DPDP Compliance Hub

Consent & Privacy Notices under the DPDP Act

Consent is the backbone of the DPDP Act for most processing. Valid consent must be free, specific, informed, unconditional and unambiguous — and it must be as easy to withdraw as it was to give. This guide covers what good consent and notice look like in practice.

7 min read

What makes consent valid

  • Free, specific, informed, unconditional and unambiguous
  • Bound to a stated purpose — no bundling of unrelated purposes
  • Accompanied or preceded by a clear notice describing the data, purpose and rights
  • Withdrawable at any time, with equal ease

Privacy notices done right

The notice tells the Data Principal what personal data you collect, why, and how they can exercise their rights and raise grievances. Keep it plain, versioned, and available in the applicable Indian language(s).

  • Describe data categories, purposes and retention plainly
  • Explain how to withdraw consent and how to raise a grievance
  • Version every notice so you can prove what a person agreed to

Withdrawal must actually do something

Recording a withdrawal is not enough — it must propagate to dependent processing. When consent is withdrawn or expires, downstream systems should stop, mask, restrict or delete the affected data accordingly.

Verifiable consent artifacts

Each consent, modification and withdrawal should produce a tamper-evident artifact with a timestamp and the notice version. For financial data flows, alignment with the DEPA / Account-Aggregator consent-artifact model is a strong fit.

Special cases

  • Children and persons with disability: verifiable consent via a lawful guardian
  • Multiple languages: serve notice and consent in the Data Principal's language
  • Multiple channels: web, app, API, SMS, IVR and in-person should all produce consistent records

This guide is educational and general in nature — it is not legal advice. Confirm specific obligations against the DPDP Act, 2023, the DPDP Rules, 2025 and any sectoral regulations that apply to you.

See how dpflo implements this

Discovery, consent, rights, retention and breach — one sovereign platform, deployable where your data lives.