Consent & Obligations
Consent and Notice Under the DPDP Act
Under the DPDP Act, personal data can be processed on only two grounds: consent, or certain legitimate uses. Consent must be free, specific, informed, unconditional, and unambiguous, given after a clear notice, and as easy to withdraw as it was to give. This chapter covers notice and consent requirements end to end.
On What Basis Can You Process Personal Data?
Section 4 of the DPDP Act 2023
The Act permits processing personal data on exactly two grounds: with the Data Principal's consent, or for certain legitimate uses defined in Section 7.
Section 4 lays down the foundational rule for all personal data processing in India. A Data Fiduciary may process personal data only if one of two conditions is met: the Data Principal has given consent, or the processing falls under a recognised legitimate use.
The Act also defines what counts as a "lawful purpose" — it is any purpose that is not expressly forbidden by law. In other words, if no statute prohibits the activity, it can qualify as a lawful purpose. However, having a lawful purpose alone is not enough; you still need either consent or a legitimate use ground to actually process the data.
This two-track structure shapes everything that follows. If you rely on consent, Sections 5 and 6 govern how you must obtain and manage it. If you rely on a legitimate use, Section 7 lists the specific situations where consent is not required.
Key Points
- Personal data can only be processed with consent or under a legitimate use — there is no third option.
- A "lawful purpose" means any purpose not expressly forbidden by law.
- Even with a lawful purpose, you must still satisfy either the consent requirements or qualify under a legitimate use.
What Notice Must You Give Before Collecting Data?
Section 5 of the DPDP Act 2023; Rule 3 of the DPDP Rules 2025
Before or at the time of requesting consent, you must give the Data Principal a clear notice explaining what data you collect, why, and how they can exercise their rights — in English or any of the 22 Eighth Schedule languages.
Every time a Data Fiduciary requests consent, it must accompany or precede that request with a notice. This notice must tell the Data Principal three things: first, what personal data will be collected and for what purpose; second, how the Data Principal can exercise their rights under Section 6(4) (withdrawal of consent) and Section 13 (rights such as correction, erasure, and grievance redressal); and third, how to file a complaint with the Data Protection Board.
For personal data that was already being processed before the Act came into force, the Data Fiduciary must give the same notice as soon as reasonably practicable. Processing may continue until the Data Principal actually withdraws consent — there is no automatic cut-off — but the notice obligation still applies.
The notice must be available in English or any language listed in the Eighth Schedule to the Constitution of India. The Eighth Schedule lists 22 languages, among them Hindi, Bengali, Tamil, Telugu, Marathi, Gujarati, Kannada, Malayalam, Odia, Punjabi, Assamese, and Urdu.
Rule 3 adds further detail on what makes a notice compliant. The notice must be understandable on its own — a person should not need to read other documents to make sense of it. It must use clear, plain language with an itemised description of the personal data being collected and the specified purposes for which it will be used. Finally, it must provide communication links that allow the Data Principal to withdraw consent, exercise their rights, and file complaints with the Board.
Key Points
- Notice must be given before or at the time of requesting consent.
- The notice must specify: (a) what personal data is collected and why, (b) how to withdraw consent and exercise rights, (c) how to complain to the Board.
- For data collected before the Act, the same notice must be given as soon as reasonably practicable.
- Notice must be available in English or any of the 22 Eighth Schedule languages.
- Rule 3 requires the notice to be self-contained, written in clear plain language, with itemised descriptions and working communication links.
How Does Consent Work Under the DPDP Act?
Section 6 of the DPDP Act 2023; Rule 4 of the DPDP Rules 2025
Consent must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. The Data Principal can withdraw it at any time, and withdrawal must be as easy as giving consent.
Section 6 is the most operationally detailed section of the Act. It sets out ten sub-sections that together define how consent must be obtained, managed, and withdrawn.
To be valid, consent must meet seven criteria: it must be free (not coerced), specific (tied to particular data and purposes), informed (the Data Principal understands what they are agreeing to), unconditional (not bundled with unrelated conditions), unambiguous (leaving no room for doubt about the Data Principal's intention), given through a clear affirmative action (such as ticking a box or clicking a button — silence or pre-ticked boxes do not count), and limited to the personal data that is necessary for the specified purpose. If a Data Fiduciary collects more data than necessary for the stated purpose, the consent for the excess data is not valid.
Any portion of a consent request that infringes the Act is invalid to that extent. This means if part of your consent form violates the Act, the rest may still hold, but the offending portion is struck down.
The consent request itself must be presented in clear, plain language. The Data Principal must be given the option to read the request in English or any Eighth Schedule language. The request must also include contact details of the Data Protection Officer or an authorised person who can answer questions.
Withdrawal of consent is a fundamental right. The Data Principal may withdraw consent at any time. Critically, the ease of withdrawing consent must be comparable to the ease of giving it. If consent is given with a single click, withdrawal should not require filling out a form, sending an email, and waiting for a response.
Once consent is withdrawn, the consequences fall on the Data Principal — for example, they may lose access to a service that requires that data. However, any processing that took place before withdrawal remains lawful. The Data Fiduciary must stop processing within a reasonable time after withdrawal, unless another legal basis (such as a legitimate use) authorises continued processing.
The burden of proof sits squarely with the Data Fiduciary. If a dispute arises, the Data Fiduciary must prove that notice was given and valid consent was obtained. This makes proper record-keeping essential.
Key Points
- Consent must be: free, specific, informed, unconditional, unambiguous, given through a clear affirmative action, and limited to data necessary for the specified purpose.
- Any part of consent that infringes the Act is invalid to that extent — the rest may survive.
- Consent requests must be in clear, plain language with an English or Eighth Schedule language option.
- Withdrawal of consent is available at any time, and must be as easy as giving consent.
- Withdrawal does not affect the legality of processing that occurred before withdrawal.
- On withdrawal, the Data Fiduciary must stop processing within a reasonable time.
- The Data Fiduciary bears the burden of proving that notice was given and consent obtained.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. It is a plain-English interpretation of the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. The official gazette text is the only authoritative source. Consult qualified legal counsel before making compliance decisions.