Consent (DPDP Act)
The primary lawful basis for processing personal data under the DPDP Act — must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action.
Full Definition
Section 6 of the DPDP Act 2023 sets out the consent framework. Consent must be: free (not coerced), specific (for a particular purpose), informed (with a clear notice), unconditional, and unambiguous (expressed through a clear affirmative action — no pre-ticked boxes or implied consent). Consent must be accompanied by a notice (Section 5) that clearly describes the personal data to be collected, the purpose of processing, and how Data Principal rights can be exercised. Consent can be withdrawn at any time (Section 6(4)) — withdrawal is as easy as giving consent. A Data Fiduciary must cease processing and cause its Processors to cease processing within a reasonable period after withdrawal. The DPDP Act is consent-heavy: unlike GDPR's six lawful bases, the DPDP Act's alternative 'legitimate use' grounds are narrow.
In Indian Law
DPDP Act 2023, Sections 5 and 6. Notice requirements (Section 5) must be provided before or at the time of collecting data. The Consent Manager framework (Section 6(9), Rule 4 — Phase 2, November 2026) creates a registered intermediary through which Data Principals can give, manage, and withdraw consent centrally. Children's data requires verifiable parental consent (Section 9). Notably absent: no legitimate interests basis (unlike GDPR Article 6(1)(f)) — this is one of the DPDP Act's most significant departures from the GDPR framework.
Related Legal Sections
Frequently Asked Questions
Can a company continue processing data after a Data Principal withdraws consent?
No. Section 6(4) requires the Data Fiduciary to cease processing (and ensure Processors also cease) within a reasonable time after consent is withdrawn. However, withdrawal does not affect the lawfulness of processing done before withdrawal.
What is a 'Consent Manager' under the DPDP Act?
A Consent Manager is a DPDP-specific registered intermediary through which Data Principals can give, manage, review, and withdraw consent centrally (Section 6(9), Rule 4). It is a novel concept — the GDPR has no equivalent statutory role. Consent Managers must be registered with the Data Protection Board and will be operational from November 2026 (Phase 2).