BACK TO DPDP ACT(2017) 10 SCC 1
DPDP Act 2023
Section 6
Consent
THE STATUTE
Original Text
(1) Save as otherwise provided in this Act, consent of the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and shall be limited to such personal data as is necessary for such specified purpose. (2) The request for consent shall be presented to each Data Principal in a clear and plain language with an option to access the same in English or any language specified in the Eighth Schedule of the Constitution, and shall contain a description of the personal data and the purpose for processing. (3) Any part of consent given in violation of the provisions of this Act shall be invalid to the extent of such violation. (4) The Data Principal shall have the right to withdraw her consent given to a Data Fiduciary at any time, with ease of doing so being comparable to the ease with which such consent was given. (5) Upon withdrawal of consent, the Data Fiduciary shall, within a reasonable time, cease to process the personal data of such Data Principal unless such processing is required or authorised under any law for the time being in force.
Simplified
Section 6 is the heart of the DPDP Act's rights framework. Valid consent must be: Free (not coerced or made a condition of service beyond what is necessary); Specific (for a defined purpose, not open-ended); Informed (the individual knows what they're consenting to); Unconditional (not bundled with unrelated consents); and Unambiguous with a clear affirmative action (no pre-ticked boxes, no silence-as-consent). The multilingual notice requirement is groundbreaking — Data Fiduciaries must offer consent notices in any of India's 22 Eighth Schedule languages, not just English. This will require significant investment in localisation for platforms serving India. The consent withdrawal right is arguably the most practically important provision: Data Principals can withdraw at any time, and the ease of withdrawal must match the ease of giving consent. If you could consent in one click, you must be able to withdraw in one click. After withdrawal, the Data Fiduciary must stop processing within a reasonable time, erasing the data unless a legal obligation requires retention. Pre-ticked boxes, buried consent clauses in terms of service, and consent obtained as a non-negotiable condition of service will all need to be restructured to comply.
Common Queries
Valid consent must be free (not coerced), specific (for a particular purpose), informed (given after receiving Section 5 notice), unconditional (not bundled with take-it-or-leave-it terms), and unambiguous (a clear affirmative act — pre-ticked boxes and silence do not count). Consent that fails any of these criteria is invalid and cannot be used as a processing ground.
No. Section 6(1) requires consent to be specific and unconditional. Bundling data processing consent into general terms of service — where refusal means denial of service — is not valid consent under the DPDP Act. Consent for each distinct processing purpose must be separately obtainable.
Section 6(4) gives Data Principals the right to withdraw consent at any time, as easily as consent was given. Rule 3 of the DPDP Rules 2025 requires Data Fiduciaries to provide a direct link to the withdrawal mechanism in every notice. Withdrawal triggers the storage limitation obligation — the Data Fiduciary must stop processing and delete the data unless a legitimate use or legal obligation applies.
Section 6(5) prevents Data Fiduciaries from making services contingent on consent to processing that is not necessary for those services. However, if the data is genuinely needed to deliver the service, withdrawal of consent may mean the service cannot be provided. The proportionality test is whether the specific data and processing are necessary for the specific service.
Consent requires the Data Principal's active, informed agreement each time — and can be withdrawn. Legitimate uses under Section 7 do not require consent and cannot be blocked by the Data Principal for those specific purposes (e.g., a government cannot be refused access to data needed to deliver a benefit). The choice of which ground to rely on has significant consequences for Data Principal rights.
Legal Context
India's previous data protection framework under SPDI Rules 2011 required consent but provided minimal specifications about its quality. Courts developed some consent doctrine through IT Act Section 43A cases. The DPDP Act's consent framework closely tracks GDPR Article 7 but with important Indian modifications — particularly the multilingual notice requirement and the explicit ease-of-withdrawal standard.
Key Rules & Provisions
Consent notices must be available in all 22 Eighth Schedule languages — major localisation requirement.
Ease-of-withdrawal must match ease-of-consent — banning dark patterns in consent flows.
Bundled, blanket, or pre-ticked consents are invalid.
Consent withdrawal does not override other legal retention obligations.
Related Case Laws
Justice K.S. Puttaswamy v. Union of India (2017)
RELEVANCE
The Puttaswamy court's recognition of 'informational self-determination' — the individual's right to control how information about them is used — is the constitutional foundation for Section 6's consent requirements. Consent that is not freely and specifically given fails the informational self-determination standard.