EverydayPDF Logo
DPDP Act 2023 · India

Consent Under the DPDP Act: What Valid Consent Looks Like

Updated July 5, 2026·7 min read·EverydayPDF Research

The DPDP Act is a consent-first law. With no GDPR-style "legitimate interests" ground, almost everything you do with personal data needs either valid consent or one of the narrowly enumerated "legitimate uses" in Section 7. Getting consent right is therefore the core compliance task.

What valid consent requires

Under Section 6, consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose. Pre-ticked boxes, bundled consents and "by continuing you agree" patterns all fail this standard.

The notice that must accompany consent

  • An itemised description of the personal data being collected.
  • The specific purpose of processing — no vague "service improvement" catch-alls.
  • How the individual can exercise their rights (access, correction, erasure).
  • How to withdraw consent — and withdrawal must be as easy as giving consent.
  • How to complain to the Data Fiduciary and to the Data Protection Board.
  • Available in English or any of the 22 scheduled languages, at the individual's option.

Section 7: the "legitimate uses" that don't need consent

  1. Data the individual voluntarily provided for a specified purpose and hasn't objected to being used for it.
  2. State functions — subsidies, benefits, services, licences, permits.
  3. Compliance with a law, court judgment or decree.
  4. Medical emergencies — threat to life or immediate health.
  5. Epidemics, disasters and public-order breakdowns.
  6. Employment purposes — safeguarding the employer from loss, providing benefits to employees.

Note what is missing

Marketing, analytics, profiling, AI training and "improving our services" are not legitimate uses. They need consent. This is the single biggest operational difference from GDPR-era assumptions.

Consent managers: India's unique construct

From November 2026, registered Consent Managers give individuals a single interoperable dashboard to grant, review and withdraw consent across services. They must be registered with the Data Protection Board, meet prescribed technical and net-worth criteria, and act as fiduciaries to the individual — they cannot monetise the consent data they handle.

Less data collected, less consent to manage

Data minimisation is the quiet hero of consent compliance: what you never collect, you never need consent for. EverydayPDF's tools require no signup and process files locally — we cannot see your documents at all.

Our zero-data architecture

Frequently asked questions

Can I rely on implied consent under the DPDP Act?+

No. Consent requires a clear affirmative action and must be specific and unambiguous. Silence, inactivity, pre-ticked boxes or continued use of a service do not constitute valid consent.

Do existing users need fresh consent after the Act commences?+

Where personal data was collected before commencement with earlier consent, the fiduciary must provide the new-format notice as soon as practicable — processing can continue until the individual withdraws, but the notice and easy-withdrawal obligations apply.

Is consent needed to process employee data?+

Often not — Section 7 lists employment purposes as a legitimate use, covering things like payroll, benefits and protecting the employer from loss. But processing outside those purposes (say, monetising employee data) would still need consent.

What is a Consent Manager and must my business integrate with one?+

A Consent Manager is a Board-registered platform through which individuals can manage consent across services, operational from November 2026. Whether and how fiduciaries must interoperate depends on the notified framework — watch for Board guidance if you operate at scale.

How quickly must I honour a consent withdrawal?+

Withdrawal must be as easy as granting consent, and once withdrawn, processing based on that consent must stop within a reasonable time, followed by erasure unless retention is required by law.

Continue reading

This guide is general information about the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, current as of July 5, 2026. It is not legal advice — consult a qualified professional for advice on your specific obligations.