In short: This DPDP consent manager compliance checklist walks Indian founders and product managers through every step required under the Digital Personal Data Protection Act 2023 and the Rules notified in 2025 — from notice design and consent capture to withdrawal rights and record-keeping — so your app or website stays on the right side of the law.
Key points
- The Digital Personal Data Protection Act 2023 (DPDP Act) requires a Data Fiduciary to obtain free, specific, informed, unconditional, and unambiguous consent before processing personal data for most purposes — bundled or pre-ticked consent boxes are unlawful.
- A Consent Manager is a registered entity through which a Data Principal can give, manage, review, and withdraw consent across multiple platforms; using one does not transfer your compliance obligations as a Data Fiduciary.
- Consent must be as easy to withdraw as it is to give; withdrawal must take effect without detriment to the individual and does not apply retroactively to already-completed processing.
- The DPDP Rules 2025 specify the form and content of the notice that must accompany or precede the consent request, including itemised disclosure of the personal data sought, the purpose, and grievance contact details.
- Children’s data requires verifiable parental or guardian consent, and the Rules impose additional conditions on Data Fiduciaries before processing data of minors under 18.
- Penalties for consent-related violations can reach significant amounts under the Act; exact penalty figures should be verified against the current text on India Code before relying on them.
What is a Consent Manager under the DPDP Act?
The DPDP Act introduces the concept of a Consent Manager — an entity registered with the Data Protection Board of India that acts as a single, interoperable platform through which a Data Principal (your user) can manage consents given to multiple Data Fiduciaries (businesses like yours).
Think of it as a dashboard your users can log into to see every app they have consented to, review what data is being processed, and withdraw consent at any time — all without contacting each business individually.
Importantly, routing consent through a registered Consent Manager does not shift your obligations. You remain the Data Fiduciary and remain accountable for lawful processing.
Why does this matter for your app or website right now?
The DPDP Act received Presidential assent in August 2023. The Rules were notified in 2025, triggering concrete compliance deadlines for businesses collecting personal data in India.
If your app or website collects even a name and phone number, and you decide why and how that data is processed, you are a Data Fiduciary and the consent framework applies to you. Non-compliance exposes you to investigation by the Data Protection Board and financial penalties.
For a broader overview of how Indian digital law affects everyday business, see our Law for You guides on the key statutes you need to know.
DPDP consent manager compliance checklist: step by step
Step 1 — Map your data and purposes before you design anything
Before writing a single line of code, list every category of personal data you collect, the specific purpose for each, and whether the processing falls under one of the Act’s other grounds (the “legitimate uses”, such as compliance with a legal obligation or a court order). Consent is only one lawful basis under the Act, and you should know in advance which basis each purpose relies on.
Delete purposes you cannot justify. The DPDP Act’s purpose-limitation principle means you cannot collect data “just in case.”
Step 2 — Draft a compliant notice
A consent request must be accompanied by a notice that is written in clear, plain language and is available in the languages listed in the Eighth Schedule of the Constitution if the user requests it. The notice must specify:
- the personal data to be processed and the purpose for each item;
- the manner in which the Data Principal can exercise their rights (access, correction, erasure, grievance redressal) and how they can complain to the Data Protection Board; and
- contact information for your Data Protection Officer or grievance officer.
Do not bury these disclosures in a 40-page privacy policy linked at the footer. The notice must be prominent and co-located with the consent ask.
Step 3 — Build a lawful consent UI
Your consent interface must satisfy the five adjectives the Act uses: free, specific, informed, unconditional, and unambiguous. In practice, this means:
- no pre-ticked checkboxes;
- separate tick-boxes for each distinct purpose (bundled consent is invalid);
- no dark patterns (confusing language, hidden decline options, or guilt-trip copy);
- no gate-keeping — users must not be denied a core service for refusing optional processing.
Step 4 — Decide whether to integrate a registered Consent Manager
If you serve a large user base or operate across multiple platforms, integrating with a registered Consent Manager can reduce your operational burden. The Consent Manager provides the interoperable infrastructure; you provide the accurate purpose and data descriptions via their API.
Verify that any Consent Manager you use is registered with the Data Protection Board. Registration requirements and the list of approved entities are set by the Rules — check the Board’s official register before signing a contract.
Step 5 — Build withdrawal mechanisms that work
Withdrawal of consent must be as easy as giving it. If a user tapped one button to consent, they must be able to withdraw with approximately the same effort. Withdrawal must take effect promptly and must not result in denial of a service to which the user is otherwise entitled.
Plan for what happens in your back-end when consent is withdrawn: processing for the withdrawn purpose must stop, and data held only for that purpose should be deleted or de-identified unless another lawful basis applies. Processing that was completed before the withdrawal remains lawful, so your records need to show when consent was in force, not just whether it currently is.
Step 6 — Handle children’s data separately
For users under 18, you must obtain verifiable consent from a parent or guardian before any processing. The Rules set out the specific mechanism for age verification and parental consent — review them carefully and do not rely on a simple self-declaration checkbox. Violations in this category attract heightened scrutiny.
Step 7 — Maintain consent records
You must be able to demonstrate that valid consent was obtained. Keep timestamped logs of: the notice version shown, the specific purposes consented to, the date and time, and any subsequent withdrawal. These logs are your evidence if the Data Protection Board investigates.
Step 8 — Appoint and publish a grievance officer
Every Data Fiduciary must provide a means for Data Principals to raise complaints. Publish the grievance officer’s name (or designation) and contact details clearly on your app and website. The Rules specify timelines for acknowledging and resolving complaints — check the current Rules text for the precise figures.
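To make Steps 3, 5 and 7 concrete, the following is an added example written for this article; it is not code from the Act, the Rules, or any registered Consent Manager’s API, and the names (`ConsentLedger`, `may_process`, the purpose labels, the notice text) are assumptions. It models consent as an append-only log with one event per purpose, refuses the UI states the Act treats as invalid (pre-ticked boxes, purposes the notice never itemised), makes withdrawal a single call, and answers the point-in-time question “was consent in force for this purpose at this moment?”, which is what you need both to gate processing and to show the Board that processing done before a withdrawal was lawful.

```python
"""Consent ledger for a DPDP-style consent flow (hypothetical example).

Assumptions (not taken from the Act or Rules): one event per purpose,
an append-only event log, and a point-in-time check before processing.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass(frozen=True)
class Notice:
    version: str
    text: str
    purposes: tuple  # purposes this notice itemises, one label each

    @property
    def digest(self) -> str:
        # Hash of the exact wording shown, so the log can prove which text was displayed.
        return hashlib.sha256(self.text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Event:
    kind: str          # "given" or "withdrawn"
    principal: str     # your internal user identifier
    purpose: str
    at: datetime
    notice_version: str = ""
    notice_digest: str = ""


class ConsentLedger:
    def __init__(self):
        self._events = []  # append-only: never edited or deleted

    def record_consent(self, principal, notice, purposes, at, pre_ticked=False):
        # Reject UI states that do not amount to a clear affirmative action.
        if pre_ticked:
            raise ValueError("pre-ticked consent is not a clear affirmative action")
        if not purposes:
            raise ValueError("no purpose was affirmed")
        for p in purposes:
            if p not in notice.purposes:
                raise ValueError(f"purpose {p!r} is not itemised in notice {notice.version}")
        # One event per purpose: consent is specific, never bundled.
        for p in purposes:
            self._events.append(Event("given", principal, p, at, notice.version, notice.digest))

    def withdraw(self, principal, purpose, at):
        # A single call, mirroring the single tap that granted consent.
        self._events.append(Event("withdrawn", principal, purpose, at))

    def may_process(self, principal, purpose, at):
        # The latest event for (principal, purpose) at or before `at` decides.
        state = None
        for e in sorted(self._events, key=lambda e: e.at):
            if e.principal == principal and e.purpose == purpose and e.at <= at:
                state = e.kind
        return state == "given"

    def pending_erasure(self, principal, other_lawful_basis=frozenset()):
        # Purposes currently withdrawn and not covered by another lawful basis.
        latest = {}
        for e in sorted(self._events, key=lambda e: e.at):
            if e.principal == principal:
                latest[e.purpose] = e.kind
        return sorted(p for p, k in latest.items()
                      if k == "withdrawn" and p not in other_lawful_basis)

    def audit_trail(self, principal):
        return [e for e in self._events if e.principal == principal]


def demo():
    # Constructed sample data: a two-purpose notice and one user's journey.
    notice = Notice("v1", "We use your name and phone number to run your account "
                          "and, if you agree, to send marketing messages.",
                    ("account", "marketing"))
    ledger = ConsentLedger()
    t0 = datetime(2025, 11, 20, 10, 0, tzinfo=timezone.utc)
    ledger.record_consent("user-42", notice, ["account", "marketing"], t0)
    ledger.withdraw("user-42", "marketing", t0 + timedelta(days=2))

    try:
        ledger.record_consent("user-43", notice, ["account"], t0, pre_ticked=True)
        pre_ticked_rejected = False
    except ValueError:
        pre_ticked_rejected = True
    try:
        ledger.record_consent("user-43", notice, ["profiling"], t0)
        unlisted_rejected = False
    except ValueError:
        unlisted_rejected = True

    return {
        "marketing_day1": ledger.may_process("user-42", "marketing", t0 + timedelta(days=1)),
        "marketing_day3": ledger.may_process("user-42", "marketing", t0 + timedelta(days=3)),
        "account_day3": ledger.may_process("user-42", "account", t0 + timedelta(days=3)),
        "pending": ledger.pending_erasure("user-42"),
        "pre_ticked_rejected": pre_ticked_rejected,
        "unlisted_rejected": unlisted_rejected,
        "events": len(ledger.audit_trail("user-42")),
    }


if __name__ == "__main__":
    print(demo())
```

The point-in-time check is deliberate: `may_process` for day 1 stays true even after the day-2 withdrawal, which is how you demonstrate that earlier processing was lawful, while the same call for day 3 is false and `pending_erasure` lists “marketing” as data to delete or de-identify. In production the log would live in a durable, tamper-evident store (a write-once table or a signed log) rather than a list, and the notice digest should be computed over the exact rendered text the user saw, not a template.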
Quick reference: key consent requirements at a glance
| Requirement | What the DPDP Act / Rules require | Common mistake to avoid |
|---|---|---|
| Form of consent | Free, specific, informed, unconditional, unambiguous | Bundled or pre-ticked consent |
| Notice | Plain language, itemised by data category and purpose | Hiding disclosure in a long privacy policy |
| Withdrawal | As easy as giving consent; no detriment to user | Requiring a written request or multi-step form |
| Children’s data | Verifiable parental / guardian consent before processing | Self-declaration age checkbox |
| Record-keeping | Timestamped logs of notice version, purposes, consent date | No audit trail; relying on user’s browser cookie log |
| Grievance redressal | Named officer, published contact details, defined timelines | Generic “contact us” form with no named owner |
| Consent Manager | Must be registered with Data Protection Board if used | Using an unregistered third-party consent tool |
What about existing user data collected before the Act?
The Act and Rules address processing of previously collected data, but the transition provisions require careful reading. Generally, if you wish to continue processing data collected before the Act’s commencement for a purpose that now requires consent, you will need to obtain fresh, compliant consent.
Do not assume that a pre-2023 privacy policy tick-box constitutes valid consent under the new standard. Seek legal advice on your specific legacy data situation.
Frequently asked questions
Do I have to use a registered Consent Manager, or can I build my own consent flow?
You are not required to use a third-party Consent Manager. You can build your own consent flow directly into your app or website, provided it meets every requirement of the DPDP Act 2023 and the Rules 2025 — free, specific, informed, unconditional, and unambiguous consent with a compliant notice, easy withdrawal, and proper record-keeping. A registered Consent Manager is an option that can simplify multi-platform consent management, but using one does not remove your obligations as a Data Fiduciary.
Can I make a core feature of my app conditional on the user consenting to marketing communications?
No. Consent must be unconditional. Tying access to a core service to agreement to optional or unrelated processing purposes — such as marketing emails — is unlawful under the DPDP Act. You may offer additional features in exchange for additional optional consent, but the baseline service must remain accessible to users who decline non-essential processing. This principle is sometimes called “consent without coercion.”
How quickly must I act on a consent withdrawal request?
The DPDP Act requires withdrawal to be honoured without undue delay, and the Rules specify grievance and response timelines — check the current Rules text on India Code for the precise figures, as these may be updated. As a practical matter, your back-end systems should be designed to stop processing and flag the relevant data for deletion or de-identification within hours rather than days. Document every withdrawal and the action taken as part of your audit trail.
This article is for general information only and is not legal advice. Laws change; verify against the primary sources cited and consult a qualified advocate for your situation.