ISpectra Technologies
Consent & Rights · Beginner · Updated Jun 2026 · 9 min read

DPDP Consent Requirements: What Valid Consent Looks Like

Consent is the primary lawful basis under the DPDP Act, and the standard is high. This guide explains exactly what valid consent looks like and how to capture it properly.


Consent sits at the very centre of the DPDP Act. Unlike regimes that offer a long menu of lawful bases, the Act makes consent the default route to processing personal data, with only a narrow set of defined exceptions. That places enormous weight on getting consent right — which is why redesigning consent is usually the first concrete project in any programme of DPDP compliance.

But the Act does not accept just any tick of a box. It sets a demanding standard for what counts as valid consent, and the 2025 Rules add detail on how that consent must be requested and recorded. Consent that fails the standard is no consent at all, leaving the underlying processing unlawful.

This guide explains the five qualities valid consent must have, the notice that must precede it, how withdrawal works, and the practical steps to capture and evidence consent in a way that would satisfy the Data Protection Board.

Consent as the default lawful basis

Under the DPDP Act, personal data may generally be processed only on the basis of the data principal's consent, unless one of the defined legitimate uses applies. This makes consent the workhorse of the regime: for most ordinary commercial processing — marketing, profiling, optional features, data sharing — consent is what you will rely on.

Because so much rides on it, consent cannot be treated as a formality buried in a sign-up flow. It is a substantive legal requirement, and a weak consent practice undermines the lawfulness of everything downstream. Designing it well is foundational, not cosmetic.

This default-consent design also means you cannot quietly fall back on a vague 'legitimate interest' the way some other regimes allow. Either a defined legitimate use applies, or you need consent — which makes a clean, well-engineered consent flow the single most important asset in most organisations' compliance toolkit.

Free, specific, informed, unconditional, unambiguous

The Act defines valid consent as a free, specific, informed, unconditional and unambiguous indication of the data principal's wishes, given through a clear affirmative action. Each word carries weight. Free means no coercion or bundling; specific means tied to defined purposes; informed means preceded by a clear notice.

Unconditional means you cannot make access to a service hinge on consent to unrelated processing, and unambiguous, with a clear affirmative action, rules out pre-ticked boxes, silence or inactivity as consent. Genuine, deliberate agreement is the benchmark, and anything short of it is vulnerable to challenge.

In practice, the easiest way to fail this test is bundling: forcing a person to accept marketing or data-sharing in order to use a core service. Separating essential processing from optional processing, and letting people decline the optional parts without losing the service, is the clearest route to consent that is genuinely free.

Consent must be limited to what is necessary

Consent under the Act is confined to the personal data necessary for the specified purpose. You cannot use a single broad consent to justify collecting far more data than the purpose requires, or to keep the door open for future, unrelated uses you have not yet defined.

This data-minimisation principle pushes organisations toward granular, purpose-by-purpose consent rather than one sweeping permission. In practice that means designing consent flows that ask only for what each purpose genuinely needs, and that can be extended cleanly if new purposes arise later.

Granularity also future-proofs your consent. When each purpose has its own consent, adding a new purpose later is a clean, incremental ask rather than a reason to re-paper everything — and individuals are far more comfortable agreeing to specific, understandable uses than to a sweeping catch-all permission.

The notice that must come first

Consent is only valid if it is informed, and that requires a notice given to the data principal before or at the time consent is sought. The notice must, in clear and plain language, describe the personal data to be collected and the purpose, and explain how the person can withdraw consent, exercise their rights, and complain to the Data Protection Board.

The 2025 Rules expect this notice to be standalone and itemised, so the individual can actually understand what they are agreeing to. A request for consent must also be available in English or any language listed in the Eighth Schedule of the Constitution, reflecting India's multilingual reality.

Layering helps reconcile completeness with clarity: a short, itemised notice at the point of consent, with the option to expand into detail. The summary must still cover the essentials — data, purpose, withdrawal, rights and complaints — so the person consenting genuinely understands what they are agreeing to.

Withdrawal must be as easy as giving

A defining feature of DPDP consent is that withdrawing it must be as easy as giving it. If a person consented with a single click, they must be able to withdraw with comparable ease — not by hunting through menus or emailing a support desk that never replies.

When consent is withdrawn, the fiduciary must stop the relevant processing, and cause its processors to do the same, unless another lawful basis genuinely applies. This makes consent a living relationship the individual controls, and it requires withdrawal to propagate reliably through your systems rather than being acknowledged and ignored.

The hidden engineering challenge is propagation. A withdrawal that updates a front-end flag but never reaches the analytics pipeline, the CRM or the processor still leaves you processing without a basis. Treat withdrawal as an event that must cascade through every system that touches the data.

Recording and evidencing consent

Because the fiduciary must be able to demonstrate compliance, capturing clean records of consent is essential. For each consent you should be able to show what the person agreed to, when, on the basis of what notice, and through what affirmative action — with the ability to reflect later withdrawals.

Structured, timestamped, purpose-specific consent records are what allow you to answer the Board, honour withdrawals accurately, and integrate with the consent manager ecosystem the Act envisages. Treat consent records as audit evidence, not as transient form data to be discarded.

These records are also what let you respond confidently to a complaint or an audit. Being able to show, for a specific individual, exactly what they consented to and when transforms a potentially adversarial inquiry into a routine demonstration of compliance.


Consent for children and special cases

Where the data principal is a child — anyone under eighteen — consent must come from a parent or lawful guardian, obtained in a verifiable way. In addition, the Act prohibits tracking, behavioural monitoring and targeted advertising directed at children, so consent alone does not unlock those uses.

Services likely to be used by minors therefore need age assurance and a parental-consent pathway built in. Getting this wrong is among the more serious failures under the Act, attracting some of its highest penalties, so it warrants careful, deliberate design rather than an afterthought.

Because the children's-data rules carry some of the Act's steepest penalties, conservative design is wise: where you cannot reliably establish that a user is an adult, route them through the protective path. Over-protecting is cheap; under-protecting a minor's data is among the costliest mistakes you can make.

Building a compliant consent flow

In practice, a compliant flow combines a clear, itemised notice with granular, purpose-specific consent captured through deliberate action, a frictionless withdrawal mechanism, and clean records of the whole interaction. It avoids dark patterns, pre-ticked boxes and bundling, all of which the Act's standard rules out.

Done well, this is not merely defensive. A transparent, respectful consent experience builds trust with the people you serve and produces exactly the kind of clean, defensible records that make audits and regulator interactions straightforward rather than stressful.

Finally, test your consent flow with real users. If people cannot tell what they agreed to, or cannot find how to withdraw, the flow is not compliant in spirit even if it ticks the boxes. Usability and compliance, in consent design, are two sides of the same coin.

DPDP Consent Requirements — FAQ

What must consent satisfy to be valid under the DPDP Act?
It must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, preceded by a clear notice, and limited to the data necessary for the stated purpose.

Do pre-ticked boxes or inactivity count as consent?
No. Consent requires a clear affirmative action, so pre-ticked boxes, silence or inactivity do not count as valid consent.

Can a data principal withdraw consent?
Yes. Withdrawing consent must be as easy as giving it, and on withdrawal the fiduciary must stop the relevant processing unless another lawful basis applies.

How is children's data handled?
Processing a child's data requires verifiable consent from a parent or guardian, and tracking or targeted advertising directed at children is prohibited.

Do we need to keep records of consent?
Yes. You should retain structured, timestamped records showing what was agreed, when, and on the basis of what notice, so you can demonstrate compliance to the Board.