What is Consent Management Under DPDPA? (And Why You Need It Now)
Under India's DPDPA, consent is not just a checkbox — it is a legal requirement with specific rules, audit trails, and penalties for getting it wrong. Here is everything businesses need to know about consent management in 2026.
DataDefend Editorial Team
Privacy & Compliance Experts
May 30, 2026 ◦ 8 min read

Consent Is the Foundation of DPDPA
If you strip the DPDPA down to its single most important requirement, it is this: you cannot process a person's personal data without their consent. Everything else in the Act builds on this foundation.
But consent under the DPDPA is not the 'I agree' checkbox that most websites currently use. The law defines consent very precisely — and most organisations' current consent practices fall short of the standard. Getting this wrong is not a minor technicality. It is the core violation that the Data Protection Board will investigate first.
This guide explains exactly what consent management means under the DPDPA, what a valid consent looks like, and how to build a consent infrastructure that protects your business.
What Does Valid Consent Look Like Under DPDPA?
The DPDPA defines consent as a free, specific, informed, unconditional and unambiguous indication by the Data Principal through a clear affirmative action. Each word in this definition carries legal weight.
- FREE: The person must not be forced or pressured. Consent tied to receiving a service ('agree to our data collection or you cannot use the app') is not free consent
- SPECIFIC: One consent for one purpose. You cannot get a single consent to 'use your data for all our purposes'. Each processing activity needs its own consent
- INFORMED: The person must know exactly what they are agreeing to — what data, for what purpose, shared with whom, for how long
- UNCONDITIONAL: No conditions attached. The person should not have to give consent as part of accepting other terms
- UNAMBIGUOUS: A clear positive action — clicking 'I consent', ticking an empty checkbox, or signing a form. Silence, pre-ticked boxes, or scrolling past a banner do NOT count
"The days of burying consent in 30-page terms and conditions are over. The DPDPA requires consent to be as easy to give as it is to understand — and as easy to withdraw as it was to give."
The Consent Notice: What You Must Tell Users
Before collecting consent, you must provide a consent notice to the user. This is not the same as a privacy policy — it is a clear, concise notice given at the point of data collection. The DPDPA specifies what this notice must contain.
- The personal data you are about to collect
- The specific purpose for which it will be used
- The identity of all third parties and Data Processors you will share it with
- A description of what data will be shared with each third party
- How the user can withdraw consent
- How the user can access or correct their data
- Contact details of your Grievance Officer
The notice must be available in English and in any other language the user prefers from the 22 scheduled languages of India. This is a significant operational requirement for businesses with large, diverse user bases.
The Consent Artefact: Your Compliance Proof
One of the most important concepts in DPDPA consent management is the consent artefact. This is the digital record that proves consent was given — when, by whom, for what purpose, and in what form.
A consent artefact is essentially a signed, machine-readable document or electronic record that captures the complete details of a consent transaction. MeitY, India's technology ministry, has published a technical specification for what a valid consent artefact must contain.
- Unique identifier for the consent transaction
- Identity of the Data Principal (without storing their personal data unnecessarily)
- Identity of the Data Fiduciary
- The specific purpose of consent
- The timestamp of when consent was given
- The version of the privacy notice shown at the time
- Digital signature to ensure the record cannot be tampered with
Every consent your organisation collects must generate a consent artefact. This is what you show the Data Protection Board if you are ever investigated. Without it, you have no way to prove consent was validly obtained.
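A minimal sketch of issuing and verifying such an artefact, added here as an illustration; it is not DataDefend's code and does not reproduce the MeitY specification. The field names, keys and sample values are assumptions, and HMAC-SHA256 from the Python standard library stands in for the digital signature (a deployment that needs third parties to verify records without holding the secret would use an asymmetric signature instead).

```python
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timezone

# Constructed demo keys; in production these live in a KMS/HSM, never in source.
SIGNING_KEY = b"demo-artefact-signing-key"
PSEUDONYM_KEY = b"demo-principal-pseudonym-key"


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation so the same record always yields the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def principal_ref(user_id: str) -> str:
    # Keyed hash: a stable reference to the Data Principal without storing the raw ID.
    return hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256).hexdigest()


def issue_artefact(user_id: str, fiduciary: str, purpose: str, notice_version: str) -> dict:
    record = {
        "consent_id": str(uuid.uuid4()),          # unique per consent transaction
        "principal_ref": principal_ref(user_id),
        "fiduciary": fiduciary,
        "purpose": purpose,                       # one artefact per purpose
        "granted_at": datetime.now(timezone.utc).isoformat(),
        "notice_version": notice_version,         # notice shown at consent time
    }
    tag = hmac.new(SIGNING_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return {**record, "signature": tag}


def verify_artefact(artefact: dict) -> bool:
    body = {k: v for k, v in artefact.items() if k != "signature"}
    expected = hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    presented = str(artefact.get("signature", ""))
    # Constant-time comparison; a missing signature fails closed.
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    # Constructed sample values for illustration only.
    art = issue_artefact("user-4821", "ExampleCo Pvt Ltd", "order-delivery-sms", "notice-v3")
    print("untouched record verifies:", verify_artefact(art))
    tampered = {**art, "purpose": "marketing-email"}
    print("edited purpose verifies:", verify_artefact(tampered))
```

Changing any field after issuance, including the purpose or the notice version, makes verification fail, which is the property an auditor relies on when the record is produced later.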
Withdrawing Consent: As Easy as Giving It
The DPDPA requires that withdrawing consent be as easy as giving it. This is a practical requirement that most businesses are not ready for.
If a user could give consent by clicking a button on your website, they must be able to withdraw it just as easily — also by clicking a button, in the same or fewer steps. Making withdrawal difficult (burying it in settings, requiring a support ticket, or making users call a helpline) is a violation.
- Provide a clear 'Manage my consent' option accessible from every page or the user's account dashboard
- When consent is withdrawn, stop processing that person's data for that purpose immediately
- If withdrawal means you can no longer provide the service, inform the user clearly — but do not use this as a threat to discourage withdrawal
- Delete the user's data if consent was the only legal basis for holding it
- Notify any Data Processors or third parties you shared the data with so they can also stop processing
What is a Consent Manager? (The New Regulated Entity)
The DPDPA introduces a new type of regulated entity that does not exist in any other data protection law in the world: the Consent Manager.
A Consent Manager is a company registered with the Data Protection Board that acts as a single point of contact for users to manage all their consents across multiple platforms and Data Fiduciaries in one place. Think of it as a unified consent dashboard for users.
This framework becomes operational on November 13, 2026. To register as a Consent Manager, a company must be incorporated in India and have a minimum net worth of ₹2 crore.
- Important: Most businesses do NOT need to register as a Consent Manager
- What most businesses need is a Consent Management Platform (CMP) — software that helps them collect, store, and manage consents from their own users
- A Consent Manager is a new type of intermediary business — essentially a consent infrastructure provider
- DataDefend is a CMP — we help you manage consent with your users. We are not the same as a registered Consent Manager under DPDPA
Building Your Consent Infrastructure: What You Need
A DPDPA-compliant consent infrastructure has four core components. You need all four to be fully compliant.
- Consent Collection: A user-facing consent notice and form that is specific, clear, multilingual, and generates a valid consent artefact for every consent given
- Consent Storage: A secure, tamper-proof database that stores every consent artefact with its full details — accessible for audit at any time
- Consent Management: A portal where users can view, update, and withdraw their consents at any time with a single click
- Consent Propagation: A system to notify all connected Data Processors and third parties when a user withdraws consent so that processing stops across your entire ecosystem
Building this from scratch requires significant engineering effort. Most organisations find it more efficient to use a purpose-built consent management platform that handles all four components out of the box.
DataDefend's consent management platform is built specifically for the DPDPA — with MeitY-compliant consent artefacts, 22 Indian language support, one-click withdrawal, real-time consent APIs, and webhook-based propagation to your entire tech stack. Start with 3,000 free consents per month — no credit card required.