More Than the Checkbox: Designing Legally Binding Consent under India’s DPDP Act

Posted On - 27 March, 2026 • By - Aniket Ghosh

Introduction

The Digital Personal Data Protection Act, 2023 (“DPDP Act”), along with the notified Rules, represents a fundamental shift in India’s data protection framework. Consent under this law is no longer a formalistic, checkbox-based exercise; it is a substantive, demonstrable, and system-driven legal requirement.

Consent must now be obtained, recorded, and maintained in a manner that is affirmative, informed, and traceable. This aligns with the constitutional principle of informational self-determination, recognized by the Supreme Court in Justice K.S. Puttaswamy v. Union of India¹, which established privacy as a fundamental right and emphasized the individual’s control over personal data.

The DPDP Act operationalizes this principle, imposing strict standards on how consent is sought, documented, and verifiably linked to specific processing purposes.

1. Notice as a Precondition (Section 5)

Under Section 5, no request for consent may be made without a prior notice. The notice must clearly communicate:

  1. The personal data being collected and the specific purpose for which it will be processed.
  2. How the Data Principal may withdraw consent and exercise their other rights, including the Data Fiduciary’s grievance redressal mechanism.
  3. The procedure for filing a complaint with the Data Protection Board of India.

This provision eliminates the practice of post-hoc or consolidated disclosures. Consent must be purpose-specific, point-of-collection, and just-in-time, as mandated by law.

2. Standard for Valid Consent (Section 6)

Section 6 sets out the substantive standard for valid consent, which must be:

  • Free (not coerced or bundled)
  • Specific to the purpose
  • Informed with clear notice
  • Unconditional for the particular purpose requested
  • Unambiguous, expressed through a clear affirmative action

Key operational rules include:

  • Bundled consent is prohibited. Consent for the core service cannot be conditioned on agreement to ancillary uses such as marketing, analytics, or profiling. Each purpose must be individually selectable.
  • Default, pre-ticked, or implied consent mechanisms are invalid. Consent must reflect a conscious, affirmative act.

These requirements emphasize that consent is not a contractual formality, but a substantive legal obligation.

3. Dark Patterns and Interface Design

Consent is also assessed in the context of the user interface (UI) and user experience (UX). UI patterns that nudge users towards consent, such as:

  • Prominent “Accept All” buttons
  • Buried or multi-step options for refusal

may undermine voluntariness. Even when refusal is technically possible, these design choices may render consent non-compliant.

Comparative guidance: The European GDPR invalidates consent obtained via pre-ticked boxes or fragmented disclosures. While not binding in India, such jurisprudence is persuasive, given the DPDP Act’s emphasis on affirmative and informed consent.

4. Purpose Creep and Versioning

A common compliance failure occurs when consent is obtained for one purpose but later used for additional processing, e.g., new analytics functionality or data-sharing arrangements.

Consent must be linked to the specific notice version and purpose. Without this, a Data Fiduciary cannot demonstrate informed consent, and such consent may be treated as legally non-existent.

Solution: Maintain version-controlled notices and purpose-linked consent records to document exactly what a user consented to at any given time.

5. Burden of Proof (Section 6(10))

Section 6(10) places the burden of proof squarely on the Data Fiduciary to show that valid consent was obtained. Consent records must be preserved as evidence, including:

  • The notice format provided
  • Purposes disclosed
  • Language of notice, user actions, and timestamps
  • Linkage between consent and subsequent data use

Deleting or altering consent records while continuing to process data exposes fiduciaries to regulatory and legal risks.

6. Operationalizing Compliance

Consent must be embedded as a systemic feature, not an isolated action. Key compliance measures include:

  • Purpose-level consent indicators instead of single Boolean flags
  • Immutable versioning of notices with user-notice mapping
  • Purpose tagging of personal data fields in backend systems
  • Enforceable withdrawal mechanisms for consent

Compliance requires coordination between legal, product, and engineering teams to implement privacy by design.
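One way to build the records that Sections 4, 5 and 6 above call for, as an added illustration that is not part of the original article and not any vendor’s product: a purpose-scoped, append-only consent ledger in Python. The class name ConsentLedger, the purpose labels, the principal ids, the notice wording and the timestamps are all assumptions constructed for the example. Each grant is bound to the content-addressed version of the notice that was shown, each purpose has its own history instead of a single Boolean, withdrawal is appended rather than edited in, and a hash chain makes later alteration of the records detectable.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone


def _canonical(obj) -> bytes:  # deterministic JSON, so equal records always hash equally
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


class ConsentLedger:
    """Purpose-scoped, append-only consent records with a hash chain. Illustrative, not a library API."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.notices: dict[str, dict] = {}  # version_id -> the notice content actually shown
        self.events: list[dict] = []        # append-only; each event commits to the previous hash

    def register_notice(self, text: str, language: str, purposes) -> str:
        """Content-addressed version id: any change of wording, language or purposes is a new version."""
        body = {"text": text, "language": language, "purposes": sorted(set(purposes))}
        version_id = hashlib.sha256(_canonical(body)).hexdigest()[:16]
        self.notices.setdefault(version_id, body)
        return version_id

    def _append(self, event: dict) -> dict:
        prev = self.events[-1]["hash"] if self.events else self.GENESIS
        event = dict(event, seq=len(self.events), prev_hash=prev)
        event["hash"] = hashlib.sha256(prev.encode() + _canonical(event)).hexdigest()
        self.events.append(event)
        return event

    def record_grant(self, principal: str, notice_version: str, purposes, ts: datetime) -> dict:
        """Record only the purposes the principal affirmatively selected under one specific notice version."""
        notice = self.notices[notice_version]  # KeyError: no recorded notice means no recordable consent
        chosen = set(purposes)
        if not chosen:
            raise ValueError("no affirmative action: nothing to record")
        undisclosed = chosen - set(notice["purposes"])
        if undisclosed:
            raise ValueError(f"purposes not disclosed in notice {notice_version}: {sorted(undisclosed)}")
        return self._append({"principal": principal, "action": "grant", "purposes": sorted(chosen),
                             "notice_version": notice_version, "ts": ts.isoformat()})

    def record_withdrawal(self, principal: str, purposes, ts: datetime) -> dict:
        """Withdrawal is appended, never edited in: the earlier grant remains evidence for its period."""
        return self._append({"principal": principal, "action": "withdraw", "purposes": sorted(set(purposes)),
                             "notice_version": None, "ts": ts.isoformat()})

    def permitted(self, principal: str, purpose: str, at: datetime) -> bool:
        """Processing gate: replay events up to `at`; the latest grant/withdrawal for that purpose wins."""
        state = False
        for ev in self.events:
            if (ev["principal"] == principal and purpose in ev["purposes"]
                    and datetime.fromisoformat(ev["ts"]) <= at):
                state = ev["action"] == "grant"
        return state

    def evidence(self, principal: str, purpose: str) -> list[dict]:  # events joined to the notice shown
        return [dict(ev, notice=self.notices.get(ev["notice_version"]))
                for ev in self.events if ev["principal"] == principal and purpose in ev["purposes"]]

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited, reordered or deleted record breaks the chain."""
        prev = self.GENESIS
        for i, ev in enumerate(self.events):
            body = {k: v for k, v in ev.items() if k != "hash"}
            expected = hashlib.sha256(prev.encode() + _canonical(body)).hexdigest()
            if ev["seq"] != i or ev["prev_hash"] != prev or ev["hash"] != expected:
                return False
            prev = ev["hash"]
        return True


def demo() -> dict:
    """Constructed walk-through: selective consent, purpose creep, withdrawal and tamper detection."""
    ledger = ConsentLedger()
    t0 = datetime(2026, 3, 27, 10, 0, tzinfo=timezone.utc)
    v1 = ledger.register_notice("Email is used to run your account; optionally for marketing.", "en",
                                {"service", "marketing"})
    ledger.record_grant("dp-001", v1, {"service"}, t0)  # marketing deliberately left unticked
    v2 = ledger.register_notice("Email is used to run your account, for marketing and analytics.", "en",
                                {"service", "marketing", "analytics"})
    try:
        ledger.record_grant("dp-002", v1, {"analytics"}, t0)  # v1 never disclosed analytics
        undisclosed_rejected = False
    except ValueError:
        undisclosed_rejected = True
    t1 = t0 + timedelta(days=30)
    ledger.record_withdrawal("dp-001", {"service"}, t1)
    out = {
        "new_version": v1 != v2,
        "service_before_withdrawal": ledger.permitted("dp-001", "service", t0 + timedelta(days=1)),
        "service_after_withdrawal": ledger.permitted("dp-001", "service", t1 + timedelta(seconds=1)),
        "marketing_permitted": ledger.permitted("dp-001", "marketing", t1),
        "analytics_permitted": ledger.permitted("dp-001", "analytics", t1),  # no grant under v2
        "undisclosed_rejected": undisclosed_rejected,
        "evidence_events": len(ledger.evidence("dp-001", "service")),
        "chain_intact": ledger.verify_chain(),
    }
    ledger.events[0]["purposes"] = ["marketing", "service"]  # silent after-the-fact edit
    out["tamper_detected"] = not ledger.verify_chain()
    return out
```

Running demo() shows the behaviours the article asks for: a notice that gains a purpose gets a new version id and no existing grant carries over to it, so analytics stays blocked until the principal consents again; marketing stays blocked because it was never selected, whatever the default state of the UI; the processing gate answers per purpose and per point in time, so the earlier grant still proves that processing between t0 and t1 was covered even after withdrawal; and the hash chain turns a quiet edit of an old record into a detectable break. The chain only makes tampering detectable, not impossible: an insider with write access can rewrite every hash, so in production the chain head should be periodically anchored in write-once storage or signed by a key the application cannot use.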

Conclusion

The DPDP Act redefines digital consent in India. Valid consent is not hidden in fine print or implied by inaction; it is transparent, affirmative, and verifiable.

In this framework, UX design is part of the law. Legal validity depends on interface design and backend infrastructure. Data Fiduciaries that treat consent as a continuous, active system, rather than a mere checkbox, will be well-positioned to withstand regulatory scrutiny under India’s evolving data protection landscape.

  1. Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (nine-judge bench).
