← Back to blog
Guide·2 min read

Consent under the DPDPA — building a compliant consent programme

Consent is the backbone of the DPDPA. Here's what valid consent requires, the mistakes to avoid, and how to operationalise consent and withdrawal at scale.

F

Fortifyze Team

Trufe · 16 June 2026

For most processing under India's DPDPA, consent is the legal basis — and the bar is higher than the cookie-banner box-ticking many teams are used to. Getting consent right is the difference between a defensible programme and a fragile one.

What valid consent requires

Under the DPDPA, consent must be:

  • Free — not bundled or coerced;
  • Specific — tied to clearly stated purposes, not a vague catch-all;
  • Informed — preceded by a clear notice of what's collected and why;
  • Unambiguous — a clear affirmative action;
  • Withdrawable — as easy to withdraw as it was to give.

Crucially, when consent is withdrawn, you must stop the corresponding processing and cascade that decision to your processors.

Common mistakes

  • One blanket consent for many unrelated purposes. Purposes must be granular.
  • No record of what was consented to, when, and against which notice version. If you can't prove it, you can't rely on it.
  • Withdrawal that's harder than granting. A hidden, multi-step opt-out won't pass.
  • Ignoring downstream processors. Withdrawal has to propagate.

What an operational consent programme looks like

  1. Branded, granular consent forms that capture purpose-level choices.
  2. Versioned notices — every consent is tied to the exact notice text shown.
  3. An immutable audit trail of grants and withdrawals, with timestamps.
  4. Easy withdrawal and preference management for data principals.
  5. Renewal flows for when purposes or notices change.

Consent and the rest of your programme

Consent doesn't live alone. It connects to:

  • Data discovery — knowing what data a purpose actually touches;
  • Data-subject rights — withdrawal often triggers erasure;
  • Records of processing — each purpose maps to a processing activity and lawful basis.

How Fortifyze helps

Fortifyze provides branded consent forms and cookie banners, granular purposes, versioning, renewal campaigns and a complete audit trail — wired into discovery, rights and records so consent is something you can prove, not just claim.

Explore consent management or talk to us.

General information, not legal advice.

Consent ManagementDPDPACompliance

See Fortifyze on your data

Discover personal data and prove DPDPA compliance in one platform.

Get started freeTalk to Sales