WikiFrameworksIndia's DPDPValid Consent Requirements

Valid Consent Requirements

Updated: 2026-02-08

Plain English Translation

Under Section 6(1) of the Act, obtaining valid consent DPDP style means the user must actively say yes without being forced or tricked. You cannot use pre-ticked boxes, bundle consent with other terms, or hide the agreement in legal jargon. The DPDP consent requirements mandate that consent must be free, specific, informed, unconditional, and unambiguous with clear affirmative action. This ensures the user knows exactly what they are agreeing to, effectively establishing free specific informed consent before any data is processed.

Executive Takeaway

Consent is the legal bedrock for data processing; if it is flawed, all downstream processing is illegal. Non-compliance with consent standards can attract penalties up to INR 50 crore (approx. USD 6 million).

ImpactHigh
ComplexityHigh

Why This Matters

  • Invalid consent voids the lawful basis for processing, making the data unusable and the organization liable for penalties.
  • Trust is eroded if users feel tricked into giving consent through dark patterns or ambiguous language.

What “Good” Looks Like

  • Consent forms that use clear, plain language with granular options for different processing purposes.
  • A positive action (like clicking a button or checking a box) is required to opt-in, rather than opting out.

Common Questions

Consent is valid under Section 6(1) only if it is free, specific, informed, unconditional, and unambiguous, accompanied by a clear affirmative action signifying agreement to the processing for a specified purpose.

It means the user must have a genuine choice without coercion, agree to a precise purpose, understand what they are agreeing to via a notice, and not be forced to agree as a condition for receiving a service.

Consent is unambiguous when there is a clear affirmative action, such as clicking an 'I Agree' button or checking an empty box, leaving no doubt about the user's intention.

Invalid practices include using pre-ticked boxes, bundling consent for data processing with terms of service, or making consent a condition for supplying goods or services where the data is not necessary for that service.

No, consent must be specific to the purpose of processing. Section 6(1) requires consent to be limited to personal data necessary for the specified purpose, implying it cannot be broadly bundled with unrelated terms.

Under Section 6(10), the Data Fiduciary bears the burden of proof. This is done by maintaining records that show a notice was given and the Data Principal took affirmative action to give consent.

Clear affirmative action is a deliberate action by the user, such as clicking a button, swiping, or checking a box, that signifies their agreement. Silence or inactivity does not constitute affirmative action.

Avoid pre-selected options, ensure the request is in clear and plain language, do not make consent a condition for unrelated services, and allow users to withdraw consent as easily as they gave it.

Official Standard Text

DPDP Section 6(1)

"The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose."

Revision History

VersionDateAuthorDescription
1.0.02026-02-08WatchDog Security GRC Wiki TeamInitial publication from DPDP Workbook