Lawful Processing and Consent under DPDP Act 2023

Under the Digital Personal Data Protection (DPDP) Act, 2023, consent serves as the default legal basis for processing personal data. As defined under Section 6 of the Act, consent must be free, specific, informed, unconditional, and unambiguous—demonstrated through a clear affirmative action by the individual (Data Principal). This means that consent cannot be obtained through pre-ticked boxes, bundled approvals for unrelated purposes, or coercive terms that require waiving statutory rights.

Table of Contents

1. Consent as the Default Legal Basis
2. Building a Compliant Consent Flow
3. Withdrawal & Consequence Management
4. Processing without Consent – Section 7 “Legitimate Uses”
5. Consent for Children & Persons with Disabilities
6. Consent Managers – Future of Interoperable Permissions
7. Record‑keeping & Audit Trail
8. Key Takeaways

Check out Taxmann's Digital Personal Data Protection Act 2023 with Draft Rules – Bare Act with Section Notes which offers a robust framework for India's data privacy landscape. It clarifies rights and safeguards for Data Principals, details obligations for Data Fiduciaries, and highlights recent legislative updates from statutes like the IT Act and RTI Act. Comprehensive Section Notes and FAQs delve into key principles such as consent and cross-border transfers, simplifying complex provisions for easy reference. The book's structured approach, with illustrations, indexes, and a clear layout, caters to legal practitioners, corporate counsels, regulators, students, and IT professionals.

1. Consent as the Default Legal Basis

Section 6 codifies consent as the principal gateway to lawful processing, echoing the autonomy principle in Justice Puttaswamy. Consent must be –

Free | Specific | Informed | Unconditional | Unambiguous – demonstrated by a clear affirmative action.

2. Building a Compliant Consent Flow

1. App – Opens the sign‑up page
2. Displays notice (purpose, data items, rights, DPB info)
3. Clicks “I Agree”
4. DB – Logs timestamp + consent version

Note right of App – Withdrawal via settings or Consent Manager

2.1 Notice Essentials

• Identity & contact of Data Fiduciary/DPO
• Purpose(s) of processing – distinct granularity
• List of personal data fields collected
• Rights & grievance channel
• Withdrawal mechanism (one‑click toggle)
• DPB complaint route

Provide in English and a principal Indian language appropriate to the audience.

2.2 Prohibited Practices

• Pre‑ticked boxes or inertial opt‑in
• Bundling unrelated purposes (“all future marketing”)
• Forcing waiver of statutory rights

3. Withdrawal & Consequence Management

• Must be “as easy as giving consent” (eg same UI path).
• On withdrawal, halt processing and erase data unless retention is mandated by law.
• If service delivery genuinely depends on that data, the Fiduciary may discontinue service but must inform the user before withdrawal is finalised.

4. Processing without Consent – Section 7 “Legitimate Uses”

#	Legitimate Use	Key Conditions	Example
1	Voluntary provision of personal Data	Data Principal voluntarily gives data & there is no objection to its use for specific purpose.	Visitor drops a business card to obtain the white‑paper download.
2	State benefits/licences/Subsidies	Processing by the State or its instrumentalities to provide subsidy, benefits, services, certificates, permits etc.	Transport Dept re‑uses Aadhaar to issue driving licence.
3	Legal Function of the State	Necessary for the performance of any function of the State or instrumentality under law for purposes like sovereignty, integrity, public order, security of the State, etc	Crime‑investigation database.
4	Legal Obligation/Compliance with Orders	Necessary for compliance with Indian law, or judicial decree/order; includes foreign judgements of civil/contractual nature.	Telco retains CDRs for 2 years per DoT rules.
5	Medical Emergency	Threat to life or severe health risk to any individual.	Hospital accesses patient allergy data when unconscious.
6	Epidemic / Disaster Response	Measures taken for safety of individuals or to provide services/assistance during disasters or breakdown of public order.	Sharing evacuee lists after flood.
7	Employment Purposes	Proportionate processing is used to recruit, pay, evaluate, or protect employer IP.	Attendance biometrics; insider‑threat monitoring.

Compliance guardrail –  Processing must still be necessary and proportionate; misuse outside the enumerated scope attracts penalties equal to consent breaches.

5. Consent for Children & Persons with Disabilities

• Age cut‑off – 18 years (higher than GDPR).
• Obtain verifiable parental or guardian consent (methods to be prescribed—OTP, digital locker, etc.).
• Absolute Prohibitions – behavioural tracking, targeted ads, detrimental processing.
• For incapacitated adults, lawful guardian’s consent required.

6. Consent Managers – Future of Interoperable Permissions

Registered intermediaries that –

1. Present consolidated dashboard of consents.
2. Transmit digitally signed consent artefacts to Fiduciaries.
3. Maintain auditable logs; owe fiduciary duty to Data Principal.

DPB will issue regulatory standards (tech specs, grievance SLA). Early participation can streamline user experience and reduce Fiduciary overhead.

7. Record‑keeping & Audit Trail

Fiduciaries must preserve evidence of consent – timestamp, version of notice, language, device ID, etc. The DPB may demand logs during an inquiry. Absence of proof = no consent.

8. Key Takeaways

• Design opt-in by default; avoid “take‑it‑or‑leave‑it” bundles.
• Map each processing purpose – match to either valid consent or a specific legitimate‑use clause.
• Build a withdrawal toggle and suppression workflows.
• For minors, implement age‑gating and parental verification now.
• Document everything—DPB’s first question in an inquiry will be “Show us the consent or legitimate‑use record.”

Dive Deeper:
Overview of Digital Personal Data Protection Act (DPDP Act) 2023
Scope and Key Definitions Under DPDP Act
Rights of Data Principals under the DPDP Act 2023
Cross‑Border Data Transfers under the DPDP Act 2023
Obligations of Data Fiduciaries under DPDP Act 2023
Data Privacy Breach | Enforcement | Penalties under the DPDP Act
DPDP Act Compliance Checklist for Businesses
DPDP Act vs IT Act – Shifting India’s Data‑protection Paradigm
DPDP Act vs EU GDPR Compliance – A Comparative Analysis
DPDP Act Impact on Startups and SMEs in India
FinTech and BFSI – Sector-specific Guidance for DPDP Compliance
DPDP in Healthcare Ecosystem – HealthTech and Hospitals