
Consent Management Under DPDP — A Complete Guide

DPDP Comply Team, 5 April 2026

Consent is the cornerstone of India's Digital Personal Data Protection Act 2023. Unlike frameworks that offer multiple legal bases for processing (such as the GDPR's six grounds), the DPDP Act places consent front and center as the primary mechanism for lawful data processing. Getting consent right is not optional — it is the foundation upon which your entire compliance posture rests.

This guide covers everything you need to know about collecting, managing, and documenting consent under the DPDP Act.

What the DPDP Act Says About Consent

Section 6 — Consent Requirements

Section 6 establishes that consent must be:

  • Free — Not coerced, pressured, or obtained through deceptive patterns
  • Specific — Given for a particular, clearly defined purpose
  • Informed — The Data Principal understands what they are consenting to, based on the notice provided under Section 5
  • Unconditional — Consent cannot be made a condition of accessing a service unless the personal data is necessary for that service
  • Unambiguous — Demonstrated through a clear affirmative action

Consent must be preceded by a notice (under Section 5) that itemizes the personal data to be collected and the purpose of processing, in clear and plain language.

Section 7 — Certain Legitimate Uses

The Act provides limited exceptions where processing is permitted without consent:

  • Specified purposes related to employment
  • Medical emergencies threatening life or health
  • Safety and assistance during disasters
  • State functions including subsidies and licenses
  • Compliance with court orders or judgments
  • Purposes related to prevention and investigation of offenses

These are narrow carve-outs. For the vast majority of business data processing, consent is required.

Section 11 — Withdrawal of Consent

Data Principals have the right to withdraw consent at any time. The Act explicitly requires that withdrawal must be as easy as giving consent. Upon withdrawal, the Data Fiduciary must stop processing the data and delete it unless retention is required by another law.

This means if consent is given through a one-click banner action, withdrawal cannot require calling a helpline, sending a letter, or navigating a labyrinth of settings pages.

The Five Pillars of DPDP Consent Management

1. Granular, Purpose-Specific Consent

The DPDP Act does not permit blanket consent. You cannot present a single "I agree to everything" checkbox that covers analytics, marketing, third-party sharing, and essential services. Each purpose requires separate consent.

Best practice: Present consent options as individual toggles or checkboxes, one per purpose:

  • Essential cookies (necessary for site function — may not require consent)
  • Analytics and performance tracking
  • Marketing and advertising
  • Third-party data sharing

This is how the DPDP Comply consent banner works — it presents granular, per-purpose consent options in a user-friendly interface.

2. Pre-Collection Notice

Before requesting consent, you must provide a notice under Section 5 that includes:

  • An itemized description of the personal data to be collected
  • The specific purpose for each category of data
  • How the Data Principal can exercise their rights
  • How to file a complaint with the Data Protection Board

This notice is typically your privacy policy, but it must be presented in conjunction with the consent collection mechanism — not buried in a separate page.

3. Affirmative Action

Consent must be obtained through a clear affirmative action. This rules out:

  • Pre-ticked checkboxes — The Data Principal must actively check the box
  • Implied consent — Continuing to browse a website is not consent
  • Consent by inaction — "If you do not opt out, we assume consent" is not valid
  • Bundled consent — Forcing agreement to all purposes as a package

The Data Principal must actively and deliberately indicate their consent for each purpose.

4. Easy Withdrawal

Section 11 requires that withdrawal be as simple as granting consent. If a user consented via a banner click, they should be able to withdraw via a similar mechanism. Practical implementations include:

  • A persistent "Cookie Preferences" or "Privacy Settings" link in the website footer
  • A settings page within your application where consent preferences can be toggled
  • A clear "Withdraw Consent" option accessible from the same banner interface
  • An API endpoint for programmatic consent withdrawal (useful for mobile apps)

DPDP Comply provides a window.DPDPConsent.withdraw() JavaScript method that allows seamless programmatic withdrawal, in addition to UI-based withdrawal.

5. Immutable Audit Trails

You need proof that consent was obtained — who consented, when, to what purposes, and via what mechanism. This audit trail must be:

  • Immutable — Records cannot be modified or deleted after creation
  • Timestamped — Exact date and time of consent and any changes
  • Comprehensive — Captures the version of the notice shown, the specific purposes consented to, and the method of consent
  • Retrievable — Can be produced if the Data Protection Board requests evidence

Under the DPDP Act, the burden of proof for valid consent rests on the Data Fiduciary. Without a robust audit trail, you cannot demonstrate compliance even if you did everything else right.

Implementing Consent Management

For Websites

The most common consent touchpoint is your website. Implementation involves:

  1. Deploy a consent banner that appears on first visit, presenting purpose-specific consent options
  2. Block non-essential scripts (analytics, marketing pixels, third-party trackers) until consent is granted
  3. Store consent records server-side with immutable audit logs
  4. Provide a preferences center accessible at any time for withdrawal or modification
  5. Respect consent state across sessions using secure, consent-specific cookies
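As an added illustration of steps 1, 2, 4 and 5 above (example code written for this guide, not the DPDP Comply widget), the browser-side consent state a banner maintains: every non-essential purpose starts un-ticked, granting and withdrawing are symmetric single calls, deferred scripts are released only for purposes that have been consented to, and the state travels in a consent-only cookie carrying Secure and SameSite attributes. The purpose names, the dpdp_consent cookie name and the data-purpose attribute are assumptions for illustration.

```javascript
// Added example, not DPDP Comply's widget code. Purpose names, the cookie
// name and the data-purpose attribute are assumptions for illustration.
const PURPOSES = ["essential", "analytics", "marketing", "third_party"];

// Essential processing is necessary for the service and is not gated here;
// every other purpose starts as "not consented" (no pre-ticked defaults).
function initialState(noticeVersion) {
  const state = { noticeVersion, purposes: {} };
  for (const p of PURPOSES) state.purposes[p] = p === "essential";
  return state;
}

// Re-prompt when the notice the consent was given against has changed.
function needsRefresh(state, currentNoticeVersion) {
  return !state || state.noticeVersion !== currentNoticeVersion;
}

// Record an affirmative action for one or more named purposes. Unknown
// purposes are rejected so a typo cannot silently grant anything.
function grant(state, purposes, now = new Date()) {
  for (const p of purposes) {
    if (!PURPOSES.includes(p)) throw new Error(`unknown purpose: ${p}`);
    state.purposes[p] = true;
  }
  state.updatedAt = now.toISOString();
  return state;
}

// Withdrawal is one call, mirroring the one click that granted consent.
function withdraw(state, purposes, now = new Date()) {
  for (const p of purposes) {
    if (p === "essential") continue; // not consent-based, nothing to withdraw
    if (!PURPOSES.includes(p)) throw new Error(`unknown purpose: ${p}`);
    state.purposes[p] = false;
  }
  state.updatedAt = now.toISOString();
  return state;
}

// Decide which deferred scripts may now be activated. On the page they are
// rendered as <script type="text/plain" data-purpose="analytics" src=...>
// and switched to type="text/javascript" only when returned here.
function scriptsToActivate(state, deferredScripts) {
  return deferredScripts.filter((s) => state.purposes[s.purpose] === true);
}

// A consent-specific cookie carrying only the consent state, with Secure and
// SameSite so it is neither sent over plain HTTP nor attached cross-site.
function consentCookie(state, maxAgeSeconds = 180 * 24 * 3600) {
  const value = encodeURIComponent(JSON.stringify(state));
  return `dpdp_consent=${value}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Restore state on the next visit; anything unparsable means "ask again".
function parseConsentCookie(cookieHeader) {
  const m = /(?:^|;\s*)dpdp_consent=([^;]*)/.exec(cookieHeader || "");
  if (!m) return null;
  try {
    return JSON.parse(decodeURIComponent(m[1]));
  } catch {
    return null;
  }
}
```

The banner shows itself whenever parseConsentCookie returns null or needsRefresh is true, which also covers the "consent is ongoing" point: a new notice version forces a fresh prompt rather than reusing stale consent.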

For Mobile Apps

Mobile apps require:

  1. In-app consent screens during onboarding, with purpose-specific toggles
  2. A settings page where users can review and modify their consent preferences
  3. API-based consent records stored on your backend
  4. SDK integration to conditionally load analytics and advertising libraries

For APIs and Backend Systems

If you collect data through APIs (e.g., a sign-up endpoint), you need:

  1. Consent parameters in your API requests indicating which purposes the user consented to
  2. Server-side validation that consent was recorded before processing begins
  3. Audit events logged for every consent grant and withdrawal

Consent for Children's Data

Section 9 of the DPDP Act provides special protections for children (under 18). Before processing children's data:

  • Obtain verifiable parental or guardian consent
  • Do not engage in tracking, behavioral monitoring, or targeted advertising directed at children
  • The government may prescribe specific age verification mechanisms

These requirements apply to any service that is likely to be accessed by children, even if it is not specifically targeted at them.

Common Consent Management Mistakes

Treating consent as a one-time event

Consent is ongoing. If you add new processing purposes, you need fresh consent for those purposes. If your privacy notice changes materially, existing consent may need to be refreshed.

Not respecting withdrawal

Many organizations collect consent properly but fail on withdrawal — they continue sending marketing emails, do not delete data, or make the withdrawal process unnecessarily complex.

Missing audit trails

Collecting consent without recording it is almost as bad as not collecting it at all. If the Data Protection Board asks you to prove consent, "we showed a banner" is not sufficient.

Ignoring cross-device consent

If a user withdraws consent on their mobile device, that withdrawal must be reflected across all channels and devices where their data is processed.

How DPDP Comply Handles Consent

DPDP Comply provides an end-to-end consent management solution built specifically for the DPDP Act:

  • Customizable consent banner — Embeddable JavaScript widget with per-purpose consent toggles
  • Section 5 compliant notices — Notice content linked directly to the consent collection interface
  • One-click withdrawal — Accessible via banner, settings page, or programmatic API
  • Immutable audit trail — Every consent event recorded in an append-only ConsentAuditEvent log
  • 30-day SLA tracking — Automated monitoring of rights request deadlines under Section 13(3)
  • Multi-project support — Manage consent across multiple websites and apps from a single dashboard
