Compliance 6 min read · 9 March 2026

DPDP Consent Requirements: What Valid Consent Actually Looks Like

Section 6 of the DPDP Act sets out strict requirements for valid consent. A pre-ticked checkbox or buried terms are not enough. Here's what the law actually requires.

Consent is the foundation of the DPDP Act 2023. For most commercial data processing, consent is the only valid legal basis — unlike GDPR, there's no broad "legitimate interests" exception. But not all consent is valid under the Act. Here's what the law requires and what common practices fail the test.

What Valid Consent Requires (Section 6)

Section 6 of the DPDP Act is explicit. Consent must be:

  • Free — not coerced, not a condition of service (where the service can reasonably be provided without that particular data)
  • Specific — for a particular purpose, not blanket permission for all uses
  • Informed — the person must understand what they're consenting to
  • Unconditional — no "accept our terms or get no service" where consent is the mechanism for the terms themselves
  • Unambiguous — an affirmative action, not implied by inaction or a pre-ticked box

What Does NOT Count as Valid Consent

Pre-Ticked Checkboxes

A checkbox that is already checked by default — "I agree to receive marketing messages" — is not valid consent. Consent must be an active, positive action by the customer. Unchecking a pre-ticked box is not an affirmative action.

Bundled Consent

A single checkbox that covers multiple purposes — "I consent to my data being used for order processing, marketing, analytics, and sharing with third parties" — is not valid consent. Consent must be specific. If you want to process data for three different purposes, you need consent for each purpose separately (or at minimum, clearly separate consent statements).

Consent Buried in Terms & Conditions

A clause in your Terms of Service that says "by using our service you consent to data collection" is not valid consent under the DPDP Act. The consent must be obtained separately, before or at the time of data collection, through a dedicated consent mechanism — not embedded in lengthy terms that no one reads.

Forced Consent

Forced consent means making consent a condition of a service where it doesn't need to be. If you're a delivery service and you require consent to share the customer's address with advertisers as a condition of delivering their order, that's forced consent and invalid. The consent to use the address for delivery is necessary; the consent to share with advertisers is not, and must be separate and optional.

Implied Consent

"They gave me their number so they obviously agree to be contacted" is not valid consent. Giving you a phone number for a specific purpose (confirming an order) does not constitute consent to add them to your marketing broadcast list.

The Consent Notice

Before obtaining consent, you must provide a consent notice. The notice must be in clear, plain language (not legal jargon) and must explain:

  • What personal data will be collected
  • The specific purpose for which it will be processed
  • Any third parties with whom it will be shared
  • How the Data Principal can withdraw consent
  • How they can access, correct, or request deletion of their data

The notice must be available in any of the 22 Eighth Schedule languages if the customer requests it. This is an important and often overlooked requirement — for an Indian SMB with customers across the country, having your consent notice only in English may not meet this standard.

Consent Must Be Withdrawable

Section 6(4): A Data Principal may withdraw consent at any time. And critically — withdrawing consent must be "as easy as the process by which consent was given." If you made it a one-click opt-in, you must offer a one-click opt-out. You cannot require someone to send an email and wait 30 days to withdraw the consent they gave with a single tap.

Records of Consent

You must keep a record of every consent obtained — who gave consent, for what purpose, when, and how. This record becomes essential if:

  • A customer claims they never consented to something
  • The Data Protection Board investigates your consent practices
  • You need to demonstrate compliance during an audit

The record should include: customer identifier, consent timestamp, the version of the consent notice shown, the specific purposes consented to, and the channel (in-person, online, WhatsApp, etc.).
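
One way to hold the record described above is an append-only consent ledger. The sketch below is an added example, not code from this article or from any DPDP tooling: the class, method and field names, the lowercase channel values and the `(checked, default_checked)` form representation are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

CHANNELS = {"in-person", "online", "whatsapp"}  # channels the article lists


@dataclass(frozen=True)
class ConsentEvent:
    customer_id: str
    purpose: str         # one purpose per event, never a bundle
    action: str          # "grant" or "withdraw"
    notice_version: str  # version of the consent notice shown
    channel: str
    timestamp: datetime


class ConsentLedger:
    """Append-only: state is derived from events, history is never edited."""

    def __init__(self):
        self._events = []

    def _add(self, customer_id, purpose, action, notice_version, channel):
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel: {channel}")
        event = ConsentEvent(customer_id, purpose, action, notice_version,
                             channel, datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def record_submission(self, customer_id, boxes, notice_version, channel):
        """boxes: purpose -> (checked, default_checked) as the form rendered it."""
        if any(default for _, default in boxes.values()):
            raise ValueError("pre-ticked box: form cannot produce valid consent")
        granted = [p for p, (checked, _) in boxes.items() if checked]
        for purpose in granted:
            self._add(customer_id, purpose, "grant", notice_version, channel)
        return granted

    def withdraw(self, customer_id, purpose, channel):
        """Single call, mirroring a one-click opt-out."""
        last = self.history(customer_id, purpose)[-1]  # IndexError if never granted
        return self._add(customer_id, purpose, "withdraw", last.notice_version, channel)

    def history(self, customer_id, purpose):
        return [e for e in self._events
                if (e.customer_id, e.purpose) == (customer_id, purpose)]

    def has_consent(self, customer_id, purpose):
        events = self.history(customer_id, purpose)
        return bool(events) and events[-1].action == "grant"
```

Because withdrawals are appended rather than overwriting the grant, `history()` returns the full trail for a disputed consent, while `has_consent()` reflects only the latest event for that purpose.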

Consent for Children

For anyone under 18, consent must come from a verified parent or legal guardian. Standard consent mechanisms that work for adults are not sufficient. See our Parental Consent Guide for the specific requirements.

Practical Checklist: Is Your Consent Valid?

  • ☐ Is the checkbox or confirmation step unchecked by default?
  • ☐ Is consent obtained before or at the time of data collection?
  • ☐ Does the consent notice clearly explain what data and for what purpose?
  • ☐ Is marketing consent separate from order-processing consent?
  • ☐ Is there an equally easy way to withdraw consent?
  • ☐ Is the consent record stored with timestamp and purpose?
  • ☐ Is the consent notice available in Indian languages on request?

If you answered "no" to any of these, your current consent collection method likely does not meet DPDP requirements.
