The Digital Personal Data Protection Act, 2023 reads like a deceptively simple document. It runs to a few dozen sections, avoids the dense definitional thicket of comparable regimes abroad, and rests almost entirely on a single, familiar idea: that personal data may be processed only with the informed consent of the person it belongs to. The difficulty, as is so often the case, lies not in the principle but in what it demands of those who must put it into practice.

For most businesses, the operative question is no longer whether they need consent, but whether the consent they already collect would survive scrutiny. The Act sets a higher bar than the perfunctory checkbox most organisations have relied upon, and the gap between the two is where exposure now lives.

What the Act asks of consent

Under the statute, consent must be free, specific, informed, unconditional and unambiguous, signalled by a clear affirmative action. Each adjective carries weight. "Specific" forecloses the omnibus permission that purports to authorise every conceivable use. "Informed" requires that the request be accompanied by a notice describing, in plain language, the data sought and the purpose for which it will be processed. "Unconditional" means that a service may not be withheld merely because a person declines processing that the service does not actually require.

Consent obtained for one purpose does not travel quietly to another. Each new use is, in principle, a new request.

The practical consequence is that consent must be purpose-bound and revocable. A person who agrees today must be able to withdraw tomorrow with the same ease, and the withdrawal must take effect without penalty. Systems built on the assumption that permission, once given, is permanent will need rethinking.

Where notices commonly fail

In reviewing consent flows, the same weaknesses recur. They are rarely dramatic; they are usually the small economies that accumulate into risk:

  • Purposes drafted so broadly that they describe an intention rather than a use.
  • Pre-ticked boxes, or designs that make refusal materially harder than acceptance.
  • Bundled consent — a single act that purports to authorise unrelated processing.
  • No accessible, equally simple route to withdraw.
  • Notices available only in English, where the Act contemplates the languages of the Eighth Schedule.

None of these is difficult to remedy in isolation. Together, they describe a consent architecture that was built for a different legal era and has not yet caught up.

A short, practical checklist

For an organisation taking its first measured steps, the work is less a compliance project than a question of discipline: map the data you hold and why; rewrite each notice to state one purpose plainly; separate the consents that genuinely differ; and build a withdrawal mechanism that is as light as the one that obtained consent in the first place. Do that, and most of the Act's demands resolve themselves.

This commentary is provided for general informational purposes only. It reflects the law as understood at the time of writing, does not constitute legal advice, and should not be relied upon in any specific matter. For advice on your circumstances, please consult a qualified advocate. Reading this note does not create a lawyer–client relationship with RDB Associates.