Home/Resources/Consent Notices Under DPDP Rules 2025: The Exact Requirements, With Examples
Digital & E-Commerce Legal Support6 MIN READLast updated: July 2026

Consent Notices Under DPDP Rules 2025: The Exact Requirements, With Examples

Somewhere in your app or website, right now, sits a sentence shaped like this: “By continuing, you agree to our Terms of Service and Privacy Policy.” For a decade, that sentence was Indian data compliance in its entirety. Under the DPDP Act, 2023 and the DPDP Rules, 2025, that sentence is close to worthless, and the companies that understand why will spend the runway to May 2027 rebuilding a layer of product most teams have never consciously designed: the consent notice.

Consent Notices Under DPDP Rules 2025: The Exact Requirements, With Examples article image

Quick Answer

Somewhere in your app or website, right now, sits a sentence shaped like this: “By continuing, you agree to our Terms of Service and Privacy Policy.” For a decade, that sentence was Indian data compliance in its entirety. Under the DPDP Act, 2023 and the DPDP Rules, 2025, that sentence is close to worthless, and the companies that understand why will spend the runway to May 2027 rebuilding a layer of product most teams have never consciously designed: the consent notice. This article does one job thoroughly: it sets out exactly what a valid consent notice must contain under the Rules, shows worked before and after examples, and covers the machinery around the notice, withdrawal, consent records, and the arriving Consent Managers, that turns a compliant sentence into a compliant system.

  • The DPDP Rules turn consent from a checkbox into a designed product surface: self contained plain language notices at each collection point, itemising data against purposes, unbundled affirmative actions, withdrawal as easy as consent and wired to real pipelines, all recorded because the burden of proof is yours, with Consent Managers arriving to interoperate from late 2026. Rebuild the flows during the runway to May 2027 and the “by continuing you agree” sentence can retire with the era it belonged to.
Consent Notices Under DPDP Rules 2025: The Exact Requirements, With Examples supporting image
Related documentation

The legal skeleton: Sections 5 and 6, Rule 3

The Act’s Section 6 defines consent with five adjectives that each do work: free, specific, informed, unconditional, and unambiguous, signified by clear affirmative action, and limited to the personal data necessary for the specified purpose. Section 5 requires that every request for consent be preceded or accompanied by a notice. Rule 3 of the 2025 Rules then specifies the notice itself, and its requirements translate into a checklist a product team can build against. The notice must be understandable independently, a self contained text, not a hyperlink trail into a forty page policy. It must be in clear and plain language. It must contain an itemised description of the personal data being collected, categories named, not gestured at. It must state the specified purpose, and an itemised description of the goods, services, or uses enabled by the processing, the user should be able to see what they get and what it costs in data. It must provide the communication link, a working way to reach the fiduciary, and describe how the Data Principal can exercise rights, withdraw consent, and complain to the Data Protection Board. And the Rules push availability toward English plus the Eighth Schedule languages, so notices should be ready in the languages your users actually read. Around the notice, the Act adds the operational tests: consent must be as easy to withdraw as it was to give, withdrawal must stop the processing it covered, and the fiduciary carries the burden of proving valid consent, which quietly mandates consent records, who consented, to what text, when, through what action.

Worked example one: the login flow

Before, the classic: “Sign up with your mobile number. By continuing you agree to our Privacy Policy.” One checkbox, every purpose bundled, notice by hyperlink. After, DPDPA shaped. At the collection moment, a short notice: “To create your account, we collect your mobile number and name. Mobile number: used for login by OTP and for order and payment messages. Name: used on your invoices and deliveries. We do not use these for marketing unless you separately agree below. Withdraw anytime in Settings, Privacy, or write to grievance@yourapp.in. Full details: Privacy Notice.” Below it, a separate, unticked toggle: “Send me offers and recommendations by SMS and email,” its own purpose, its own consent. Two design decisions carry the compliance: the notice is readable in one breath and itemises data against purposes, and marketing is unbundled, so the account works whether or not the toggle is touched, which is what unconditional means.

Worked example two: the delivery app’s location ask

Before: the operating system permission dialog alone, “Allow YourApp to access this device’s location?”, treated as consent. It is not; it is a technical permission with no purpose notice behind it. After: a pre permission screen in the app’s own voice: “We use your live location only while an order is active, to show delivery progress and help the rider find you. We do not collect location in the background or use it for advertising. You can refuse and type your address instead.” Then the OS dialog. The pattern generalises: the OS asks about the sensor; the DPDPA notice explains the purpose, the limits, and the alternative, and the refusal path keeps the service usable wherever the data is not strictly necessary.

The machinery behind the sentence

Consent records. Since the fiduciary must prove consent, log the notice version, language, timestamp, and the affirmative action for every consent, and keep the mapping between notice versions and processing purposes as notices evolve. When a user complains to the Board in 2028, your defence is this log. Withdrawal that works. Build a privacy dashboard where each granted consent appears as a switch, and wire the switches to the actual pipelines, the marketing system, the analytics SDKs, the processors, because withdrawal that updates a database flag while the emails continue is a documented violation, not a compliance feature. Grievances route to the published contact with the response clock our grievance officer article describes. Consent Managers. From November 2026, the Rules’ Consent Manager provisions come alive: registered platforms through which users can give, review, and withdraw consent across fiduciaries, interoperable by design. Most companies will not become Consent Managers, but consent architectures built now should assume an external platform may someday present, and revoke, consent on a user’s behalf, one more reason consent records need clean structure rather than screenshots. Legitimate uses. Honesty requires the boundary note: not all processing runs on consent. Section 7 permits defined legitimate uses, notably where the individual voluntarily provides data for a purpose and does not object, employment related processing, medical emergencies, and state functions. These are narrower than the GDPR’s legitimate interests, they are enumerated, not open ended, and choosing between the consent gate and a legitimate use gate for each processing activity is exactly the legal judgment that should not be improvised.

Can AI help build compliant consent flows?

Substantially, and in a specifically useful way: translation and scale. AI tools can draft itemised notices per collection point from your data inventory, keep the data against purpose pairs synchronised as features change, render every notice in the Eighth Schedule languages with plain language reading levels, and audit live flows for bundling patterns, the single checkbox covering five purposes that fails Section 6 on contact. They can also stress test comprehension, asking a model to answer “what did I just agree to?” from your notice is a cheap usability trial. The limits are the recurring ones: whether a given activity may ride a legitimate use instead of consent is a legal call, machine translations of legal text need human review before deployment, and consent UX that manipulates, pre ticked boxes, dark patterns, guilt copy, fails the free and unambiguous tests no matter how fluent the prose. Draft and scale with AI; gate the judgments through a qualified human.

When to Review This

  • The DPDP Rules turn consent from a checkbox into a designed product surface: self contained plain language notices at each collection point, itemising data against purposes, unbundled affirmative actions, withdrawal as easy as consent and wired to real pipelines, all recorded because the burden of proof is yours, with Consent Managers arriving to interoperate from late 2026. Rebuild the flows during the runway to May 2027 and the “by continuing you agree” sentence can retire with the era it belonged to.

Disclaimer

This article is for general information only and is not legal advice. Consent architecture depends on your specific processing, so take professional advice before acting.

CLARITY

Common Questions

What must a DPDPA consent notice contain?

A self contained, plain language text itemising the personal data collected, the specific purposes and the goods or services they enable, how to exercise rights and withdraw consent, contact and grievance details, and the way to complain to the Data Protection Board, per Rule 3 of the 2025 Rules.

Is a checkbox linking to the privacy policy valid consent?

Almost certainly not for multiple purposes: it fails specificity, the notice’s independence requirement, and often the unconditional test when the tick gates unrelated services. Purpose level notices with separate affirmative actions are the compliant pattern.

Do consent notices need to be in regional languages?

The Rules push availability toward English and the Eighth Schedule languages; serving notices in the user’s language is both the safe reading and good design.

Does everything need consent under the DPDPA?

No. Section 7’s legitimate uses cover enumerated situations, voluntary provision, employment, emergencies, state functions, but they are narrower than GDPR’s legitimate interests, and classification per activity deserves legal review.

When do these requirements bite?

The core obligations become enforceable on 13 May 2027, with Consent Manager provisions arriving from November 2026, the runway our DPDPA compliance checklist maps deadline by deadline.

How do we prove consent later?

Consent records: notice version and language, timestamp, and the affirmative action, retained and queryable. The burden of proof sits on the fiduciary, so the log is the compliance.

Need Help with Consent Notices Under DPDP Rules 2025: The Exact Requirements, With Examples?

Contact Tirth Inamdar at Inamdar Legal for customized assistance on your specific requirements.

EXPLORE MORE

Related Resources

View All Resources

Related Services

Digital & E-Commerce Legal Support

Website Agreements

Website terms and legal documentation support for online businesses.

Digital & E-Commerce Legal Support

Terms and Conditions

Terms and conditions drafted for clear online use.

Digital & E-Commerce Legal Support

Privacy Policy

Privacy policy drafting support for websites and apps.

Digital & E-Commerce Legal Support

E-Commerce Legal Documentation

Legal documentation support for e-commerce operations.