The Consent Foundation
The Digital Personal Data Protection Act, 2023 places consent at the heart of lawful data processing. Unlike regimes that recognise multiple legal bases for processing, the DPDPA treats consent as the primary gateway for most personal data collection. Understanding what constitutes valid consent is therefore not optional knowledge but essential compliance infrastructure.
The Act specifies that consent must be free, specific, informed, unconditional, unambiguous, and given through clear affirmative action. Additionally, consent must be limited to the data necessary for the specified purpose. These seven elements together define valid consent under Indian law.
Dissecting the Seven Elements
Free Consent
Consent is not free if the Data Principal has no genuine choice or feels compelled to consent. Conditioning a service on consent to unnecessary data processing undermines freedom. A social media platform requiring consent to sell data to advertisers as a condition of account creation would fail this test.
Power imbalances matter. An employer seeking consent from an employee for extensive data processing faces scrutiny. The employment relationship creates inherent pressure that may compromise freedom. Consider whether the Data Principal can realistically refuse without adverse consequences.
Specific Consent
Blanket consents covering unlimited purposes are invalid. Each distinct processing purpose requires its own consent. Collecting data for service delivery is one purpose. Using the same data for marketing is another. Sharing with third parties is yet another. Each requires separate, explicit consent.
Granularity is key. Present consent options that allow Data Principals to accept some purposes while declining others. A customer may consent to receiving order updates but decline promotional communications. Your systems must accommodate such selective consent.
Informed Consent
Data Principals must understand what they are consenting to. This requires providing clear, accessible information before consent is sought. Burying consent requests in lengthy terms of service fails this standard. Legal jargon that obscures rather than illuminates fails this standard.
The notice requirements under Section 5 are integral to informed consent. Before collecting data, inform the Data Principal of the data being collected, the purpose of processing, how to exercise their rights, and how to file complaints. Use plain language. Be specific rather than vague.
Unconditional Consent
Consent tied to conditions unrelated to the processing purpose is invalid. Requiring consent to data sharing as a condition for a discount, where the sharing has no connection to the discount mechanism, creates an impermissible condition.
This element prevents coercive consent practices. If the Data Principal must accept something beyond the essential processing to obtain something they want, the consent may be conditional and therefore invalid.
Unambiguous Consent
There must be no doubt that consent was given. Silence, pre-ticked boxes, or inactivity do not constitute consent. The Data Principal must actively indicate agreement. Opt-out mechanisms, where consent is assumed unless specifically declined, fail this standard.
Design your consent interfaces to require positive action. A clearly labelled consent button that must be clicked. A signature on a consent form. An affirmative response to a consent request. The action must leave no ambiguity about the Data Principal's intention.
Clear Affirmative Action
Closely related to unambiguity, this element requires a deliberate act signifying agreement. Scrolling through a page is not affirmative action. Closing a banner is not affirmative action. Continuing to use a service after seeing a consent notice may not constitute affirmative action.
Require an unmistakable gesture. Document when and how that gesture was made. Maintain records demonstrating the affirmative action occurred.
Data Minimisation
Consent covers only data necessary for the specified purpose. You cannot obtain consent for collecting extensive personal data when only minimal data is needed. If a service requires only a name and email, consent to collect date of birth, address, and phone number for that same purpose may be invalid for the unnecessary elements.
Review your data collection practices against actual processing needs. Eliminate collection of data that serves no defined purpose. What you do not collect, you do not need consent for, and you cannot breach.
Technical Implementation
Consent management requires robust technical infrastructure. At minimum, implement a consent management platform that records what consent was given, when, for what purpose, and how it can be withdrawn. This record is your evidence if consent validity is challenged.
Integrate consent records with your processing systems. Data should only be processed for purposes for which valid consent exists. If consent is withdrawn, processing must cease. This requires real-time synchronisation between consent records and operational systems.
Withdrawal Mechanisms
The DPDPA mandates that withdrawal of consent must be as easy as giving consent. If consent was given through a single click, withdrawal must not require filling lengthy forms, making phone calls, or visiting physical offices.
Provide clear withdrawal pathways. A prominently displayed option in user account settings. A link in every communication. A straightforward online form. Upon withdrawal, cease processing immediately unless another legal basis applies.
Documenting Consent
Maintain comprehensive consent records. For each Data Principal, document when consent was obtained, what notice was provided, what purposes were consented to, and any subsequent withdrawals. These records must be retrievable for regulatory audits or individual requests.
Consider using consent receipts that provide Data Principals with confirmation of their consent choices. This transparency builds trust and provides you with evidence of the consent transaction.
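The record-keeping and purpose-gating described under Technical Implementation, Withdrawal Mechanisms and Documenting Consent can be sketched as an append-only ledger. This is an added example, not code from any consent management product; the purpose names, field names, method labels and class names are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical purpose registry: each purpose lists only the fields it needs
# (data minimisation). Purposes and field names are constructed for this example.
PURPOSE_FIELDS = {
    "order_updates": {"name", "email"},
    "marketing": {"email"},
}

@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    action: str          # "grant" or "withdraw"
    method: str          # how the gesture was made, e.g. "button_click"
    notice_version: str  # which notice text the Data Principal was shown
    at: datetime

class ConsentLedger:
    """Append-only log; current consent state is derived from the latest event."""
    # Gestures that do not amount to clear affirmative action.
    NON_AFFIRMATIVE = {"pre_ticked", "scroll", "banner_closed", "silence"}

    def __init__(self):
        self.events = []

    def record(self, principal_id, purpose, action, method, notice_version):
        if purpose not in PURPOSE_FIELDS:
            raise ValueError(f"unknown purpose: {purpose}")  # no blanket consent
        if action not in ("grant", "withdraw"):
            raise ValueError(f"unknown action: {action}")
        if action == "grant" and method in self.NON_AFFIRMATIVE:
            raise ValueError(f"{method} is not affirmative action")
        event = ConsentEvent(principal_id, purpose, action, method,
                             notice_version, datetime.now(timezone.utc))
        self.events.append(event)  # earlier events are kept as audit evidence
        return event

    def has_consent(self, principal_id, purpose):
        latest = None
        for event in self.events:  # append order is chronological
            if event.principal_id == principal_id and event.purpose == purpose:
                latest = event
        return latest is not None and latest.action == "grant"

    def may_process(self, principal_id, purpose, fields):
        """Gate for operational systems: consent exists and fields are in scope."""
        allowed = PURPOSE_FIELDS.get(purpose, set())
        return self.has_consent(principal_id, purpose) and set(fields) <= allowed
```

Withdrawal goes through the same single `record` call as a grant, so it costs the Data Principal no more effort than consenting did, and the grant event stays in the log for audits.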
Regular Review
Consent is not perpetual. Review whether consents remain valid over time. If your processing purposes change, existing consent may not cover new purposes. If your data sharing arrangements expand, fresh consent may be needed.
Implement periodic consent renewal for long-term processing relationships. Annual affirmation that the Data Principal wishes to continue the processing relationship maintains consent freshness and demonstrates ongoing commitment to consent validity.