
The DPDP Act places consent at the centre of its regulatory architecture. Unlike some jurisdictions that offer multiple legal bases for processing (legitimate interest, contractual necessity, etc.), the DPDP Act primarily relies on consent and a narrow set of “legitimate uses” defined in Section 7.
This means that for most commercial data processing, obtaining valid consent is not just best practice — it is a legal prerequisite. And the Act sets a high bar: consent must be free, specific, informed, unconditional, unambiguous, and given through a clear affirmative action.
What Valid Consent Looks Like
The Act and Rules together paint a detailed picture of valid consent. Every consent request must be preceded or accompanied by a notice that is standalone, written in clear and plain language, and available in English or any Eighth Schedule language. The notice must itemise the personal data being collected and the specific purposes of processing.
Consent cannot be bundled with other terms and conditions. It must be purpose-specific — a blanket consent for all future processing is invalid. And withdrawal of consent must be as easy as giving it. If consent is given through two clicks, withdrawal should not require a phone call, a written letter, or navigating a maze of settings.
The Consent Manager: A Uniquely Indian Innovation
The DPDP Act introduces the concept of Consent Managers — registered entities that act as intermediaries, enabling Data Principals to give, manage, review, and withdraw consent through a single interoperable platform. Think of them as consent aggregators, similar in concept to account aggregators in the financial sector.
Consent Managers must be companies incorporated in India with a minimum net worth of INR 2 crore. They must act in a fiduciary capacity towards Data Principals, maintain consent records for at least seven years, and avoid conflicts of interest with Data Fiduciaries. Their operations are subject to periodic audits and DPBI oversight.
The Consent Manager framework becomes operational in November 2026. Businesses should begin evaluating how they will integrate with Consent Managers and whether their existing consent mechanisms meet the new standards.
Cookie Consent and Digital Consent Mechanisms
For organisations with digital properties, cookie consent is a critical compliance area. Websites must identify and classify cookies, deploy customisable consent banners with multilingual support, and provide granular control to visitors over tracking. Pre-ticked boxes or implied consent (such as “by continuing to browse, you agree”) do not meet the Act’s standard.

Beyond cookies, any data collection through online forms, mobile apps, IoT devices, sensors, or trackers requires explicit, documented consent. Data privacy platforms can automate this process by providing cookie consent management, preference management, and consent record-keeping in a single interface.