What India’s DPDP regime demands of your business

By Ravi Singhania and Jivesh Chandrayan, Singhania & Partners

Breaching consent and data protection regulations can prove extremely costly, demanding board-level attention for peace of mind

The Digital Personal Data Protection (DPDP) regime, comprising the DPDP Act, 2023, and DPDP Rules, 2025, establishes a consent-driven framework that significantly reshapes how digital personal data may be processed in India.

For businesses, this goes beyond procedural compliance; it operates as a substantive legal metric affecting digital architecture and necessitating a rethink on risk allocation. Consent here functions as a legal threshold requiring operational discipline and a considered policy reset that prioritises individual autonomy over broader processing flexibility.

Valid consent demands active clarity

Ravi Singhania
Managing Partner
Singhania & Partners
Tel: +91 11 4430 5000
Email: ravi@singhania.in

The statutory standard for valid consent is exacting. Consent must be free, informed, specific, unambiguous, unconditional and indicated through clear affirmative action.

Each element carries interpretive weight. “Free” consent excludes coercion and conditionality not indispensable for service delivery. “Informed” consent requires transparency in both substance and presentation. “Specific” consent requires purpose limitation at a granular level, barring omnibus approvals. “Unambiguous” consent rules out reliance on implied or passive conduct.

Taken together, these requirements render many legacy consent practices, such as pre-ticked boxes, legally untenable.

Consent is inseparable from notice. The act mandates that a detailed notice precedes or accompanies a request for consent, setting out the nature of the personal data collected, the purpose of processing, and the mechanisms for grievance redressal and withdrawal. Notices must be substantively complete and intelligible to users across India’s diverse linguistic landscape.

Although the act does not prescribe a format for obtaining consent, it places substantial emphasis on outcome: consent must be clear, specific and based on an active user decision. Passive mechanisms, including pre-ticked boxes, are insufficient.

Companies must architect their products so that the user journey naturally reflects a valid consent. Where data is processed for several distinct purposes, consent must be obtained separately for each.

However, not all processing under the act is consent dependent. The act recognises “certain legitimate uses”. These include processing necessary for the performance of a function under law, compliance with a court order, employment-related purposes, and processing by the state for the provision of subsidies or services set out in the schedule to the act.

Businesses should map their processing activities carefully against these grounds before defaulting to a consent-first approach, as misclassification in either direction carries compliance risk.

Consent managers and evidentiary compliance

Jivesh Chandrayan
Partner
Singhania & Partners
Tel: +91 11 4430 5000
Email: jivesh@singhania.in

The act introduces consent managers as regulated entities that support data principals in providing, managing and withdrawing consent through interoperable platforms. While engagement is discretionary, their emergence signals a regulatory trajectory towards standardised, user-controlled consent ecosystems. Early integration can offer both compliance and reputational advantages.

Data principals must be able to withdraw consent with the same ease with which it was given. If consent is obtained through a single-step interaction, withdrawal cannot be shrouded in layered navigation or procedural friction.

Where consent is the basis of processing and a question arises in a proceeding, the data fiduciary must demonstrate that valid consent was obtained. This makes consent an evidentiary construct, requiring robust internal systems for recording, storing and retrieving consent artefacts.

Timestamping and audit trails are not administrative niceties. They are essential components of defensible compliance.
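An added illustration (not from the article or the firm) of what a defensible consent record can look like in practice: one record per purpose, consent accepted only on an explicit affirmative action, withdrawal as a single call, and a timestamped, hash-chained audit trail so that an edited or deleted record is detectable. The data-principal identifier, purpose names and notice version are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone


class ConsentLedger:
    """Append-only, hash-chained log of consent events per data principal."""

    GENESIS = "0" * 64

    def __init__(self):
        self.events = []  # never edited in place; withdrawal is a new record
        self._prev_hash = self.GENESIS

    def _append(self, principal, purpose, action, notice_version):
        event = {
            "principal": principal,
            "purpose": purpose,  # one purpose per record: no omnibus approvals
            "action": action,  # "given" or "withdrawn"
            "notice_version": notice_version,  # notice shown with the request
            "ts": datetime.now(timezone.utc).isoformat(),  # timestamp for evidence
            "prev": self._prev_hash,  # chains this record to the one before it
        }
        event["hash"] = self._digest(event)
        self.events.append(event)
        self._prev_hash = event["hash"]
        return event

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def give(self, principal, purpose, notice_version, affirmative_action):
        # A pre-ticked or passive default is rejected; only an explicit act counts.
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action")
        return self._append(principal, purpose, "given", notice_version)

    def withdraw(self, principal, purpose):
        # Withdrawal is one step, mirroring the one-step grant.
        return self._append(principal, purpose, "withdrawn", None)

    def has_consent(self, principal, purpose):
        """Latest record for this principal/purpose decides; absent means no consent."""
        for ev in reversed(self.events):
            if ev["principal"] == principal and ev["purpose"] == purpose:
                return ev["action"] == "given"
        return False

    def verify_chain(self):
        """Recompute every hash; any altered or removed record breaks the chain."""
        prev = self.GENESIS
        for ev in self.events:
            body = {k: v for k, v in ev.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != ev["hash"]:
                return False
            prev = ev["hash"]
        return True
```

`verify_chain()` is what you would run before producing the log in a proceeding; `has_consent()` is what the processing path should check, per purpose, at the moment of use.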

Localise consent or face penalties

Standard global templates will often require localisation to meet Indian statutory expectations.

The urgency is not merely regulatory; it is financial. Penalties for breach of the act’s consent and data protection provisions can reach INR2.5 billion (USD26.4 million) per instance, placing India firmly within the bracket of jurisdictions where data protection demands board-level attention.

Businesses embedding consent into the product lifecycle, not treating it as a documentation formality, will better withstand regulatory scrutiny; the DPDP regime does not reward delay.

Mehar Babrah, an associate, provided research assistance on this article

SINGHANIA & PARTNERS
B-14/A, 4th Floor,
Chhatrapati Shivaji
Bhawan, Qutub
Institutional Area,
New Delhi – 110 016, India
https://singhania.in/
