Withdrawal of Consent
Plain English Translation
Under Section 6(4) of the Act, every user has the absolute right to withdraw consent at any time. The law specifically mandates that the process for withdrawing consent must be comparable in ease to the process of giving consent. If a user could sign up with one click, they must be able to opt out with similar ease. Once a user exercises this right, the organization must stop processing their data within a reasonable time and instruct any third-party processors to do the same.
Technical Implementation
Required Actions (startup)
- Provide an email address or simple form for users to request withdrawal.
- Manually update the database to stop processing.
- Acknowledge the request via email.
Required Actions (scaleup)
- Implement a self-service privacy portal for managing consent withdrawal.
- Automate the suppression of marketing emails upon withdrawal.
- Log withdrawal requests for audit purposes.
Section 6(4) grants the Data Principal the right to withdraw consent at any time, with the ease of doing so being comparable to the ease with which such consent was given.
Yes, Section 6(4) explicitly requires that the ease of withdrawing consent must be comparable to the ease with which such consent was given.
Under Section 6(6), the Data Fiduciary must cease and cause its Data Processors to cease processing the personal data within a reasonable time unless retention is required by law.
The Act does not explicitly address fees, but Section 6(4) requires the ease of withdrawal to be comparable to giving consent. If giving consent was free, charging a fee would likely violate the comparability requirement.
Section 6(6) mandates that the Data Fiduciary must cease processing the personal data within a reasonable time after the Data Principal withdraws her consent.
The Act grants the right to withdraw at any time. However, Section 6(6) allows continued processing if such processing without consent is required or authorised under the provisions of this Act or any other law.
Yes, Section 6(7) allows a Data Principal to manage, review, or withdraw consent through a Consent Manager, implying granular control over specific consents given for specified purposes.
Under Section 6(10), the Data Fiduciary bears the burden of proof. Therefore, organizations should maintain robust system logs recording the timestamp, user action, and subsequent cessation of processing.
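The scaleup actions and the logging guidance above can be combined in one withdrawal handler. The following is an added example, not code from the DPDP Workbook or the Act: it withdraws consent per purpose, suppresses marketing, records the cease instruction to each processor, and logs timestamp, user action and cessation. All identifiers, the sample data, the legal-hold purpose and the hash-chained log (one way to make entries tamper-evident) are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample state; every name here is hypothetical.
CONSENTS = {("user-1001", "marketing_email"): "granted",
            ("user-1001", "kyc_records"): "granted"}
LEGAL_HOLD = {"kyc_records"}   # assumed: processing required by another law
PROCESSORS = {"marketing_email": ["mail-vendor"], "kyc_records": ["kyc-vendor"]}
SUPPRESSED = set()             # (user, purpose) pairs blocked from processing
AUDIT_LOG = []                 # append-only, hash-chained entries


def _audit(user, action, detail):
    """Append an entry whose hash also covers the previous entry's hash."""
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    body = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
            "action": action, "detail": detail, "prev": prev}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    AUDIT_LOG.append({**body, "hash": digest})


def withdraw_consent(user, purpose):
    """Record the withdrawal, then cease processing unless a legal basis remains."""
    if CONSENTS.get((user, purpose)) != "granted":
        return "no_active_consent"
    CONSENTS[(user, purpose)] = "withdrawn"
    _audit(user, "consent_withdrawn", {"purpose": purpose})
    if purpose in LEGAL_HOLD:
        _audit(user, "processing_retained", {"purpose": purpose, "basis": "legal"})
        return "withdrawn_retained_by_law"
    SUPPRESSED.add((user, purpose))
    for processor in PROCESSORS.get(purpose, []):
        _audit(user, "processor_cease_instructed", {"processor": processor})
    _audit(user, "processing_ceased", {"purpose": purpose})
    return "withdrawn_processing_ceased"


def verify_audit_chain():
    """Recompute every hash; False means an entry was altered or removed."""
    prev = "0" * 64
    for entry in AUDIT_LOG:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != digest:
            return False
        prev = entry["hash"]
    return True
```

In production the log would live in write-once storage rather than process memory, and the suppression set would be checked by every job that sends or processes on that purpose.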
"Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given."
"The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal."
"If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-08 | WatchDog Security GRC Wiki Team | Initial publication from DPDP Workbook |