WikiFrameworksIndia's DPDPConsent Logging & Audit

Consent Logging & Audit

Updated: 2026-02-08

Plain English Translation

Under Section 6(10) of the Act, if a dispute ever arises regarding data processing, the burden of proof DPDP places is entirely on the organization to demonstrate valid consent. You cannot simply say a user agreed; you must provide irrefutable evidence. This requires a robust consent logging DPDP strategy that captures exactly what version of the notice was shown, the specific timestamp, and the clear affirmative action taken by the user. A simple checkbox in a database is insufficient; you need a forensic compliance audit trail to prove the consent was free, specific, and informed.

Executive Takeaway

In any legal proceeding, the organization is guilty until proven innocent regarding consent. Without a granular, tamper-proof audit trail linking specific users to specific policy versions, the company cannot defend against claims of unauthorized processing.

ImpactHigh
ComplexityHigh

Why This Matters

  • The burden of proof rests solely on the Data Fiduciary; lack of evidence equals a violation.
  • Regulatory penalties for processing without valid consent can reach INR 250 crore, which this log defends against.

What “Good” Looks Like

  • Immutable logs recording the exact time, IP address, and notice version ID for every consent event.
  • Ability to reconstruct the exact user experience (notice text and consent button) from any past date.

Common Questions

Section 6(10) requires the Data Fiduciary to prove that a notice was given and that consent was given in accordance with the Act. This implies a record of the notice content and the user's affirmative action.

While the Act doesn't specify a day count for logs, Section 6(10) refers to proving consent in a proceeding. Logs should be retained as long as the data is processed and for a subsequent limitation period to defend against disputes.

To meet the burden of proof, logs should likely contain the user identity, timestamp, specific notice version presented (to prove Section 5 compliance), and the specific affirmative action taken (to prove Section 6(1)).

Section 6(10) explicitly states that the Data Fiduciary shall be obliged to prove that notice was given and valid consent was obtained.

Standard logs can be edited. To ensure credible DPDP proof of compliance, organizations should use immutable storage (WORM), cryptographic hashing, or blockchain-based ledgers.

Likely not. A boolean 'true' flag does not prove what notice was shown or that the consent was 'informed' and 'specific' as required by Section 6(1) and Section 5.

You must log the withdrawal event. However, you should retain the original consent log to prove that the processing prior to withdrawal was lawful under Section 6(5).

Yes, because they link a user identifier (like email or user ID) to their choices. These logs themselves must be protected with reasonable security safeguards under Section 8(5).

Official Standard Text

DPDP Section 6(10)

"Where a consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder."

Revision History

VersionDateAuthorDescription
1.0.02026-02-08WatchDog Security GRC Wiki TeamInitial publication from DPDP Workbook