
Consent Management Under India’s DPDP Act: What Every Startup Founder Needs to Know

Imagine this. A user downloads your fintech app in Mumbai, enters their phone number, taps “I Agree” on a long wall of text they never read, and starts transacting. Six months later, they want to know exactly what data you collected, why, and how to stop you from using it. Under India’s Digital Personal Data Protection Act, 2023, that user now has every legal right to ask those questions, and you are legally required to have clear answers.

Consent is not a checkbox anymore. It is the foundation of lawful data processing in India. If you are building a product that collects names, emails, phone numbers, payment details, or even device identifiers from Indian users, the way you collect and manage consent will determine whether your business is compliant or exposed to penalties that can go up to ₹250 crore. 

This article is the second in our DPDP compliance series at The Startup Zone. Here, we break down what consent means under the law, how consent managers work, and what practical steps founders need to take. 

What Does “Consent” Actually Mean Under the DPDP Act? 

Under Section 6 of the DPDP Act, consent is the primary legal basis for processing personal data. But this is not the vague “by using this service you agree to our terms” language that Indian internet users have grown accustomed to. The Act requires consent to be: 

Free – meaning you cannot force someone to agree as a condition of service if that data is not needed for the service. Think of a food delivery app that demands access to your contacts list before letting you order dinner. That would not qualify as “free” consent. 

Specific – meaning you must explain exactly what data you are collecting and for what purpose. A blanket statement like “we collect your data to improve our services” will not survive regulatory scrutiny. 

Informed – meaning the user must actually understand what they are agreeing to. The consent request must be written in plain language, not buried in legal jargon. And it must be available in English or any language listed in the Eighth Schedule of the Constitution.

Unconditional – meaning you cannot tie consent to unrelated conditions, such as waiving the right to file a complaint with the Data Protection Board. 

Unambiguous – meaning the user must take a clear affirmative action. Pre-ticked boxes, implied consent through silence, or bundled agreements do not count. The user must actively say yes. 

Example: Consider an ed-tech platform that requires students to consent to data processing for course delivery and, in the same breath, seeks permission to share their data with recruitment partners. Under the DPDP Act, these would need to be two separate, clearly described consent requests. Bundling them into one “I Agree” button would make the consent invalid. 

The Privacy Notice: Your Compliance Starting Point 

Before you even ask for consent, the DPDP Rules 2025 require you to provide a standalone privacy notice. This is not your website’s generic privacy policy. It is a specific, plain-language document that tells users exactly what you plan to do with their data. 

Your notice must include an itemised description of the personal data you will collect, the specific purpose for each category of data, a clear link or mechanism for withdrawing consent (and the Act says this must be as easy as giving consent), information on how users can exercise their rights under the Act, and details on how to lodge a complaint with the Data Protection Board of India. 

If your notice is vague, incomplete, or misleading, the consent obtained through it may be considered invalid. And processing data on invalid consent is treated the same as processing without consent, a violation that can attract penalties of up to ₹200 crore. 

Consent Managers: The New Regulated Intermediary 

One of the most distinctive features of India’s framework is the concept of the Consent Manager. If you have heard of Account Aggregators in India’s financial sector (platforms that let users share their financial data across institutions with a single consent flow), Consent Managers work on a similar principle, but for personal data broadly.

A Consent Manager under the DPDP Act is a registered entity that acts as a single point of contact for individuals to give, manage, review, and withdraw consent across multiple platforms. Think of it as a centralised dashboard where a user can see every company they have shared data with and control those permissions from one place. 

Who Can Become a Consent Manager? 

The DPDP Rules set strict eligibility requirements. A Consent Manager must be a company incorporated in India with a minimum net worth of ₹2 crore. They must demonstrate adequate technical, operational, and financial capacity. They need valid certifications for their consent management platform. And here is a critical restriction: a Consent Manager cannot simultaneously act as a data fiduciary (the company deciding why to collect data) or a data processor (the company handling data on someone else’s behalf) for the same individual whose consent they manage. This prevents conflicts of interest. 

Consent Manager registration with the Data Protection Board opens from November 2026, and they must retain consent records for at least seven years.   

Timeline calendar for DPDP enforcement

| Phase   | Date                    | What Becomes Enforceable |
| ------- | ----------------------- | ------------------------ |
| Phase 1 | 14 Nov 2025 (immediate) | Data Protection Board established in NCR. Administrative provisions and penalty framework activated. Complaint mechanisms go live. |
| Phase 2 | 14 Nov 2026 (12 months) | Consent Manager registration opens. Only India-incorporated entities with ₹2 crore net worth qualify. Foreign platforms like OneTrust and TrustArc are excluded from operating as registered managers. |
| Phase 3 | 13 May 2027 (18 months) | FULL COMPLIANCE DEADLINE. All privacy notices, consent systems, security safeguards, breach protocols, data retention, children’s protections and Data Principal rights infrastructure must be operational. NO GRACE PERIOD. |

Do Startups Need to Appoint a Consent Manager? 

No, it is not mandatory for every business. You can manage consent internally, provided you meet all legal requirements. But as the ecosystem matures, integrating with registered Consent Managers could simplify compliance and build user trust, especially if you operate across multiple platforms or handle high volumes of user data. 

The Right to Withdraw: Consent Is Not a One-Time Event 

Here is where many startups trip up. Consent under the DPDP Act is not a one-way door. Users have the right to withdraw consent at any time, and you must honour that withdrawal promptly. 

When a user withdraws consent, you must stop processing their data and ensure your data processors (cloud providers, analytics tools, marketing platforms) stop too. The only exceptions are where processing is required under another Indian law, for example, financial record-keeping mandated under the Income Tax Act. 

Example: Consider a telecom company that contracts a third-party service to email monthly bills to customers. If a customer withdraws consent for email communication and switches to in-app billing, the telecom company must not only stop emailing but must also instruct its email vendor to stop processing that customer’s data for billing purposes. The Act explicitly provides this scenario in its explanatory notes. 

Case Study: What the boAt Data Breach Teaches Us About Consent Failures 

REAL-WORLD CASE STUDY

Company: boAt (Imagine Marketing Pvt Ltd)   

Breach: April 2024, personal data of 7.5 million customers leaked by a hacker called “ShopifyGUY”

Data exposed: Customer names, email addresses, phone numbers, physical addresses, and purchase histories 

Scale of damage: 2 GB of data listed on the dark web for just ₹180 (~$2) 

The Consent Problem Hidden Inside This Breach 

On the surface, the boAt breach looks like a cybersecurity failure. And it was. But underneath the technical failure lies a deeper consent management problem that every startup founder should study. 

When you buy a pair of boAt earphones on Amazon or Flipkart, you provide personal data for one specific purpose: completing the transaction and receiving delivery. Your name, phone number, and address are needed for that order, and arguably for warranty service afterwards. 

But here is the question the DPDP Act now forces companies to answer: why was that data still stored months or years after the transaction was complete? 

Under Section 8(7) of the DPDP Act, a Data Fiduciary must delete personal data once the purpose for which it was collected has been fulfilled. If you bought earphones in 2022 and the warranty expired in 2023, there is no lawful reason to retain your name, phone number, and address in 2024 unless:

You obtained fresh, specific consent to retain the data for a new purpose (e.g., marketing, loyalty programmes) 

Retention is required by another law (e.g., tax records under the Income Tax Act) 

The 7.5 million records that ended up on the dark web almost certainly included customers whose transaction purpose had long been served. Under the DPDP Act, retaining that data without a valid consent basis would itself be a violation, before the breach even happened. 

Building a Consent System That Works 

For founders building products today, consent compliance is a design problem as much as a legal one. Here is what a compliant consent flow looks like in practice: 

Step 1: Map your data. Before writing a single line of privacy policy, understand what personal data your product collects, where it flows, and who processes it. This includes third-party tools, analytics SDKs, payment gateways, and cloud storage. 

Step 2: Draft standalone notices. For each distinct processing purpose, create a clear notice. If you collect data for order fulfilment and separately for marketing, those are two separate notices with two separate consent requests. 

Step 3: Build granular consent capture. Design your UI to allow users to consent to individual purposes, not an all-or-nothing bundle. Use toggle switches, purpose-specific consent screens, or layered consent flows. 

Step 4: Create withdrawal mechanisms. Ensure users can withdraw consent as easily as they gave it. If consent was a single tap, withdrawal should be a single tap too. 

Step 5: Log everything. Maintain timestamped records of every consent action: when it was given, for what purpose, in what language, and when it was withdrawn. These logs become your evidence if the Data Protection Board ever investigates. 
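The five steps above, together with the withdrawal propagation described in the telecom billing example earlier, can be seen working end to end in the following Python consent ledger. This is an added example written for this article, not code from The Startup Zone or from any Consent Manager platform. It records one purpose per consent event (Step 3), refuses anything that is not an explicit affirmative act, makes withdrawal a single call that also returns the downstream processors to be told to stop (Step 4), keeps an append-only timestamped history with the language and notice version (Step 5), and applies the Section 8(7) retention logic from the boAt discussion: delete once the purpose is fulfilled unless another law still requires the data or the user holds a standing consent for a different purpose. Purpose names, processor names, the `tax_invoice` retention window, the user id and the notice versions are constructed placeholders, not values from the Act or the Rules.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the consent audit trail."""
    ts: datetime          # when the action happened (UTC)
    user_id: str
    purpose: str          # exactly one purpose per event, never a bundle
    action: str           # "granted" or "withdrawn"
    language: str         # language the notice was shown in
    notice_version: str   # which standalone notice the user saw


class ConsentLedger:
    """Append-only ledger of purpose-specific consent; withdrawal is propagated
    to the processors registered against each purpose."""

    def __init__(self, processors: Dict[str, List[str]],
                 legal_retention: Dict[str, timedelta]) -> None:
        self._events: List[ConsentEvent] = []
        self._processors = processors            # purpose -> downstream processors
        self._legal_retention = legal_retention  # purpose -> window another law mandates
        # Every "stop processing" instruction sent out: (processor, user, purpose).
        self.notifications: List[Tuple[str, str, str]] = []

    @staticmethod
    def _now(now: Optional[datetime]) -> datetime:
        return now or datetime.now(timezone.utc)

    def _latest(self, user_id: str, purpose: str) -> Optional[ConsentEvent]:
        for ev in reversed(self._events):
            if ev.user_id == user_id and ev.purpose == purpose:
                return ev
        return None

    def grant(self, user_id: str, purpose: str, language: str, notice_version: str,
              affirmative: bool, now: Optional[datetime] = None) -> ConsentEvent:
        # A pre-ticked box or silence arrives here as affirmative=False and is
        # refused outright rather than being logged as a grant.
        if not affirmative:
            raise ValueError("consent requires a clear affirmative action by the user")
        ev = ConsentEvent(self._now(now), user_id, purpose, "granted", language, notice_version)
        self._events.append(ev)
        return ev

    def withdraw(self, user_id: str, purpose: str, now: Optional[datetime] = None) -> List[str]:
        """Record the withdrawal and return the processors instructed to stop."""
        last = self._latest(user_id, purpose)
        if last is None or last.action != "granted":
            return []  # nothing standing to withdraw; no spurious event is written
        self._events.append(ConsentEvent(self._now(now), user_id, purpose, "withdrawn",
                                         last.language, last.notice_version))
        notified = list(self._processors.get(purpose, []))
        for processor in notified:
            self.notifications.append((processor, user_id, purpose))
        return notified

    def has_consent(self, user_id: str, purpose: str) -> bool:
        """The processing gate: true only while the latest event for the purpose is a grant."""
        last = self._latest(user_id, purpose)
        return last is not None and last.action == "granted"

    def retention_decision(self, user_id: str, fulfilled_purpose: str,
                           fulfilled_at: datetime, now: Optional[datetime] = None) -> str:
        """Data collected for a fulfilled purpose is deleted unless another law still
        requires it or the user holds a standing consent for some other purpose."""
        window = self._legal_retention.get(fulfilled_purpose)
        if window is not None and self._now(now) < fulfilled_at + window:
            return "retain:law"
        other_purposes = {ev.purpose for ev in self._events
                          if ev.user_id == user_id and ev.purpose != fulfilled_purpose}
        if any(self.has_consent(user_id, p) for p in other_purposes):
            return "retain:consent"
        return "delete"

    def history(self, user_id: str) -> List[ConsentEvent]:
        """Timestamped record of every consent action by one user."""
        return [ev for ev in self._events if ev.user_id == user_id]


# Constructed timeline mirroring the earphones example: purchase, warranty expiry, today.
PURCHASED_AT = datetime(2022, 3, 1, tzinfo=timezone.utc)
WARRANTY_EXPIRED_AT = datetime(2023, 3, 1, tzinfo=timezone.utc)
TODAY = datetime(2024, 4, 1, tzinfo=timezone.utc)


def demo() -> dict:
    """Constructed scenario: order data plus a marketing consent that is later withdrawn."""
    ledger = ConsentLedger(
        processors={"order_fulfilment": ["courier-api"], "marketing_email": ["email-vendor"]},
        legal_retention={"tax_invoice": timedelta(days=8 * 365)},  # placeholder, not a statutory period
    )
    ledger.grant("u1", "order_fulfilment", "hi", "notice-v1", affirmative=True, now=PURCHASED_AT)
    ledger.grant("u1", "marketing_email", "hi", "notice-v2", affirmative=True, now=PURCHASED_AT)
    before = ledger.retention_decision("u1", "order_fulfilment", WARRANTY_EXPIRED_AT, now=TODAY)
    stopped = ledger.withdraw("u1", "marketing_email", now=PURCHASED_AT + timedelta(days=30))
    after = ledger.retention_decision("u1", "order_fulfilment", WARRANTY_EXPIRED_AT, now=TODAY)
    invoice = ledger.retention_decision("u1", "tax_invoice", WARRANTY_EXPIRED_AT, now=TODAY)
    return {"stopped": stopped, "before_withdrawal": before, "after_withdrawal": after,
            "tax_invoice": invoice, "events": len(ledger.history("u1")),
            "marketing_ok": ledger.has_consent("u1", "marketing_email"),
            "orders_ok": ledger.has_consent("u1", "order_fulfilment"),
            "notifications": ledger.notifications}


if __name__ == "__main__":
    print(demo())
```

The ledger never overwrites a record: withdrawal appends a new event, so the history a regulator would ask for is the same structure the processing gate reads from. `has_consent` and `retention_decision` are deliberately separate checks, because consent standing for one purpose says nothing about whether data collected for an already fulfilled purpose may still be kept.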

Conclusion   

Consent management is not a legal formality. Under the DPDP framework, it is the mechanism through which your users exercise control over their data. Getting it right means designing systems that are transparent, granular, and respectful of user choice from day one. 

If you are unsure where to start, The Startup Zone helps Indian startups build compliance roadmaps tailored to their product and stage. Get in touch for your DPDP assessment.

Next in the series: Significant Data Fiduciary Obligations Under DPDP, Who Qualifies and What Rules Apply.  
