Consent management is the foundation of DPDP compliance in India. Under the Digital Personal Data Protection Act, consent is the primary legal basis for processing personal data, and must be specific, informed, unambiguous and withdrawable.

Many organisations treat consent as a checkbox. In practice, consent management under DPDP requires a full lifecycle approach—from capture and storage to withdrawal and auditability.
This article focuses on how to design, implement and operationalise consent management aligned to DPDP compliance requirements.
1. What is Consent under DPDP
Under DPDP, consent is a clear affirmative action by the individual (Data Principal) permitting processing of personal data for a defined purpose.
Core characteristics:
• Specific to purpose
• Informed (clear notice)
• Freely given
• Capable of withdrawal
Consent cannot be:
• Implied or assumed
• Bundled across unrelated purposes
• Forced as a condition where not necessary
Weak consent directly impacts DPDP compliance and enforceability.
2. Consent Lifecycle under DPDP (End-to-End View)
Consent management must be implemented as a controlled lifecycle, not a one-time event.
| Stage | Control Requirement | Evidence |
| Capture | UI-based consent (clear language) | Screens, logs |
| Record | Store consent with timestamp & purpose | Consent database |
| Use | Processing aligned to consent | System mapping |
| Withdraw | Easy withdrawal mechanism | Withdrawal logs |
| Audit | Traceability across lifecycle | Audit trails |
This lifecycle must integrate with:
• Data inventory
• Processing systems
• Data subject rights workflows
3. Designing Consent Capture (UI / UX Controls)
Consent design is a high-risk compliance area.
Good practices:
• Separate consent per purpose
• Plain language (no legal jargon)
• Layered notices (summary + detailed)
• Explicit action (checkbox, toggle, click)
Non-compliant patterns:
• Pre-ticked checkboxes
• Bundled consent (“accept all”)
• Hidden consent within T&Cs
• No clear withdrawal option
Consent must be as easy to withdraw as it is to give.
4. Consent Recording and Auditability
DPDP requires organisations to demonstrate consent, not just obtain it.
Minimum logging requirements:
• Who gave consent (identifier)
• When consent was given
• What purpose was agreed
• How consent was obtained (UI / channel)
• Version of notice shown
Audit expectation:
• Trace from data → consent → purpose
• Ability to prove validity during audit
This is critical for DPDP audit readiness and certification positioning.
5. Consent Withdrawal and Its Impact
Withdrawal is a mandatory DPDP requirement, not optional.
Controls required:
• Simple withdrawal interface (same channel as consent)
• Real-time or near real-time enforcement
• System-wide propagation of withdrawal
Operational impact:
• Processing must stop
• Data may need deletion (subject to retention rules)
This creates a direct dependency on data retention and deletion controls.
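The logging fields from section 4 and the withdrawal enforcement from section 5 can be sketched as an append-only consent ledger that every processing call checks first. This is an added example, not code from the original article; the class and function names, the identifiers and the purpose strings are assumptions, and an in-memory list stands in for the consent repository.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str    # who gave (or withdrew) consent
    purpose: str         # exactly one purpose per event, never bundled
    action: str          # "grant" or "withdraw"
    channel: str         # how consent was obtained (UI / channel)
    notice_version: str  # version of the notice shown
    at: datetime         # when the action happened

class ConsentLedger:
    """Append-only log: state is derived from events, never overwritten."""
    def __init__(self):
        self._events = []

    def record(self, principal_id, purpose, action, channel, notice_version, at=None):
        if action not in ("grant", "withdraw"):
            raise ValueError("action must be 'grant' or 'withdraw'")
        ev = ConsentEvent(principal_id, purpose, action, channel,
                          notice_version, at or datetime.now(timezone.utc))
        self._events.append(ev)
        return ev

    def trace(self, principal_id, purpose):
        """Audit view: all events for this principal and purpose, in recorded order."""
        return [e for e in self._events
                if e.principal_id == principal_id and e.purpose == purpose]

    def is_permitted(self, principal_id, purpose):
        """Default deny: allowed only if the latest event for this purpose is a grant."""
        history = self.trace(principal_id, purpose)
        return bool(history) and history[-1].action == "grant"

def process(ledger, principal_id, purpose, job):
    """Gate each processing call on the ledger so a withdrawal stops it at once."""
    if not ledger.is_permitted(principal_id, purpose):
        return None  # no valid consent for this purpose: do not process
    return job()

if __name__ == "__main__":
    ledger = ConsentLedger()  # constructed sample data below
    ledger.record("dp-1001", "marketing_email", "grant", "web_form", "notice-v2")
    print(process(ledger, "dp-1001", "marketing_email", lambda: "sent"))
    ledger.record("dp-1001", "marketing_email", "withdraw", "web_form", "notice-v2")
    print(process(ledger, "dp-1001", "marketing_email", lambda: "sent"))
    print(len(ledger.trace("dp-1001", "marketing_email")))
```

Because the grant is never overwritten by the withdrawal, the trace still shows which notice version and channel the original consent came from.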
6. Consent vs Legitimate Use under DPDP
Not all processing requires consent.
DPDP allows legitimate use in defined scenarios.
| Basis | When Used | Risk |
| Consent | Marketing, profiling, optional services | High if invalid |
| Legitimate Use | Legal compliance, employment, emergencies | Misclassification risk |
Key risk:
• Incorrect classification → regulatory exposure
Organisations must maintain a clear mapping of processing activities to legal basis.
7. Technology Enablement (Consent Management Platforms)
For scale, organisations require system-driven consent management.
Typical components:
• Consent capture layer (web/app/API)
• Consent repository
• Integration with business systems
• Consent validation engine
Advanced capabilities:
• Version control of notices
• Consent dashboards
• API-based enforcement
This is particularly relevant for BFSI, healthcare and digital platforms.
8. Common Consent Management Failures (Observed in Practice)
• Consent captured but not stored
• Consent stored but not linked to processing
• Withdrawal not implemented across systems
• Multiple inconsistent consent sources
• No audit trail
These gaps directly weaken DPDP compliance defensibility.
9. Linkage with Other DPDP Controls
Consent management does not operate in isolation.
Strong dependency on:
• Data inventory and mapping
• Data retention and deletion
• Data subject rights workflows
• Vendor processing controls
Example:
If consent is withdrawn but data is retained → compliance failure
10. Executive View — Why Consent Management Matters
Consent management is not just a regulatory requirement. It is:
• A legal basis for processing
• A key audit checkpoint
• A trigger for data subject rights
• A risk control for enforcement actions
Organisations that fail in consent management typically fail in overall DPDP compliance.
FAQs — Consent Management under DPDP
What is consent management under DPDP?
It is the process of obtaining, recording, managing and enabling withdrawal of consent for personal data processing.
Is consent mandatory for all processing under DPDP?
No. Some processing may be allowed under legitimate use, but consent remains the primary basis.
What happens if consent is withdrawn?
Processing must stop, and data may need to be deleted unless retention is legally required.
Can consent be bundled?
No. Consent must be specific and purpose-based.