Introduction

In the digital ecosystem, consent is no longer just a pop-up or checkbox—it is a legal foundation for the collection and processing of personal data. The Digital Personal Data Protection Act, 2023 (DPDP Act) has formalised the legal definition of consent in India and laid down strict conditions for how it must be obtained, managed, and revoked.

This article unpacks the requirements of consent under the DPDP Act, why it matters for businesses, and how to implement a compliant consent architecture in your digital platforms.

1. What Is ‘Consent’ Under the DPDP Act?

   Under Section 7 of the DPDP Act, consent means:

   “Any freely given, specific, informed, and unambiguous indication of the Data Principal’s wishes by which the Data Principal, by a clear affirmative action, signifies agreement to the processing of her personal data for a specified purpose.”

   
   

2. Key Elements of Valid Consent

   To be legally valid under the DPDP Act, consent must meet the following conditions:

3. Notice and Consent: A Two-Step Process

   The DPDP Act requires that notice precedes consent. The notice must contain:

   • Nature of personal data collected

   • Purpose of processing

   • Manner of processing

   • Grievance redressal mechanism

   • Option to access and correct data

   • Contact details of the Data Fiduciary or its representative

   Notices must be in clear and plain language, and available in English and other languages as prescribed by the Government.

   
   

4. Consent for Minors and Persons with Disability

   For children under 18 years and persons with disability, consent must be given by their parents or lawful guardians. Businesses must build mechanisms to:

   • Verify age (age gating)

   • Authenticate parental or guardian consent

   • Revalidate such consent periodically

     
     

5. Right to Withdraw Consent

   Data Principals have the right to withdraw consent at any time, and the process must be:

   • As simple as giving consent

   • Without affecting previous lawful processing

   • Clearly explained in the privacy policy or consent interface

   On withdrawal, the data must be erased unless legally required to be retained.

   
   

6. What Is ‘Deemed Consent’?

   The DPDP Act also allows processing without explicit consent in limited circumstances called ‘deemed consent’, such as:

   • When personal data is voluntarily shared (e.g., posting a CV online)

   • For State functions (law enforcement, licensing, etc.)

   • For employment-related purposes

   • For emergencies, medical needs, or public interest

   However, this does not exempt businesses from transparency, fairness, or security obligations.

   
   

7. Designing a Consent Mechanism for Your Business

   To comply with the DPDP Act:

   • Display a clear and granular consent request—separate checkboxes for marketing, analytics, etc.

   • Include a summary and full version of your privacy notice

   • Allow users to view, modify, and withdraw consent easily

   • Maintain consent logs and records for legal defensibility

   • Use a consent management platform if operating at scale

     
     

8. Penalties for Invalid or Absent Consent

   The DPDP Act imposes steep penalties for non-compliance:

9. How Apar Law Assists Clients With Consent Compliance

   We help startups, platforms, and enterprises:

   • Draft clear, legally compliant consent notices and policies

   • Create consent management workflows tailored to your tech stack

   • Vet third-party processors for downstream compliance

   • Train teams on data privacy and consent protocols

   • Represent clients in case of breach or regulator investigation

Conclusion

In the age of digital surveillance, obtaining meaningful consent isn’t just good practice—it’s a legal imperative under India’s new data protection regime. Businesses must adopt user-centric, transparent, and dynamic consent systems to avoid penalties and build user trust.

Need help building a DPDP-compliant consent framework?

Apar Law offers full-stack legal support—from policy drafting to tech integrations—to ensure your business meets India’s evolving data privacy standards. Talk to us today.