DPDPA Consent Management: How to Collect, Store and Withdraw User Consent Legally

Apr 17, 2026


Introduction 

The Digital Personal Data Protection (DPDP) Act, 2023, represents a tectonic shift in how personal information is handled within the Indian jurisdiction. Moving decisively away from the era of "implied consent", where merely browsing a website or clicking "continue" was often deemed agreement to complex, hidden terms, the new law mandates an active, informed, and transparent permission model. Under Section 4 of the Act, the processing of digital personal data is only lawful if it is for a "specified purpose" for which the data principal has provided explicit consent. 

Consent is no longer just a legal formality relegated to a footer link; it is a primary governance model that requires deep integration into the technical stack of a company. The DPDP Rules, 2025, have further clarified these obligations, introducing strict standards for Notice delivery and timelines for responding to user requests. For organisations operating in India, this means re-engineering user interfaces to support multiple languages, implementing privacy by design in backend architectures, and preparing for the arrival of Consent Managers, which are regulated entities that will soon allow users to manage all their digital permissions from a single, unified dashboard. 

With the Data Protection Board of India (DPBI) empowered to levy penalties of up to ₹250 crore for security failures and ₹50 crore for general consent violations, the cost of non-compliance is existential. This post explores how to operationalise the consent lifecycle legally, ensuring that every data point processed is backed by a valid, verifiable, and revocable permission. 

1. The Six Pillars of Valid Consent: The FISU UW Standard 

Under Section 6(1) of the Act, consent is only valid if it satisfies six cumulative requirements. Pursuant to Section 6(2), any part of the consent that infringes upon the provisions of the Act or the Rules shall be invalid to the extent of such infringement. This framework is specifically designed to eliminate Dark Patterns, which are manipulative user interface designs that trick individuals into sharing more data than they intended. The DPDP Rules, 2025, provide the necessary procedural "connective tissue" to operationalise the six pillars of valid consent. While the Act sets the overarching legal standard, the Rules mandate specific interconnected requirements for Data Fiduciaries to ensure compliance is technical and not just theoretical.

  • Multilingual Notice Delivery: The Rules expand on the "Informed" pillar by requiring that the notice preceding consent be available in English or any of the 22 languages specified in the Eighth Schedule to the Constitution of India. This ensures that information provided under Section 5 of the Act is accessible to all Data Principals regardless of linguistic background. 


  • Consent Manager Framework: To manage these requirements at scale, Rule 6 of the DPDP Rules, 2025, introduces the role of Consent Managers, who act as regulated intermediaries. These entities help individuals give, manage, and withdraw consent through a single, interconnected platform, fulfilling the "Withdrawable" and "Specific" mandates of Section 6 of the Act. 


  • Verifiable Parental Consent: For the "Free" and "Informed" pillars regarding minors, the Rules specify the technical standards required to obtain verifiable parental consent before processing a child's data. This satisfies the heightened obligations under Section 9, ensuring that children are not subjected to harmful tracking or targeted advertising. 


  • Accountable Documentation: The Rules require Significant Data Fiduciaries (SDFs) to maintain detailed, interconnected logs of consent, often referred to as a Consent Ledger. This documentation is essential to satisfy the "burden of proof" required by Section 6(10) of the Act.  

Operationalising Compliance with GoTrust 

By treating the Act and the Rules as an interconnected compliance ecosystem, organisations can move from theoretical legal adherence to proactive enforcement. GoTrust's role is critical in bridging this gap: 

| Requirement | Legal Definition and Mandate | Non-Compliance Risk |
| --- | --- | --- |
| Free | Consent must be voluntary, without any coercion, deception, or "coercive bundling" of services. | Making the use of a basic calculator app conditional upon the acceptance of marketing cookies. |
| Informed | Must be preceded or accompanied by a Section 5 Notice in plain, understandable language. | Collecting data before the user has had a chance to read the privacy notice. |
| Specific | Consent is valid only for the purpose mentioned in the notice; fresh consent is needed for new purposes. | Using data collected for "courier delivery" to perform "credit scoring" without notice. |
| Unconditional | Cannot be made a condition for a contract or service that does not require that specific data. | Making a "newsletter signup" mandatory to purchase a physical product. |
| Unambiguous | Requires a "clear affirmative action" (opt-in); silence or inactivity is not consent. | Using pre-ticked checkboxes or "By continuing, you agree" banners. |
| Withdrawable | Users must have the right to revoke permission at any time without negative consequences. | Requiring a physical letter or a phone call to opt out of an online service. |

2. Multilingual Notices and Transparency Requirements 

In accordance with Rule 3 of the Digital Personal Data Protection Rules, 2025, read with Section 5 of the DPDP Act, 2023, the Data Fiduciary shall provide a notice containing an itemised description of the personal data being processed, the specified purposes, and the mechanisms for withdrawing consent, exercising rights, and filing complaints. The notice shall be presented independently and be understandable without reference to other information. Crucially, the notice must be available in English or any of the twenty-two languages specified in the Eighth Schedule to the Constitution of India. This ensures that a user in Tamil Nadu can read the notice in Tamil, while a user in West Bengal can access it in Bengali. This focus on language ensures that no one is left behind as we move online. To follow these guidelines, the notice must state: 

  • The specific categories of personal data being collected, such as name, phone number or real time location. 


  • The reason for collection including the specific purpose of processing for each category. 


  • The way the user can exercise their rights to access, correction and erasure of their data. 


  • The process to withdraw consent and the direct contact details of the Data Protection Officer (DPO). 

By providing this information upfront, Data Fiduciaries ensure that the user understands the "data for service" exchange, reducing the likelihood of future disputes or grievances. 

3. Heightened Protections for Children and Persons with Disabilities 

Section 9 of the DPDP Act introduces heightened protections for "vulnerable" data principals. For any user under the age of 18 or a person with a disability who has a lawful guardian, the data fiduciary must obtain verifiable parental or guardian consent. This is a significant departure from previous norms where age-gating was often a simple, unverified checkbox. 

The law strictly prohibits the following: 

  • Any processing of personal data that is likely to cause a "detrimental effect" on the well-being of a child. 


  • The tracking or behavioural monitoring of children for any purpose, including targeted advertising. 


  • Any advertising directed specifically at children that could be harmful. 

To comply with these stringent rules, businesses must implement robust age-verification mechanisms. This may include DigiLocker-based tokens, Aadhaar-backed guardian verification, or other government-approved methods to ensure the person providing consent is legally authorised to do so. Failure to protect children’s data is viewed as a high-gravity offence under the Act. 

4. Storing Consent: The Burden of Proof and Consent Artefacts 

A critical requirement is found in Section 6(10): if a dispute arises, the Data Fiduciary must prove that valid consent was obtained. This transforms consent from a mere UI element into a technical requirement for "consent artefacts", which are cryptographically signed, immutable records of the transaction. 

An organisation must maintain a comprehensive "consent ledger". These logs should include: 

  • The Timestamp: The exact date and time consent was granted. 


  • Version Control: The specific version of the Privacy Notice that was displayed to the user at that time. 


  • The Purpose Log: A record of which specific purposes, such as analytics, marketing, or core service, the user agreed to. 


  • Identity Token: A unique, anonymised identifier linking the consent to a specific user account. 

If a user later claims they never agreed to marketing calls, the organisation must be able to produce the specific record from the ledger. Without such evidence, the Data Protection Board will likely side with the individual, leading to significant fines. 

5. Withdrawal: The Principle of Comparative Ease 

Section 6(4) of the Act establishes a revolutionary rule: the ease of withdrawing consent must be comparable to the ease of giving it. This "comparative ease" mandate is designed to end the practice of "consent traps", where users find it nearly impossible to revoke permissions once they have been granted. 

| Withdrawal Phase | Operational Requirement | Technical Implementation |
| --- | --- | --- |
| Access | The withdrawal mechanism must be as prominent as the opt-in. | If consent were a "One Click" popup, withdrawal must be a "One Click" dashboard setting. |
| Timeliness | Processing must cease on withdrawal, and withdrawal must be as easy as giving consent, as per Section 6(4) of the DPDP Act, 2023. | Backend triggers must instantly stop data flow to marketing automation pipelines. |
| Downstream Impact | All third-party Data Processors must be notified immediately. | Use automated APIs to signal revocation to cloud vendors and sub-processors. |
| Data Erasure | Personal data must be erased unless there is a legal requirement to retain it. | Automate the right to be forgotten workflow to delete or anonymise records. |
| Consequences | Fiduciaries can stop providing services that rely on the withdrawn data. | Inform the user clearly: "Revoking location access will disable the live tracking feature." |
| Proof of Revocation | Maintain a log of the withdrawal event for audit purposes. | Record the date, time, and method of withdrawal in the Consent Ledger. |

The technical workflow for withdrawal must be automated. For instance, if a user revokes consent for marketing emails on their profile page, the system should instantly update the CRM (Customer Relationship Management) tool and notify any third-party email service providers to cease communication. 
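As an added illustration of the consent ledger described in Section 4 and the proof-of-revocation logging in the table above (example code written for this page, not the article's or GoTrust's own implementation), the Python below keeps grant and withdrawal records as hash-chained, HMAC-signed artefacts. The ledger key, the record field names and the "grant"/"withdraw" event names are assumptions; a real deployment would hold the key in a KMS or HSM and persist the chain in append-only storage.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: the signing key lives in a KMS/HSM in production; this literal is a constructed demo value.
LEDGER_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64

def _digest(entry: dict) -> str:
    # Canonical SHA-256 over every field except the hash and signature themselves.
    body = {k: v for k, v in entry.items() if k not in ("hash", "sig")}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

class ConsentLedger:
    # Append-only: each record is hash-chained to its predecessor and HMAC-signed, so any later edit is detectable.
    def __init__(self, key: bytes = LEDGER_KEY):
        self._key, self._entries = key, []

    def record(self, event: str, principal: str, purposes, notice_version: str, method: str, ts=None) -> dict:
        entry = {
            "event": event,                    # "grant" or "withdraw"
            "principal": principal,            # opaque identity token, never the raw name or phone number
            "purposes": sorted(set(purposes)),
            "notice_version": notice_version,  # the Section 5 notice text the user actually saw
            "method": method,                  # UI surface or Consent Manager that produced the event
            "timestamp": ts or datetime.now(timezone.utc).isoformat(),
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        entry["sig"] = hmac.new(self._key, entry["hash"].encode(), hashlib.sha256).hexdigest()
        self._entries.append(entry)
        return entry  # this signed record is the artefact produced as proof under Section 6(10)

    def active_purposes(self, principal: str) -> set:
        # Replay the chain: the latest grant or withdrawal per purpose decides whether processing may continue.
        active = set()
        for e in (x for x in self._entries if x["principal"] == principal):
            (active.update if e["event"] == "grant" else active.difference_update)(e["purposes"])
        return active

    def verify(self) -> bool:
        # Recompute each hash, chain link and signature; False means the ledger was altered after the fact.
        prev = GENESIS
        for e in self._entries:
            sig = hmac.new(self._key, e["hash"].encode(), hashlib.sha256).hexdigest()
            if e["prev_hash"] != prev or _digest(e) != e["hash"] or not hmac.compare_digest(e["sig"], sig):
                return False
            prev = e["hash"]
        return True
```

A revocation signal from a Consent Manager would be written with `record("withdraw", ...)` and `method` set to that manager's identifier, and `active_purposes` then becomes the single gate the CRM and downstream processors consult before processing.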

6. The Rise of Consent Managers: A New Digital Entity 

The DPDPA introduces an innovative entity to the global privacy landscape: the Consent Manager. Registered with the Data Protection Board, these entities act as intermediaries that enable data principals to manage their permissions across hundreds of different Data Fiduciaries through a single, interoperable platform. 

By late 2026, Consent Managers will be fully operational across the digital ecosystem in India. This means a user could log into a single app, functioning as a "Privacy Dashboard for India", and see a comprehensive list of every company they have shared data with. From there, they can revoke permission for an e-commerce site they no longer visit or update their preferences for a social media app. For businesses, this means your backend systems must be ready to receive and process "revocation signals" from these external platforms seamlessly. 

7. Governance and the Role of the Data Protection Officer (DPO) 

To manage this complex lifecycle, Significant Data Fiduciaries (SDFs), which are organisations handling large volumes of sensitive data, must appoint a Data Protection Officer based in India. The DPO serves as the primary point of contact for the Data Protection Board and the individuals whose data is being processed. 

The DPO's responsibilities include: 

  • Overseeing periodic Data Protection Impact Assessments (DPIAs) to identify risks in new products. 


  • Ensuring that the notice provided to users is accurate and updated whenever processing activities change. 


  • Managing the grievance redressal mechanism to resolve user complaints within the timelines specified in the DPDP Rules, 2025.


  • Conducting annual data audits to verify that the organisation is adhering to its own consent records. 

Building a strong relationship between the DPO and the engineering teams is essential for maintaining compliance. Privacy can no longer be handled by the legal department in isolation; it must be a shared responsibility across the entire organisation. 

Conclusion 

Compliance with the Digital Personal Data Protection (DPDP) Act, 2023, represents a fundamental redesign of the digital trust architecture rather than a mere "tick box" exercise. As the DPDP Rules, 2025, come into force, the era of collecting data first and asking for permission later has officially ended, replaced by a gold standard of transparent, user-controlled consent. Organisations that embrace Consent by Design by integrating multilingual notices and easy withdrawal mechanisms directly into their product DNA will do more than just avoid regulatory penalties. By investing in automated consent management tools and respecting the Right to be Forgotten, businesses can transform complex legal mandates into a foundation of lasting customer loyalty and a significant competitive advantage in a privacy-conscious market.