DPDP Act 2023 · Section 6 & Rule 4 · Consent Management
DPDP Consent
Management
Consent is the cornerstone of the DPDP Act. Understanding consent requirements and leveraging Consent Managers is essential for lawful data processing.
Section 6 requires consent to be free, specific, informed, unconditional, and unambiguous — and withdrawal must be as easy as giving it.
DPDP Act 2023 · Section 6 + Rule 4, DPDP Rules 2025 · Last reviewed June 2026
Direct Answer
What makes consent valid under the DPDP Act?
Under the DPDP Act 2023, consent is the primary lawful basis for processing personal data, and Section 6 requires it to be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. The DPDP Rules 2025 add the Consent Manager — a Board-registered platform under Rule 4 that lets individuals give, manage, review, and withdraw consent in one interoperable place — with the right to withdraw consent as easily as it was given.
Section 6
What Constitutes Valid Consent?
Free
Consent must be given freely without coercion or undue influence
Specific
Consent must be specific to the purpose for which data is processed
Informed
Data Principal must be fully informed about processing activities
Unconditional
Consent cannot be bundled with other services as a condition
Unambiguous
Clear affirmative action indicating agreement is required
At a Glance
Consent Requirements at a Glance
Each attribute of valid consent under Section 6, what it means in practice, and a common way organizations get it wrong.
| Attribute | What it means | Common failure |
|---|---|---|
| Free | Given without coercion, pressure, or undue influence | Denying a service unless unrelated marketing consent is also given |
| Specific | Tied to each distinct purpose of processing | A single blanket tick-box covering many unrelated purposes |
| Informed | Preceded by clear notice of what data, why, and rights | Consent buried in dense terms with no plain-language notice |
| Unconditional | Not bundled as a condition for an unrelated service | Forcing analytics consent to access core functionality |
| Unambiguous | Indicated by clear affirmative action | Pre-ticked boxes or inferring consent from silence |
Rule 4
Consent Manager (Rule 4)
A Consent Manager is a registered entity that enables Data Principals to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.
Registration Requirements
Entity Requirements
Technical Requirements
Operational Requirements
Section 6(4)
Withdrawal of Consent
Data Principals have the right to withdraw consent at any time with the same ease as giving consent.
- Must be as easy as giving consent
- Takes effect from time of withdrawal
- Does not affect prior processing
Upon withdrawal, Data Fiduciaries must:
- Stop processing immediately
- Erase personal data within specified time
- Ensure processors also erase data
Frequently Asked Questions
Common questions on valid consent, Consent Managers, withdrawal, and records.
What makes consent valid under the DPDP Act?
Under Section 6 of the DPDP Act 2023, consent must be free, specific, informed, unconditional, and unambiguous, signalled by a clear affirmative action. It must be preceded by a notice describing the personal data collected, the purpose, and how to exercise rights and withdraw consent. Pre-ticked boxes, bundled consent, and inferring consent from silence are not valid.
What is a Consent Manager under the DPDP Act?
A Consent Manager is an entity registered with the Data Protection Board that gives data principals a single, interoperable platform to give, manage, review, and withdraw consent across multiple data fiduciaries. Rule 4 of the DPDP Rules 2025 sets the registration and operating conditions, including a minimum net worth of ₹2 crore, interoperability, and no conflict of interest.
Can a data principal withdraw consent at any time?
Yes. The DPDP Act guarantees the right to withdraw consent at any time, and withdrawal must be as easy as giving it. Withdrawal takes effect from that point and does not invalidate processing already carried out lawfully. On withdrawal, the data fiduciary must stop processing and ensure it and its processors erase the personal data unless retention is legally required.
Do I still need consent if I already comply with GDPR?
Often, yes, and more frequently than under the GDPR. The DPDP Act is consent-centric and does not recognise a legitimate-interest basis, so several activities that rely on legitimate interest under the GDPR will need consent (or a narrow legitimate use) under DPDP. Existing GDPR consent mechanisms are a strong starting point but usually need re-engineering.
How should consent records be maintained?
Data fiduciaries should keep an auditable record of each consent — what was consented to, when, the notice shown, and any withdrawal — so they can demonstrate a valid basis for processing if the Data Protection Board asks. Where a Consent Manager is used, it maintains an interoperable consent audit trail that the data principal can access.
Continue your DPDP research
- DPDP Act compliance hub — the full guide to the Act and Rules 2025.
- DPDP compliance consulting in India — consent flow design and end-to-end implementation.
- DPDP penalty calculator — model the cost of consent and other defaults.
- Tranquility Cybersecurity credentials & proof.
Written By Expert Auditors
Keep Exploring
Related Reading
DPDP Knowledge Hub
Rules 2025, penalties, SDF obligations and 14 deep-dive guides.
Read moreData Principal Rights
Access, correction, erasure and grievance redressal rights.
Read moreDPDP Compliance Checklist
A step-by-step checklist for DPDP Act readiness.
Read moreDPDP vs GDPR
Side-by-side comparison for companies subject to both regimes.
Read moreGDPR Compliance
The EU's data protection regulation for any company with EU users.
Read moreISO 27701 (PIMS)
The privacy extension to ISO 27001 — one audit, two certificates.
Read moreGet in touch
Book a free consultation or send us your requirements. We respond within 24 hours.
Quick Call
Pick a time slot
Send Requirements
Get a custom quote in 24 hours