Consent Management Under DPDPA: What You Need to Know

What is Valid Consent Under DPDPA?

Section 6 of the DPDPA defines valid consent as consent that is:

1. Free

Consent must be given voluntarily, without coercion, fraud, or misrepresentation. Key principles:

• No bundling: Don't make consent a condition for providing services unless processing is necessary for that service
• No manipulation: Avoid dark patterns or deceptive design to obtain consent
• Clear options: Make it as easy to deny consent as it is to give it
• No pre-checked boxes: Default to "no consent" rather than requiring users to opt-out

2. Specific

Consent must be given for a specific purpose. Avoid:

• Blanket consent for all purposes
• Vague language like "for business purposes"
• Open-ended consent that could cover future unknown uses

Instead, clearly state each purpose and obtain separate consent for each:

• "Process payment for your order"
• "Send you order status updates"
• "Improve our product recommendations based on your browsing history"
• "Share your information with delivery partners"

3. Informed

Before seeking consent, you must provide a clear notice containing:

• What data: Specific categories of personal data to be collected
• Why: The purpose of processing
• How to exercise rights: Process for accessing, correcting, or erasing data
• Grievance mechanism: How to file complaints

The notice must be:

• Available in English and all 22 scheduled Indian languages
• Written in clear and plain language
• Easy to access and understand

4. Unconditional

Consent cannot be conditional on accepting terms unrelated to the purpose of processing. For example:

• Don't require consent for marketing as a condition to complete a purchase
• Don't bundle consent for different purposes into a single "accept all" option
• Provide granular choices for different processing purposes

5. Unambiguous

Consent must be clear and unequivocal, demonstrated by:

• Affirmative action: Clicking a button, checking a box, or providing a signature
• Clear language: No ambiguous phrasing that could confuse users
• Explicit agreement: No implied consent from silence or inactivity

Special Rules for Children's Data

DPDPA has stringent requirements for processing children's personal data (individuals below 18 years):

• Verifiable parental consent: Must obtain consent from the parent or legal guardian
• Age verification: Implement mechanisms to verify the child's age
• No tracking or behavioral monitoring: Prohibited for advertising or other targeted purposes
• No processing harmful to the child: Cannot process data in ways detrimental to the child's well-being

Consent Withdrawal

DPDPA grants Data Principals the right to withdraw consent at any time. As a Data Fiduciary, you must:

Make Withdrawal Easy

• As easy as giving: Withdrawal must be as simple as the process of giving consent
• Same channel: Allow withdrawal through the same channel used for giving consent
• No justification required: Don't ask users to explain why they're withdrawing consent
• Immediate effect: Stop processing personal data for that purpose once consent is withdrawn

Implementation Examples

Effective consent withdrawal mechanisms:

• Account settings: Provide a consent management dashboard where users can view and manage all consents
• Unsubscribe links: Include one-click unsubscribe in marketing emails
• Preference center: Allow granular control over different types of processing
• Customer support: Enable withdrawal requests through phone, email, or chat

Post-Withdrawal Actions

When consent is withdrawn:

1. Cease processing: Immediately stop processing data for the withdrawn purpose
2. Notify processors: Inform any Data Processors about the withdrawal
3. Delete data: Erase personal data unless retention is required by law or another legal ground exists
4. Confirm to user: Send acknowledgment of the withdrawal and actions taken
5. Update audit logs: Document the withdrawal in your consent records

Consent Managers

Section 9 of DPDPA introduces the concept of Consent Managers - entities registered with the Data Protection Board that enable Data Principals to:

• Give, manage, review, and withdraw consent through a single platform
• Maintain a centralized record of all consents given
• Exercise their rights under DPDPA more easily

How Consent Managers Work

1. Registration: Data Principal registers with a Consent Manager
2. Consent requests: Data Fiduciaries send consent requests through the Consent Manager
3. Centralized control: Data Principal reviews and responds to requests in one place
4. Consent transmission: Consent Manager communicates the decision to Data Fiduciaries
5. Ongoing management: Data Principal can view, modify, or withdraw consents at any time

Benefits of Consent Managers

For Data Principals:

• Single platform to manage all consents
• Better visibility and control over personal data
• Simplified consent management across multiple services

For Data Fiduciaries:

• Standardized consent collection process
• Reduced compliance complexity
• Interoperable consent infrastructure
• Automated consent lifecycle management

The Data Protection Board will notify the regulations for registration and operations of Consent Managers. Organizations should prepare to integrate with these systems once they become operational.

Consent Audit Logs

Maintaining comprehensive consent audit logs is critical for DPDPA compliance and demonstrating accountability. Your consent management system must record:

Essential Log Information

• Identity: Who gave consent (anonymized identifier)
• Timestamp: Exact date and time of consent
• Purpose: Specific purpose for which consent was given
• Consent text: Exact wording shown to the user
• Method: How consent was obtained (web form, mobile app, etc.)
• Version: Version of privacy notice shown
• IP address/device: Technical details for verification
• Withdrawal: If and when consent was withdrawn
• Modifications: Any changes to consent over time

Audit Log Best Practices

1. Immutable records: Use write-once systems to prevent tampering
2. Encryption: Protect logs with strong encryption
3. Retention: Keep logs for at least the duration of processing plus any legal retention period
4. Access control: Restrict access to authorized personnel only
5. Regular backups: Maintain redundant copies in secure locations
6. Audit readiness: Ensure logs can be retrieved and presented to regulators quickly

Sample Consent Log Entry

{
  "consent_id": "CNS-2025-0001-XXXX",
  "user_id": "USR-HASH-XXXXX",
  "timestamp": "2025-02-10T14:30:00+05:30",
  "purpose": "Send promotional emails about products",
  "consent_given": true,
  "consent_text": "I agree to receive marketing emails...",
  "notice_version": "v2.1",
  "method": "web_form",
  "ip_address": "203.XXX.XXX.XXX",
  "user_agent": "Mozilla/5.0...",
  "modified": [],
  "withdrawn": null
}

Implementing a Consent Management System

Technical Architecture

A robust consent management system should include:

1. Consent collection layer: UI components for obtaining consent (banners, modals, forms)
2. Storage layer: Database for storing consent records and audit logs
3. API layer: Services for checking consent status and managing lifecycle
4. Integration layer: Connections to marketing tools, analytics, CRMs, etc.
5. Reporting layer: Dashboards for compliance monitoring and audits

Key Features

• Granular consent: Support multiple purposes and processing activities
• Version control: Track changes to privacy notices and consent text
• Expiry management: Handle time-limited consents and renewal workflows
• Proof of consent: Generate verifiable proof for regulatory inquiries
• Consent renewal: Prompt for re-consent when purposes change
• Multi-language support: Present notices in user's preferred language
• Cross-device sync: Maintain consent status across devices and channels

Build vs Buy

Consider these factors:

Build in-house if:

• You have specific customization requirements
• You need tight integration with proprietary systems
• You have development resources and expertise

Use third-party solutions if:

• You want faster time to compliance
• You need pre-built integrations with common tools
• You prefer outsourcing maintenance and updates
• You want compliance experts managing the system

Common Consent Management Pitfalls

1. Cookie Walls

Blocking access to your website unless users consent to all cookies violates the "free" consent requirement. Provide alternatives like cookie-free versions or graceful degradation.

2. Buried Withdrawal Options

Making consent withdrawal difficult (e.g., requiring emails to customer support while allowing one-click consent) is non-compliant. Ensure withdrawal is equally accessible.

3. Vague Purpose Statements

Generic purposes like "to improve our services" are too broad. Be specific: "to analyze which features you use most to prioritize development."

4. Implied Consent

Statements like "by continuing to use our website, you consent..." don't meet the unambiguous consent requirement. Always require affirmative action.

5. Consent Fatigue

Bombarding users with consent requests reduces genuine informed consent. Consolidate requests, use progressive disclosure, and only ask when necessary.

Testing Your Consent Management

Regularly audit your consent processes:

• User journey testing: Walk through consent collection as a user
• Withdrawal testing: Verify withdrawal mechanisms work correctly
• Data flow verification: Confirm data processing stops after withdrawal
• Log completeness: Check audit logs contain all required information
• Integration testing: Ensure all systems respect consent status
• Compliance review: Periodically assess against DPDPA requirements

Conclusion

Effective consent management is foundational to DPDPA compliance. By implementing systems that make obtaining, managing, and withdrawing consent simple and transparent, you not only meet regulatory requirements but also build trust with your users.

Start by auditing your current consent practices, identifying gaps, and implementing a robust consent management system. Use our DPDPA compliance checklist to ensure you've covered all requirements.