Newsletter · Edition #3 · DPDP Act · 3 min read
DPDP consent: what “valid consent” actually means
A pre-ticked box and a buried privacy policy won’t clear the DPDP bar.
Under the DPDP Act, consent isn’t a checkbox you assume. It has to be free, specific, informed, unambiguous and given by a clear affirmative action — and it has to be as easy to withdraw as it was to give.
Where teams fall short
Bundling unrelated purposes into one consent. Pre-ticked boxes. Notices no one could reasonably understand. No working way to withdraw. Each undermines the validity of the consent you’re relying on to process data at all.
Design for withdrawal
If withdrawing consent is harder than granting it, you have a problem. Build the withdrawal and erasure path first — it forces you to actually know where the data went, which is the hard part anyway.
The bottom line
Consent is an ongoing relationship, not a one-time click. Make it specific, understandable and reversible.
