What makes consent valid
- Free, specific, informed, unconditional and unambiguous
- Bound to a stated purpose — no bundling of unrelated purposes
- Accompanied or preceded by a clear notice describing the data, purpose and rights
- Withdrawable at any time, with equal ease
Privacy notices done right
The notice tells the Data Principal what personal data you collect, why, and how they can exercise their rights and raise grievances. Keep it plain, versioned, and available in the applicable Indian language(s).
- Describe data categories, purposes and retention plainly
- Explain how to withdraw consent and how to raise a grievance
- Version every notice so you can prove what a person agreed to
Withdrawal must actually do something
Recording a withdrawal is not enough — it must propagate to dependent processing. When consent is withdrawn or expires, downstream systems should stop, mask, restrict or delete the affected data accordingly.
Verifiable consent artifacts
Each consent, modification and withdrawal should produce a tamper-evident artifact with a timestamp and the notice version. For financial data flows, alignment with the DEPA / Account-Aggregator consent-artifact model is a strong fit.
Special cases
- Children and persons with disability: verifiable consent via a lawful guardian
- Multiple languages: serve notice and consent in the Data Principal's language
- Multiple channels: web, app, API, SMS, IVR and in-person should all produce consistent records
This guide is educational and general in nature — it is not legal advice. Confirm specific obligations against the DPDP Act, 2023, the DPDP Rules, 2025 and any sectoral regulations that apply to you.