Consent Management: Building Frameworks That Hold Up Under Scrutiny

Valid consent under DPDP must satisfy multiple requirements simultaneously. It must be free, meaning the data principal had a genuine choice and was not coerced. It must be specific, meaning it relates to a particular processing purpose rather than general processing. It must be informed, meaning the data principal understood what they were consenting to based on adequate notice. It must be unconditional, meaning it was not bundled with consent to other unrelated processing or made a precondition for unrelated services. It must be unambiguous, meaning it was given through clear affirmative action rather than inferred from inaction or pre-ticked boxes. And it must be documented in a form that proves all of these conditions were met. Consent that fails any of these requirements may not be valid even if the data principal believed they were giving consent at the time.

Most current Indian data collection practices rely on broad consent through privacy policies and terms of service that bundle multiple processing purposes into single agreements. DPDP requires consent that is significantly more specific, more granular, and more clearly evidenced. The privacy policy approach does not satisfy DPDP requirements because it fails the specificity test (one consent for many purposes) and often fails the informed test (data principals do not actually read privacy policies). DPDP-compliant consent typically requires separate consent for each meaningful processing purpose, presented in a way that makes the choice clear and obtains affirmative action from the data principal.

The DPDP Act envisions consent managers as registered intermediaries that allow data principals to manage their consent across multiple data fiduciaries through a single interface. The framework is similar to account aggregators in financial services. Consent managers will allow data principals to grant, modify, and withdraw consent at granular levels, with the consent decisions propagating to the relevant data fiduciaries automatically. The consent manager ecosystem is still developing, but organizations should design their consent management infrastructure with consent manager integration in mind. Retrofitting consent manager integration into systems that were designed without it is significantly more difficult than designing for it from the start.

Legacy consent is one of the most difficult DPDP compliance challenges. Personal data collected under previous consent regimes may not satisfy DPDP requirements, particularly if the consent was bundled, generic, or not adequately documented. Organizations have several options: re-consent the data principals through new DPDP-compliant consent flows (effective but operationally significant), narrow the use of legacy data to processing that does not require new consent, delete legacy data that cannot be supported under DPDP, or rely on legal grounds other than consent where applicable. The right approach depends on the value of the legacy data, the feasibility of re-consenting, and the alternative legal grounds available. There is no universal answer, but doing nothing is rarely the right answer.

The DPDP Act requires that notice include the personal data being collected, the purpose for which it will be processed, the manner in which data principal rights can be exercised, and the manner of complaint to the Data Protection Board. The rules and regulations under the Act will likely specify additional content requirements. Beyond the minimum requirements, effective notices include information about retention periods, third-party sharing, cross-border transfers where applicable, and the consequences of withholding consent. Notices should be written in language that data principals can actually understand, not just language that satisfies regulatory expectations of legal completeness.

No. The DPDP Act requires consent to be given through clear affirmative action. Implied consent based on continued use, pre-ticked boxes, or inferred from inaction does not satisfy the Act's requirements. This represents a significant shift from current Indian practice, where implied consent has been common. Organizations that rely on implied consent need to redesign their consent capture to require affirmative action, which typically means active opt-in flows rather than passive opt-out arrangements. The implementation effort is real, but the alternative is consent that may not be valid when challenged.

Multi-channel consent is one of the more complex operational challenges in consent management. Data principals interact with organizations across websites, mobile applications, in-person interactions, call centers, third-party platforms, and increasingly through consent manager intermediaries. Consent must be captured consistently across these channels, stored in a unified consent record, and respected in operational systems regardless of where the original consent was given. This requires consent management infrastructure that integrates across channels rather than creating silos. The architectural decisions made early in consent management implementation determine whether multi-channel consent works smoothly or becomes a perpetual source of operational issues.