Consent Under the DPDP Act: What Valid Consent Looks Like
The DPDP Act is a consent-first law. With no GDPR-style "legitimate interests" ground, almost everything you do with personal data needs either valid consent or one of the narrowly enumerated "legitimate uses" in Section 7. Getting consent right is therefore the core compliance task.
What valid consent requires
Under Section 6, consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose. Pre-ticked boxes, bundled consents and "by continuing you agree" patterns all fail this standard.
The notice that must accompany consent
- An itemised description of the personal data being collected.
- The specific purpose of processing — no vague "service improvement" catch-alls.
- How the individual can exercise their rights (access, correction, erasure).
- How to withdraw consent — and withdrawal must be as easy as giving consent.
- How to complain to the Data Fiduciary and to the Data Protection Board.
- Available in English or any of the 22 scheduled languages, at the individual's option.
Section 7: the "legitimate uses" that don't need consent
- Data the individual voluntarily provided for a specified purpose and hasn't objected to being used for it.
- State functions — subsidies, benefits, services, licences, permits.
- Compliance with a law, court judgment or decree.
- Medical emergencies — threat to life or immediate health.
- Epidemics, disasters and public-order breakdowns.
- Employment purposes — safeguarding the employer from loss, providing benefits to employees.
Note what is missing
Marketing, analytics, profiling, AI training and "improving our services" are not legitimate uses. They need consent. This is the single biggest operational difference from GDPR-era assumptions.
Consent managers: India's unique construct
From November 2026, registered Consent Managers give individuals a single interoperable dashboard to grant, review and withdraw consent across services. They must be registered with the Data Protection Board, meet prescribed technical and net-worth criteria, and act as fiduciaries to the individual — they cannot monetise the consent data they handle.
Less data collected, less consent to manage
Data minimisation is the quiet hero of consent compliance: what you never collect, you never need consent for. EverydayPDF's tools require no signup and process files locally — we cannot see your documents at all.
Our zero-data architectureFrequently asked questions
Can I rely on implied consent under the DPDP Act?+
No. Consent requires a clear affirmative action and must be specific and unambiguous. Silence, inactivity, pre-ticked boxes or continued use of a service do not constitute valid consent.
Do existing users need fresh consent after the Act commences?+
Where personal data was collected before commencement with earlier consent, the fiduciary must provide the new-format notice as soon as practicable — processing can continue until the individual withdraws, but the notice and easy-withdrawal obligations apply.
Is consent needed to process employee data?+
Often not — Section 7 lists employment purposes as a legitimate use, covering things like payroll, benefits and protecting the employer from loss. But processing outside those purposes (say, monetising employee data) would still need consent.
What is a Consent Manager and must my business integrate with one?+
A Consent Manager is a Board-registered platform through which individuals can manage consent across services, operational from November 2026. Whether and how fiduciaries must interoperate depends on the notified framework — watch for Board guidance if you operate at scale.
How quickly must I honour a consent withdrawal?+
Withdrawal must be as easy as granting consent, and once withdrawn, processing based on that consent must stop within a reasonable time, followed by erasure unless retention is required by law.
Continue reading
What is the DPDP Act?
India's first comprehensive data protection law, explained in plain English — definitions, scope, rights and duties.
Compliance checklist
Twelve concrete steps — from data mapping to breach drills — sized for firms without a compliance department.
DPDP vs GDPR
A side-by-side comparison for teams that operate under both regimes — where India's law is stricter, and where it is lighter.
DPDP Rules 2025
The rules that switched the Act on — notification, phased commencement, and the 13 May 2027 hard deadline.
This guide is general information about the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, current as of July 5, 2026. It is not legal advice — consult a qualified professional for advice on your specific obligations.
