
DPDP Consent Framework

Consent is the primary legal basis for processing personal data under the DPDP Act. The Act sets a high bar for valid consent and introduces the novel concept of Consent Managers. Understanding this framework is critical because, unlike GDPR where you have six lawful bases, DPDP essentially gives you two paths: valid consent OR certain legitimate uses (Section 7). Getting consent wrong is the most common compliance failure.

Consent Requirements

Free consent — not obtained through coercion, undue influence, or tying it to an unrelated service

Section 6(1)

Do not use dark patterns. Do not make service access conditional on consent for unrelated data processing. Offer granular consent options.

Specific consent — given for a specific, clearly stated purpose

Section 6(1)

Each purpose must have its own consent request. Do not bundle purposes into a single consent. Example: separate consent for 'order processing' and 'marketing emails'.

Informed consent — preceded by a clear notice in plain language

Section 5 and 6(1)

Provide a notice before or at the time of requesting consent. The notice must be in clear, plain language (not legalese). It must include: what data, why, how to exercise rights, how to complain.

Unconditional consent — not subject to conditions beyond what is reasonable

Section 6(1)

Do not attach unreasonable conditions to consent. Do not require consent for non-essential processing as a precondition for essential services.

Unambiguous consent — indicated by a clear affirmative action

Section 6(1)

Use opt-in mechanisms (checkboxes that default to unchecked, explicit 'I agree' buttons). Pre-ticked boxes do NOT constitute valid consent. Silence or inactivity is not consent.

Consent limited to necessary data — only for data that is needed for the specified purpose

Section 6(1)

Collect only the minimum personal data needed. If you need name and email for newsletter delivery, do not also collect date of birth and phone number.

Withdrawal must be as easy as giving consent

Section 6(6)

If consent was given by clicking a button, withdrawal must be equally simple — not buried in settings or requiring a phone call. Provide a one-click 'Withdraw Consent' option.

Notice must be available in English and all languages in the Eighth Schedule of the Constitution

Section 5(2)

Prepare your consent notice in English plus 22 scheduled languages (Hindi, Bengali, Tamil, Telugu, Marathi, etc.). This is a significant operational requirement.

Legitimate Uses (Without Consent)

Voluntary Provision for Specified Purpose

Section 7(a)

Where a Data Principal voluntarily provides personal data to the Data Fiduciary for a specified purpose and has not indicated to the Fiduciary that they do not consent to the use of their data.

  • A customer voluntarily provides their business card at a trade show booth
  • A person fills in a feedback form at a restaurant without being asked

State — Subsidies, Benefits, Services, Licences, Permits

Section 7(b)

The State or its instrumentalities can process personal data for providing subsidies, benefits, services, certificates, licences, or permits without explicit consent.

  • Aadhaar-based authentication for PDS ration distribution
  • Processing data for issuing driving licences
  • Government scholarship disbursement

Legal Obligation

Section 7(c)

Processing necessary for compliance with any law in force in India, or for compliance with any order or judgement of a Court or Tribunal.

  • Retaining employee PAN data for income tax compliance
  • Reporting suspicious transactions to FIU under PMLA
  • Maintaining customer records under GST law

Medical Emergency

Section 7(d)

Processing to respond to a medical emergency involving a threat to life or immediate threat to health of the Data Principal or another individual.

  • Hospital accessing a patient's medical history during an emergency admission
  • Sharing blood group information with an ambulance service

Safety and Security (Epidemic, Disaster, Public Order)

Section 7(e)

Processing for purposes related to safety and security during any disaster or breakdown of public order, for employment purposes, and for ensuring safety and security in public spaces.

  • Contact tracing during an epidemic
  • Processing data for disaster relief coordination
  • CCTV surveillance in public areas for safety

Employment Purposes

Section 7(f)

Processing necessary for employment-related purposes such as recruitment, payroll, benefits administration, and workplace safety.

  • Processing employee data for salary payment and benefits
  • Background verification during recruitment
  • Maintaining attendance records

Consent Manager Role

A Consent Manager is a new intermediary concept unique to the DPDP Act. It is a person registered with the Data Protection Board who acts as a single point of contact for Data Principals to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform. Think of it as a 'consent dashboard' that aggregates all your consents across different Data Fiduciaries.

  • Enable Data Principals to give, manage, review, and withdraw consent through a unified platform
  • Maintain accurate records of all consent transactions
  • Ensure interoperability with Data Fiduciaries' systems
  • Act in the interest of the Data Principal at all times
  • Comply with all provisions of the DPDP Act as if it were a Data Fiduciary in respect of the personal data it processes
  • Maintain transparency and accessibility of the consent management platform