Newsletter · Edition #3 · DPDP Act · 3 min read

DPDP consent: what “valid consent” actually means

A pre-ticked box and a buried privacy policy won’t clear the DPDP bar.

Under the DPDP Act, consent isn’t a checkbox you assume. It has to be free, specific, informed, unambiguous and given by a clear affirmative action — and it has to be as easy to withdraw as it was to give.

Where teams fall short

Bundling unrelated purposes into one consent. Pre-ticked boxes. Notices no one could reasonably understand. No working way to withdraw. Each undermines the validity of the consent you’re relying on to process data at all.

Design for withdrawal

If withdrawing consent is harder than granting it, you have a problem. Build the withdrawal and erasure path first — it forces you to actually know where the data went, which is the hard part anyway.

The bottom line

Consent is an ongoing relationship, not a one-time click. Make it specific, understandable and reversible.
