggle a switch.
The Most Common Mistakes I See
Mistake 1: The Blanket Consent
"By using this website, you agree to our Privacy Policy and consent to all data processing described therein."
This is not valid consent under the DPDP Act. It is not specific, it is not informed (nobody reads the full privacy policy), and it bundles multiple purposes into one vague agreement.
Mistake 2: Pre-Ticked Checkboxes
A checkbox that is already ticked when the page loads, saying "I agree to receive marketing communications," so the user has to un-tick it to opt out. Under DPDP, the box must start unticked. The person must actively tick it.
Mistake 3: No Withdrawal Mechanism
You collected consent beautifully. But there is no way for the user to take it back. No unsubscribe link in emails. No privacy settings in the app. No "delete my data" option. The Act says withdrawal must be as easy as giving consent.
Mistake 4: Cookie Consent That Does Nothing
A banner pops up saying "We use cookies. OK?" with a single button. No choices, no categories, no ability to decline. While the DPDP Act does not have cookie-specific regulations like the EU ePrivacy Directive, the principle of informed consent still applies to tracking technologies.
Mistake 5: Not Keeping Consent Records
If the Board asks you to prove that User X consented to Purpose Y on Date Z, can you? Most companies cannot. You need a consent log — what was consented to, when, by whom, and through which mechanism.
How to Implement Consent Properly
At Sign-Up/Registration
Separate checkboxes for each purpose. Example:
- ☐ I agree to the Terms of Service and Privacy Policy (required for service)
- ☐ Send me product updates and feature announcements via email (optional)
- ☐ Send me promotional offers and discounts (optional)
- ☐ Share anonymised usage data to improve the product (optional)
For Existing Users
If you collected data before the DPDP Act came into force, you need to send a notice to existing users informing them about your data practices and giving them the option to withdraw consent. This is a one-time exercise but it is mandatory.
Consent Withdrawal
Three practical approaches:
- Email-level: Unsubscribe links in every email (you should already have this)
- Account-level: A "Privacy Settings" page in the user account where they can toggle each consent on or off
- Full withdrawal: A way to request complete data deletion — either self-service or via a form/email
Record Keeping
For every consent collected, log:
- Who consented (user ID or email)
- What they consented to (specific purpose)
- When (timestamp)
- How (which form/page, version of privacy notice shown)
- Any subsequent changes (withdrawal, re-consent)
This does not need to be a fancy system initially. A database table with these fields works fine. But you need to have it.
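The sign-up form, the withdrawal mechanisms and the consent log above all end up in the same place on the back end: an append-only record that can answer "did User X consent to Purpose Y on Date Z?" The following is an added example written for this article, not code from the author or from any product. The purpose names, the mechanism labels and the notice version strings are constructed for illustration; the design decisions it demonstrates are the ones the article asks for: absence of a checkbox value is never treated as consent (browsers omit unticked boxes from the submission, so a pre-ticked default cannot be "proved" later), withdrawals are recorded as new events rather than by editing history, and the status query is point-in-time so a later withdrawal does not erase evidence of earlier consent.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical purpose identifiers mirroring the separate checkboxes in the sign-up example.
REQUIRED_PURPOSES = {"terms_and_privacy"}
OPTIONAL_PURPOSES = {"product_updates", "promotional_offers", "anonymised_usage"}


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware timestamp helper so log entries are comparable without ambiguity."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str
    granted: bool        # True = consent given, False = consent withdrawn
    timestamp: datetime  # when the affirmative action (or withdrawal) happened
    mechanism: str       # which form/page or channel, e.g. "signup_form", "email_unsubscribe"
    notice_version: str  # version of the privacy notice shown at that moment


def _ticked(value) -> bool:
    # Only an explicit affirmative value counts. A missing key (the browser omits unticked
    # checkboxes) or any other value is "no consent"; there is no default-on path.
    return value is True or value == "on"


class ConsentLog:
    """Append-only consent log: entries are never edited or deleted."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record_signup(self, user_id: str, form: dict, notice_version: str, now: datetime) -> list[str]:
        """Record the purposes the user actively ticked on the sign-up form; returns them sorted."""
        if not _ticked(form.get("terms_and_privacy")):
            raise ValueError("required acceptance of Terms/Privacy Policy is missing")
        granted = sorted(p for p in REQUIRED_PURPOSES | OPTIONAL_PURPOSES if _ticked(form.get(p)))
        for purpose in granted:
            self._events.append(ConsentEvent(user_id, purpose, True, now, "signup_form", notice_version))
        return granted

    def withdraw(self, user_id: str, purpose: str, mechanism: str, now: datetime) -> None:
        """Withdrawal is a new event, so the original grant stays on record as evidence."""
        if purpose in REQUIRED_PURPOSES:
            # Dropping the service-required acceptance means closing the account; handled elsewhere.
            raise ValueError("withdraw required consent through account closure, not a toggle")
        self._events.append(ConsentEvent(user_id, purpose, False, now, mechanism, "n/a"))

    def status_at(self, user_id: str, purpose: str, at: datetime) -> bool:
        """Was consent for `purpose` in force for `user_id` at time `at`?
        The latest event on or before `at` decides; no event at all means no consent."""
        relevant = [e for e in self._events
                    if e.user_id == user_id and e.purpose == purpose and e.timestamp <= at]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.timestamp).granted

    def evidence(self, user_id: str, purpose: str) -> list[ConsentEvent]:
        """Full who/what/when/how history for one user and purpose: what a regulator asks for."""
        return [e for e in self._events if e.user_id == user_id and e.purpose == purpose]


if __name__ == "__main__":
    # Constructed walk-through: sign-up with one optional box ticked, later unsubscribed by email.
    log = ConsentLog()
    log.record_signup("user-42", {"terms_and_privacy": "on", "promotional_offers": "on"}, "notice-v2", utc(2025, 1, 10))
    log.withdraw("user-42", "promotional_offers", "email_unsubscribe", utc(2025, 2, 1))
    for event in log.evidence("user-42", "promotional_offers"):
        print(event)
    print("consent on 2025-01-20:", log.status_at("user-42", "promotional_offers", utc(2025, 1, 20)))
    print("consent on 2025-02-05:", log.status_at("user-42", "promotional_offers", utc(2025, 2, 5)))
```

In a real deployment the list becomes a database table with the same columns (user, purpose, granted, timestamp, mechanism, notice version), inserted into and never updated; the `status_at` query is then a "latest row on or before the date" lookup. Storing the notice version is what lets you show which wording the person actually saw when they ticked the box.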
The Bottom Line
Consent violations are the low-hanging fruit for regulators. They are easy to spot, easy to prove, and easy to complain about. When a user reports that they never consented to marketing emails and you cannot prove otherwise, that is a clear violation.
Get your consent mechanism right now, before complaints start flowing in. It is one of the cheapest and fastest compliance fixes, and it prevents the most common type of regulatory trouble.