Notice and Consent Overview

The DPDP Act makes consent the primary ground for processing personal data. Valid consent requires that data principals are properly informed through a compliant notice before or at the time of collection.

The Consent-Notice Link

Consent cannot be valid without adequate notice. The notice informs; the consent confirms. Both must work together for lawful processing under DPDP.

Notice Requirements

The DPDP Act and Rules specify what notices must contain:

Mandatory Notice Elements

  • Identity: Name and contact details of the Data Fiduciary
  • Data Collected: Personal data that will be collected
  • Purpose: Purpose(s) for which data will be processed
  • Rights: How the data principal may exercise their rights
  • Complaint: How to make a complaint to the Data Protection Board

Additional Information (as applicable)

  • Categories of data shared with other fiduciaries
  • Categories of data shared with processors
  • Cross-border transfer information
  • Retention periods (recommended)

Timing

  • Before collection of personal data, OR
  • At the time of collection (where notice before collection is not practicable)
  • Upon material change to processing purposes

Language Requirements

  • Available in English
  • Available in any of the 22 scheduled languages as applicable to the principal
  • Clear, plain language (avoid legal jargon)

Designing Compliant Notices

Format Options

  • Comprehensive Notice: Full privacy policy covering all processing
  • Itemised Notice: Specific notice for each purpose/collection point
  • Layered Approach: Short summary with link to detailed notice

Design Best Practices

  • Use headings and structure for readability
  • Avoid dense paragraphs of legal text
  • Use bullet points for lists
  • Consider visual elements (icons, tables) where helpful
  • Ensure mobile-friendly presentation
  • Make text size readable (minimum 12pt equivalent)

Sample Notice Structure

  1. Who We Are: Identity and contact details
  2. What We Collect: Categories of personal data
  3. Why We Collect: Purposes (listed separately)
  4. Who We Share With: Categories of recipients
  5. Your Rights: How to exercise data principal rights
  6. How to Contact Us: Grievance officer details
  7. How to Complain: Data Protection Board information

The goal is informed consent, not just technical compliance. If a reasonable person cannot understand your notice, it likely fails the "informed" test even if all elements are present.

Valid Consent

The DPDP Act specifies five characteristics of valid consent:

Free

  • Not obtained through coercion, undue influence, or pressure
  • Service access should not be conditional on unnecessary consent
  • Pre-ticked boxes are not valid consent

Specific

  • Given for specific, identified purposes
  • Blanket consent for "all purposes" is not valid
  • Each purpose should be separately identified

Informed

  • Principal has received adequate notice
  • Principal understands what they are consenting to
  • Notice must be provided before/at consent request

Unconditional

  • Not bundled inappropriately with service access
  • Consent for marketing should be separate from service consent
  • Principal should not be penalised for refusing optional consent

Unambiguous

  • Clear affirmative action required
  • Silence, pre-ticked boxes, or inactivity do not constitute consent
  • Consent mechanism should leave no doubt about intent

Consent Collection Methods

  • Checkbox: Unticked by default, requiring active selection
  • Button: "I Agree" or "Accept" following notice display
  • Signature: Physical or electronic for paper/offline collection
  • Verbal: With recording and confirmation (less common for digital)

What to Record

For each consent, capture and retain:

  • Who: Identifier for the data principal
  • What: Purposes consented to
  • When: Date and time of consent
  • How: Method of consent (checkbox, button, etc.)
  • Notice Version: Version of notice in effect at consent

Granular Consent

Consider offering granular consent for different purposes:

  • Essential service provision (required)
  • Product improvement (optional)
  • Marketing communications (optional)
  • Analytics and profiling (optional)
  • Third-party sharing (optional)

Consent Best Practice

Even where the law might permit bundled consent, offering granular options builds trust and reduces risk. Data principals appreciate control over their data.

Consent Withdrawal

Data principals have the right to withdraw consent at any time:

Withdrawal Mechanism Requirements

  • Easy to access (as easy as giving consent)
  • Clearly communicated in privacy notice
  • No barriers or discouragement
  • Effective without undue delay

Upon Withdrawal

  • Stop processing for consented purposes
  • Erase data unless other lawful ground applies
  • Inform principal of consequences (e.g., service limitations)
  • Do not penalise principal for withdrawal

Implementation

  • Provide self-service withdrawal option where possible
  • Accept withdrawal through grievance channel
  • Record withdrawal date and scope
  • Implement technical controls to stop processing
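A minimal consent ledger, added here as an illustration and not part of the guide, that ties the consent characteristics, the record fields (who, what, when, how, notice version), granular purposes and withdrawal together: withdrawal records date and scope, and `may_process` is the technical control that stops processing once consent is withdrawn. Purpose labels and principal identifiers are constructed, and treating a consent given under a superseded notice version as needing refresh before processing continues is this example's assumption, not a rule stated above.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Purposes from the granular-consent list above (constructed labels); "essential" is the required one.
PURPOSES = {"essential", "product_improvement", "marketing", "analytics", "third_party_sharing"}


@dataclass
class ConsentRecord:
    principal_id: str            # Who
    purpose: str                 # What
    given_at: datetime           # When
    method: str                  # How: checkbox, button, signature or verbal
    notice_version: str          # Version of the notice in effect at consent
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self, current_notice_version):
        self.current_notice_version = current_notice_version
        self.records = []

    def record_consent(self, principal_id, purposes, method, notice_version,
                       affirmative=True, when=None):
        # Unambiguous: a pre-ticked box or inactivity is not consent.
        if not affirmative:
            raise ValueError("consent requires a clear affirmative action")
        # Specific: each purpose is identified separately; blanket consent is rejected.
        if not purposes or set(purposes) - PURPOSES:
            raise ValueError(f"purposes must be specific and known: {purposes}")
        when = when or datetime.now(timezone.utc)
        for purpose in purposes:
            self.records.append(ConsentRecord(principal_id, purpose, when, method, notice_version))

    def withdraw(self, principal_id, purposes=None, when=None):
        # Records withdrawal date and scope; purposes=None withdraws every active consent.
        when = when or datetime.now(timezone.utc)
        for r in self.records:
            if (r.principal_id == principal_id and r.withdrawn_at is None
                    and (purposes is None or r.purpose in purposes)):
                r.withdrawn_at = when

    def may_process(self, principal_id, purpose):
        # Technical control: needs an active consent given under the current notice version (assumption).
        return any(r.principal_id == principal_id and r.purpose == purpose and r.withdrawn_at is None
                   and r.notice_version == self.current_notice_version for r in self.records)

    def needs_refresh(self, principal_id):
        # Active consents that predate the current notice version and must be sought again.
        return sorted({r.purpose for r in self.records if r.principal_id == principal_id
                       and r.withdrawn_at is None and r.notice_version != self.current_notice_version})
```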

Consent Managers

The DPDP Act introduces Consent Managers as registered intermediaries:

What Consent Managers Do

  • Act as single point for principals to manage consents
  • Enable viewing of all consents given
  • Enable withdrawal of consent
  • Maintain audit trail of consent transactions

Fiduciary Obligations

  • May offer Consent Manager as option to principals
  • Must honour consent/withdrawal through Consent Manager
  • Must integrate with registered Consent Managers

Integration Considerations

  • Technical integration via prescribed APIs
  • Real-time consent status updates
  • Interoperability with multiple Consent Managers

Children's Data

Special requirements apply to processing children's personal data:

Age Threshold

  • A child is defined as an individual below 18 years
  • Verifiable parental consent required

Parental Consent

  • Must be verifiable (not just claimed)
  • Parent/guardian must consent on behalf of child
  • Age verification mechanism required

Prohibited Processing

  • No tracking or behavioural monitoring of children
  • No targeted advertising directed at children
  • No processing that may cause harm to child

Exemptions

The Central Government may exempt certain Data Fiduciaries from:

  • Parental consent requirement (for certain purposes)
  • Age verification requirement

Such exemptions take effect only once notified by the Central Government.

Common Mistakes to Avoid

Notice Mistakes

  • Notice too long and unreadable
  • Notice uses legal jargon instead of plain language
  • Notice missing required elements
  • Notice not available in applicable languages
  • Notice not updated when processing changes

Consent Mistakes

  • Pre-ticked consent boxes
  • Consent buried in terms and conditions
  • No record of consent given
  • Blanket consent for all purposes
  • Withdrawal harder than giving consent

Process Mistakes

  • Not linking consent records to notice versions
  • Not honouring withdrawal promptly
  • Continuing marketing after consent withdrawal
  • Not refreshing consent when purposes change