DPDP Act 2023 · Advanced Topics
Deep dive into complex DPDP compliance scenarios: consent management, cross-border transfers, children's data protection, legitimate uses, and regulatory conflicts.
Expert guidance for organizations across Mumbai, Bangalore, Delhi, Hyderabad, Gurgaon, and Pune.
DPDP Act 2023 · Sections 6, 7, 9 & 16 · Last reviewed June 2026
Direct Answer
What are the hardest parts of DPDP Act compliance?
The DPDP Act 2023 is short on text but deep in edge cases, and five areas account for most of the difficulty: granular consent and withdrawal (Section 6), cross-border transfers (Section 16), children’s data (Section 9), Section 7 legitimate uses, and conflicts with sector regulators. The recurring theme is that the Act states a principle simply, but engineering it correctly — unbundled consents, verifiable parental consent, a defensible legitimate-use claim — is where programs succeed or fail.
Two rules of thumb resolve most hard calls. First, where the DPDP Act — administered by MeitY — overlaps a sector regulator (RBI, SEBI, IRDAI, TRAI), follow the stricter requirement and document the basis. Second, treat consent as the default and legitimate uses as narrow exceptions, not a convenient bypass. The deep-dives below work through each scenario with concrete right/wrong examples; the DPDP Act knowledge hub covers the baseline obligations these build on.
Expert Deep Dives
Five Advanced Compliance Areas
Consent Management Deep Dive
Granular vs Bundled Consent
The DPDP Act requires consent to be "specific", meaning that consent for one purpose cannot be bundled with consent for another, unrelated purpose. Organizations must provide separate consent options for distinct purposes.
E-commerce Platform
Wrong: Single checkbox: "I agree to receive order updates and marketing communications"
Right: Separate checkboxes: (1) "I agree to receive order updates" (required), (2) "I agree to receive marketing communications" (optional)
Banking App
Wrong: Bundled consent for account opening, credit assessment, and third-party offers
Right: Separate consent for: (1) Account opening (required), (2) Credit assessment (required for loans), (3) Marketing offers (optional)
Best Practices:
Consent Withdrawal Mechanisms
Section 6(4) requires that withdrawal of consent must be as easy as giving consent. This means the withdrawal mechanism must be equally accessible and straightforward.
Mobile App
Wrong: Consent given via one-click button, withdrawal requires emailing support
Right: Consent given via button, withdrawal via the same button or in-app settings with one click
Website
Wrong: Consent via popup, withdrawal buried in privacy policy behind a complex form
Right: Consent via popup, withdrawal via account settings or a footer link with a simple toggle
Best Practices:
Consent Refresh Strategies
While the DPDP Act does not mandate consent expiry, best practice is to refresh consent periodically, especially for marketing and profiling purposes.
Best Practices:
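The granular-consent, withdrawal and refresh points above can be enforced in the consent store itself. The following is an added illustration, not code from the page or any Consent Manager product: a per-purpose ledger where give and withdraw are the same one-step call, only required purposes gate the service, and marketing consent lapses after an assumed 365-day refresh window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Purpose:
    pid: str
    description: str
    required: bool         # needed to deliver the service itself
    refresh_days: int = 0  # 0 = no periodic re-confirmation


# Constructed purpose catalogue mirroring the e-commerce scenario: one entry per
# distinct purpose, so there is no "agree to everything" option by construction.
PURPOSES = {
    "order_updates": Purpose("order_updates", "Send order status updates", True),
    "marketing": Purpose("marketing", "Send marketing communications", False, 365),
}


class ConsentLedger:
    """Per-purpose consent store. Giving and withdrawing consent are the same
    one-step call, so withdrawal is never harder than opt-in (Section 6(4))."""

    def __init__(self, purposes=PURPOSES, now=None):
        self.purposes = purposes
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.state = {}   # (principal_id, pid) -> (granted, timestamp)
        self.log = []     # append-only audit trail of every give/withdraw

    def set_consent(self, principal_id, pid, granted):
        if pid not in self.purposes:
            raise KeyError(f"unknown purpose {pid!r}")  # no blanket consent path
        ts = self.now()
        self.state[(principal_id, pid)] = (granted, ts)
        self.log.append((principal_id, pid, granted, ts))

    def may_process(self, principal_id, pid):
        granted, ts = self.state.get((principal_id, pid), (False, None))
        p = self.purposes[pid]
        if granted and p.refresh_days and self.now() - ts > timedelta(days=p.refresh_days):
            return False  # consent older than the refresh window: re-confirm first
        return granted

    def service_available(self, principal_id):
        # Only required purposes gate the service; withholding an optional
        # consent (marketing) must never block it.
        return all(self.may_process(principal_id, p.pid)
                   for p in self.purposes.values() if p.required)
```

The audit log records every give and withdraw with a timestamp, which is what an auditor will ask for when checking that withdrawals were honoured promptly.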
Consent Manager Integration
Rule 4 establishes Consent Managers as intermediaries for managing consent. Organizations can integrate with registered Consent Managers for standardized consent management.
Technical Considerations:
Cross-Border Transfer Complexities
Restricted Countries Framework
Section 16 allows the Central Government to restrict data transfers to specific countries. Organizations must monitor notifications and ensure compliance.
As of January 2025, no restricted countries list has been notified. However, organizations should prepare for potential restrictions.
Preparation Steps:
Cloud Infrastructure Considerations
Most organizations use cloud providers with global infrastructure. Cross-border transfer compliance requires careful architecture.
Multi-Region Cloud Deployment
Issue: Data may be replicated across regions for redundancy
Approach: Configure cloud services to restrict data to specific regions, disable automatic cross-region replication, use region-specific encryption keys
Global SaaS Platform
Issue: Customer data from India mixed with global customer data
Approach: Implement data residency options, separate Indian customer data, use dedicated India region infrastructure
Adequacy Decisions (Future)
Similar to GDPR, the DPDP Act may in future allow adequacy decisions for countries with equivalent data protection. Monitor for developments.
Children's Data Protection
Age Threshold: Under 18
Unlike GDPR (16 years) or COPPA (13 years), the DPDP Act sets the age threshold at 18 years. This is significantly higher and requires robust age verification.
Implications:
Verifiable Parental Consent
Section 9 requires "verifiable" parental consent, meaning organizations must have reasonable assurance that the consent comes from the actual parent or guardian.
Verification Methods:
OTP to Parent Mobile
Document Verification
Credit Card Verification
Video KYC
Prohibited Processing
Section 9(2) prohibits tracking, behavioral monitoring, and targeted advertising of children.
Prohibited:
Allowed Processing:
Legitimate Uses Analysis (Section 7)
When Consent is NOT Required
Section 7 lists specific purposes where consent is not required. Understanding these exemptions is critical for compliance.
Voluntary provision by Data Principal
Example: User voluntarily provides email in contact form for specific purpose
Conditions: Purpose must be clear, data used only for stated purpose
Performance of function under law
Example: Government agency collecting data for statutory function
Conditions: Must be authorized by law, limited to necessary data
Compliance with court order or legal obligation
Example: Responding to court summons, tax compliance
Conditions: Must be actual legal requirement, not voluntary
Medical emergency
Example: Hospital accessing patient records in emergency
Conditions: Genuine emergency, proportionate access
Employment-related processing
Example: HR processing employee data for payroll, benefits
Conditions: Limited to employment relationship, reasonable necessity
Safeguarding life or health
Example: Contact tracing during epidemic, emergency services
Conditions: Genuine threat to life/health, proportionate response
Common Mistakes:
State Processing Standards
Section 7(b) allows the State to process data for specific purposes, creating a separate framework for government data processing.
State Processing Exemptions:
Conflict Resolution
DPDP vs Sector-Specific Regulations
Organizations in regulated sectors must comply with both the DPDP Act and sector-specific regulations. Understanding how these interact is critical.
Banking & Finance (RBI)
Conflict: RBI mandates data localization; DPDP allows cross-border transfer (subject to restrictions)
Resolution: Follow the stricter requirement (RBI data localization)
Implementation: Maintain data in India as per RBI, ensure DPDP compliance for Indian data
Securities (SEBI)
Conflict: SEBI requires retention of records for specific periods; DPDP requires data minimization
Resolution: Retain data as per SEBI requirements, delete after the retention period
Implementation: Document the legal basis for retention, implement automated deletion post-retention
Insurance (IRDAI)
Conflict: IRDAI requires extensive data collection; DPDP requires purpose limitation
Resolution: Collect data as per IRDAI requirements with clear purpose specification
Implementation: Separate consent for regulatory vs marketing purposes
Telecom (TRAI)
Conflict: TRAI has specific consent requirements for commercial communication
Resolution: Comply with both TRAI (DND) and DPDP consent requirements
Implementation: Implement dual consent tracking, respect both frameworks
DPDP vs Contractual Obligations
Contracts may require data sharing or processing that conflicts with DPDP requirements.
B2B Contract Requiring Data Sharing
Conflict: Contract requires sharing customer data with a partner; DPDP requires consent
Resolution: Obtain consent for data sharing, or renegotiate the contract
Prevention: Include DPDP compliance clauses in all new contracts
Data Retention in Service Agreement
Conflict: Contract requires indefinite data retention; DPDP requires data minimization
Resolution: Renegotiate the retention period, or obtain ongoing consent
Prevention: Define reasonable retention periods in contracts
DPDP vs Other Privacy Laws (GDPR, CCPA)
Organizations operating globally must comply with multiple privacy frameworks.
Recommended Approach:
Key Differences:
Territorial Scope
DPDP Act: Processing of digital personal data in India
GDPR: Processing in the EU or offering goods/services to EU residents
Approach: Determine which law applies based on data subject location and processing location
Age Threshold
DPDP Act: 18 years
GDPR: 16 years (or lower as per member state)
Approach: Apply the stricter threshold (18) for users who may be in both jurisdictions
Penalties
DPDP Act: Up to ₹250 Crores
GDPR: Up to €20M or 4% of global turnover
Approach: Ensure compliance with both to avoid penalties under either framework
DPDP Advanced Topics — Frequently Asked Questions
The edge-case questions on consent, transfers, children’s data, and regulatory conflicts.
Does the DPDP Act allow consent to be bundled?
No. The DPDP Act requires consent to be specific, so consent for one purpose cannot be bundled with consent for an unrelated purpose. In practice you must present separate, individually selectable consents — for example, order updates as one (required) consent and marketing as another (optional) consent — rather than a single "I agree to everything" checkbox. Service cannot be made conditional on an optional consent, and a withdrawal mechanism must be as easy to use as the original opt-in (Section 6(4)).
Can personal data be transferred outside India under the DPDP Act?
Yes, by default. The DPDP Act takes a "blacklist" approach: cross-border transfers are generally permitted, but Section 16 empowers the Central Government to restrict transfers of personal data to specific countries or territories by notification. Sector rules can be stricter — RBI, for instance, requires certain payment data to be stored in India. Organisations should maintain a transfer inventory (what data goes where, via which processors) and a contingency plan in case a destination is later restricted.
What is the age of a child under the DPDP Act?
Under the DPDP Act, a child is anyone under 18 years of age — higher than GDPR (16, or lower by member state) or the US COPPA (13). Processing a child’s personal data requires verifiable parental consent, and Section 9 prohibits tracking, behavioural monitoring, and targeted advertising directed at children, as well as any processing likely to cause harm. This higher threshold means many mainstream services must build robust age-assurance and parental-consent mechanisms.
When can personal data be processed without consent under the DPDP Act?
Section 7 defines "legitimate uses" where consent is not required. These include data a data principal voluntarily provides for a specified purpose, performance of a function under law, compliance with a legal obligation or court order, medical emergencies, safeguarding life or health during an epidemic or disaster, and certain employment-related processing. Each is narrow and conditional — for example, the employment exemption is limited to what is reasonably necessary for the employment relationship. Stretching a legitimate use to avoid obtaining consent is a frequent compliance error.
How do you resolve a conflict between the DPDP Act and a sector regulator?
Where the DPDP Act and a sector regulation both apply, the prudent default is to follow the stricter requirement and document the legal basis for it. For example, RBI data-localisation overrides DPDP’s permissive cross-border stance for payment data; SEBI and IRDAI record-retention mandates justify holding data that DPDP minimisation might otherwise delete, so you retain per the sector rule and delete afterwards; and TRAI commercial-communication consent operates alongside DPDP consent. Tranquility Cybersecurity (TCSA) helps regulated organisations reconcile these overlapping regimes without creating gaps in either.
Working through a hard scenario? Cross-check it against the DPDP Act knowledge hub, quantify the downside with the penalty calculator, and review how we have handled comparable engagements on our proof page. For specialist help, Tranquility Cybersecurity (TCSA) offers DPDP compliance consulting in India.