At the core of India’s Digital Personal Data Protection (DPDP) Act is a simple obligation: Collect user consent for processing all personal data. But what happens to the vast amounts of personal data collected before the DPDP Act came into effect? Data that was often gathered through generic consent checkboxes, buried terms, or without any notice at all?
This is where DPDP’s one-time notice requirement comes in.
It mandates that organizations proactively inform users — even for data collected before the DPDP Act — about what personal data they hold, why they collected it, and how it’s being used.
The one-time notice requirement serves as a legal bridge between legacy data practices and the new compliance regime. More than just another compliance checkbox, this is a rare opportunity to reset the data relationship with users — to demonstrate transparency, and bring historical data under legal cover before the regulators start asking questions.
What is the One-Time Notice Requirement under the DPDP Act?
As per Section 5(2) of the DPDP Act: If you collected someone’s personal data before the Act came into effect — and are still using it — you need to mandatorily notify them.
The law says Data Fiduciaries must, “as soon as reasonably practicable,” send a notice informing the individual of:
- What personal data you have;
- What you’re using it for;
- What user rights they now have under the DPDP Act (like access, correction, and erasure);
- How they can seek grievance redressal from the Data Protection Board (DPDP Enforcement Authority) if something goes wrong.
Even if the data was collected years ago. Even if it came from a paper form or a third-party channel. If it’s still being digitally processed now — and was collected without a DPDP-compliant notice — this retroactive obligation applies.
Scope and Applicability: Who Needs to Notify?
If you're a Data Fiduciary — any organization that determines the “why” and “how” of personal data processing — this requirement applies to you. That includes banks, insurers, telecom companies, lenders, healthcare providers, e-commerce players, fintechs, and even startups.
It applies to any personal data you collected before the DPDP Act came into effect, if you’re still using it today. That includes:
- Data collected with implied or bundled consent — e.g. checkbox in a long terms & conditions form;
- Data collected indirectly — via channel partners, field agents, or third-party lead sources.
In each of these cases, you’re required to send a one-time notice informing the individual about their rights, your processing purpose, and how they can take action. Once you have satisfied the one-time notice obligation, you may continue processing this data unless the user withdraws consent after receiving the notice.
This is what makes Section 5(2) unique — it gives businesses a compliance window to retrofit their old consents under the new law, without halting operations.
What if you never took consent before the DPDP Act?
The one-time notice rule lets you validate consents collected prior to the Act. However, the DPDP Act does not explicitly allow you to validate or continue processing personal data with a one-time notice:
- If data was collected without any consent;
- If you took consent but do not have the documentation to prove it; or
- If the data was sourced indirectly or from third parties where the user was never informed.
It is possible that the one-time notice will suffice for these scenarios as well. However, the law is unclear on this point, and the Draft DPDP Rules do not provide any guidance either. Therefore, if you did not take consent from your users/customers before the Act came into effect, you should obtain fresh, valid consent to ensure full compliance and avoid risk.
Crafting the Notice: Do it Once, Do it Right
Done well, your one-time notice can become a bastion of transparency and trust while tying up decades of compliance loose ends in one go. So how should you craft it?
Keep It Simple and Human
The law doesn’t reward dense legalese. In fact, it explicitly discourages it. Your notice must use plain, understandable language — written for a layman, not a compliance officer.
Avoid:
- Technical jargon;
- Cross-referenced links to sprawling policy pages; and
- Legal catch-alls like “including but not limited to…”
Instead:
- Use short sentences and plain language;
- Be specific about the data, its purpose and other details.
Cover All Mandated Points
The DPDP Act requires the notice to include the following:
- What categories of personal data you’re collecting;
- The purpose for which each data type is being processed;
- How the user can withdraw consent;
- How the user can file a grievance or complaint with your organization;
- How they can escalate to the Data Protection Board;
- What rights they have under the DPDP Act; and
- Who you are — your name, contact details, and role as the Data Fiduciary.
This is not optional. Missing any of the above may render your notice non-compliant.
Make It Accessible — in Every Sense
Language: The law expects you to provide the notice in all 22 languages listed in the Eighth Schedule of the Constitution.
Format: Use text, audio, or even video if required — especially when working with low-literacy or rural populations.
Clarity: Ensure the notice works equally well across devices — phone, desktop, feature phone, or even paper.
Choose the Right Delivery Channel
There’s no one-size-fits-all channel — delivery should match user context. Prefer channels that support bulk messaging:
- Email: For users who’ve signed up digitally;
- SMS or WhatsApp: For mobile-first users or those onboarded via agents;
- In-app banner or pop-up: For existing app users.
What matters is that the notice reaches the user, is easy to access, and can be proven later.
What Happens After the Notice is Sent?
Once the one-time notice has been delivered, if the user withdraws consent you must stop processing until you collect fresh consent in line with current DPDP standards.
However, if the user does not withdraw consent or respond to your notice — you’re done!
You only need to re-engage with the user if your processing materially changes. Here’s when you must re-engage:
- You start using the data for a new purpose that wasn’t disclosed in the original notice;
- You begin collecting a new category of personal data from the same user;
- The user requests a copy of their rights or data details, in which case your systems should already support this via a self-service dashboard or support flow.
Business Implications: Turning the One-Time Notice into a Systemic Capability
On paper, the DPDP’s one-time notice sounds simple. In practice, implementing it across a large, multi-channel, multi-team organization can be quite challenging.
The good news? Once set up right, this is a low-maintenance compliance layer that reduces long-term friction and boosts transparency. But it does require upfront effort and cross-functional coordination. Here’s what that looks like:
1. Audit All Personal Data Stored Internally:
- Where is personal data being collected?
- Is it through your app, website, onboarding API, partner integrations, or paper forms?
- Which teams own these collection flows?
Every collection touchpoint needs to be mapped, catalogued, and tied to a standardized notice delivery system. For detailed guidance refer to our Guide to Data Mapping.
2. Centralize Privacy Policies and Disclosures:
You can’t deliver a consistent one-time notice if your organization has five versions of a privacy policy floating around. Now is the time to:
- Consolidate all data-related disclosures;
- Remove internal inconsistencies;
- Standardize notice formats and language across channels.
The DPDP Act doesn’t require legalese. It requires clarity.
3. Build a Notice Orchestration Layer:
If your organization collects data across multiple teams, tools, or business lines, you’ll likely need a backend service that:
- Triggers the correct notice based on the type of data collected and user context;
- Logs when the notice was delivered;
- Ensures no duplicate notices are sent;
- Tracks responses to the notice, especially withdrawals of consent; and
- Tracks if the notice needs to be re-sent due to material changes in processing.
This orchestration layer may live inside your CRM, onboarding engine, or as a standalone microservice.
4. Leverage Consent Management and Other Privacy Tools
Finally, your one-time notice isn’t just about what the user sees — it’s also about what you can prove later. Invest in tools that:
- Log when the notice was delivered;
- Store a snapshot of the notice contents at that point in time;
- Link it to the specific user and dataset; and
- Enable easy access for audits, data principal requests, or breach reporting.
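Sections 3 and 4 above describe the same record-keeping needs. As an added illustration (not Leegality's product or code, and not part of the original post), here is a minimal Python ledger that covers them: deliver once per user, skip duplicates, keep a hash-indexed snapshot of the exact notice text for later proof, track withdrawals, and flag when a newly disclosed purpose requires a re-send. The class and method names are my own assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class NoticeRecord:
    """One delivery event: who, which channel, when, exact wording (by hash), purposes disclosed."""
    user_id: str
    channel: str
    sent_at: str
    notice_hash: str       # SHA-256 of the rendered notice text, so the wording can be proven later
    purposes: frozenset    # processing purposes disclosed in this notice
    withdrawn: bool = False


class NoticeLedger:
    """Hypothetical orchestration/audit store for one-time notices (constructed example)."""

    def __init__(self):
        self.records = {}    # user_id -> latest NoticeRecord
        self.snapshots = {}  # notice_hash -> full notice text, kept for audits and DPB requests

    def send(self, user_id, channel, notice_text, purposes, sent_at=None):
        """Record a delivery. Returns False (no-op) if the user already holds a live notice
        covering every requested purpose, so bulk jobs never double-notify."""
        purposes = frozenset(purposes)
        existing = self.records.get(user_id)
        if existing and not existing.withdrawn and existing.purposes >= purposes:
            return False
        digest = hashlib.sha256(notice_text.encode("utf-8")).hexdigest()
        self.snapshots.setdefault(digest, notice_text)  # same wording stored once
        stamp = sent_at or datetime.now(timezone.utc).isoformat()
        self.records[user_id] = NoticeRecord(user_id, channel, stamp, digest, purposes)
        return True

    def withdraw(self, user_id):
        """User withdrew consent after the notice: processing must stop until fresh consent."""
        self.records[user_id].withdrawn = True

    def may_process(self, user_id, purpose):
        """Allowed only if a delivered, non-withdrawn notice disclosed this purpose."""
        rec = self.records.get(user_id)
        return rec is not None and not rec.withdrawn and purpose in rec.purposes

    def needs_resend(self, user_id, purposes):
        """Material change: a purpose not covered by the notice on file (or no notice at all)."""
        rec = self.records.get(user_id)
        return rec is None or not frozenset(purposes) <= rec.purposes

    def audit_entry(self, user_id):
        """What you hand an auditor: delivery facts plus the hash that pins the exact wording."""
        rec = self.records[user_id]
        return {"user": rec.user_id, "channel": rec.channel, "sent_at": rec.sent_at,
                "notice_sha256": rec.notice_hash, "purposes": sorted(rec.purposes),
                "withdrawn": rec.withdrawn}
```

In a real deployment the snapshot store and records would be append-only and the ledger would also retain the delivery receipt from the channel (SMS/e-mail provider), since the page's point is proof, not just logging.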
Modern Consent Infrastructure platforms can handle much of this heavy lifting — and drastically reduce compliance effort and risk. Book a demo for Leegality Consent Infrastructure to see these functionalities in action.
One Notice, Many Wins
The one-time notice is a wonderful compliance opportunity for businesses to bring legacy data under the DPDP fold.
Handled well, it signals a shift from passive disclosure to proactive transparency. It tells your users: We take your data seriously. We’re ready for the new rules. And we’re doing it right.
But it’s a narrow window. The law requires the notice to be sent “as soon as reasonably practicable” after the Act comes into effect. That’s not legalese for ‘someday’; the law expects you to act swiftly. Delaying action means greater audit risk, weaker consent trails, and scrambling later when the regulator comes knocking.
Starting early — with centralised data assessments, standardized notices, and the right delivery infrastructure — is the easiest way to stay ahead. Take the lead in DPDP Compliance with Leegality Consent Infrastructure. Book a demo today!