Frequently asked questions

All your questions about digital consent under DPDP answered in one convenient place

What is a Consent Manager?

Under the DPDP Act, a Consent Manager is a person registered with the Data Protection Board who acts as a single point of contact to enable a user to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform.

In simpler terms, a Consent Manager ensures that individuals have full control over their personal data and how it is processed.

For businesses, a Consent Manager can generally be understood as a specialized software that helps in compliance with data protection laws like the DPDP Act by managing user consent efficiently and transparently. A Consent Manager integrates with businesses to:

  • Collect and manage consent across multiple channels.
  • Store consent records in a unified and interoperable system.
  • Provide users with infrastructure to exercise their data rights, including access, correction, and deletion.
  • Ensure internal and third-party systems process data based on valid consent and delete it where necessary.

How does a Consent Manager work?

A Consent Manager works by automating and centralizing consent management across an organization’s systems. The process typically involves:

  1. Consent Collection: Gathering user consent via websites, apps, email, or other touchpoints, with clear and specific notices.
  2. Secure Storage: Storing consent records with timestamps and purpose information for easy audits.
  3. Consent Check Integrations: Connecting with CRM, marketing tools, and other systems to ensure no data is processed without valid consent.
  4. User Rights Management: Allowing users to review, withdraw, or modify their consent through an accessible platform.
  5. Compliance Support: Generating detailed audit trails and ensuring data retention and deletion practices align with legal requirements.

By simplifying these tasks, a Consent Manager ensures compliance while building trust with users.

What does an Ideal Consent Notice look like?

An ideal consent notice is clear, concise, and compliant with legal requirements. Under the DPDP Act, it should:

  1. Be Specific and Informative: Clearly state what personal data is being collected, why it is needed, and how it will be used.
  2. Use Simple Language: Avoid jargon and present information in a way that is easy to understand, with local language options if required.
  3. Highlight Rights: Inform users about their rights to withdraw consent, access their data, and file grievances.
  4. Seek Explicit Action: Require users to give affirmative consent, such as ticking a box or clicking a button.
  5. Include a Contact Point: Provide information on how users can contact the organization for further assistance.
  6. Provide Local Language Options: Ensure that users can access the notice in the 22 local languages mentioned in the Eighth Schedule of the Indian Constitution.

How can I prove user consent was taken legally?

To prove that user consent was taken legally under the DPDP Act, you must maintain verifiable records that demonstrate compliance with legal requirements. This includes:

  1. Timestamped Records: Keep logs of when, where, and how the user consented, including the exact time and date.
  2. Consent Artefacts: Store digitally signed consent artefacts that detail the data collected, its purpose, and the user’s explicit agreement.
  3. Clear Audit Trails: Maintain an audit trail showing the consent flow, including the consent notice presented and the user’s affirmative action (e.g., ticking a box, clicking “Accept”).
  4. Consent Notice Details: Ensure the notice provided was compliant, including specifics on data usage, rights, and local language options.
  5. Withdrawal Logs: Track and document any instances of consent withdrawal, including how the request was processed and acknowledged.

Using a Consent Manager simplifies this process by automatically storing and organizing these records in a secure and accessible format, ensuring readiness for audits or regulatory reviews.

Why should I onboard a Consent Manager?

Onboarding a Consent Manager Solution offers several advantages, including:

  1. Ensured Compliance: Automates consent collection, management, and audit trails to meet DPDP Act requirements.
  2. Enhanced Customer Trust: Provides transparency by allowing users to manage their consent preferences.
  3. Operational Efficiency: Streamlines consent-related workflows, ensuring consistency across platforms.
  4. Audit Preparedness: Maintains detailed records of all consent interactions for seamless audits and regulatory reviews.
  5. Interoperability: Stores all consents in one place using our trusted and interoperable consent records.

By ensuring accurate consent tracking and secure management, a Consent Manager helps mitigate compliance risks and potential regulatory penalties up to ₹250 Crore.

Can I process personal data without user consent?

Yes, the DPDP Act permits processing personal data without user consent in specific scenarios, referred to as "legitimate uses", which include:

  1. Voluntary Sharing of Data: When users voluntarily provide their data for a specific purpose, businesses can process it until consent is withdrawn.
  2. Employment-Related Processing: Employers may process employee data for activities like background checks, health insurance, or safeguarding confidential information.
  3. Compliance with Judicial Orders and Laws: Data can be processed to comply with legal obligations or court orders.
  4. Health Emergencies: Personal data can be processed during health crises or emergencies to protect life and public health.
  5. Disasters and Public Order Breakdown: Processing is allowed for safety, rescue, and disaster management during emergencies.
  6. Research and Statistics: Data can be used for research or statistical purposes, provided it doesn’t impact individual rights or make decisions about specific individuals.
  7. Enforcing Legal Rights and Investigations: Data can be processed for preventing, detecting, or prosecuting violations of the law.

While consent is the cornerstone of the DPDP Act, these exceptions aim to balance compliance with practical necessities. However, businesses must still adhere to obligations like data security, breach notification, and grievance redressal. There are broader exemptions to DPDP obligations as well.

Are there any situations where the DPDP Act will not apply? OR What are the exemptions to the DPDP Act?

Yes, the DPDP Act provides exemptions in certain cases where compliance obligations may be waived. These include:

  • Business Process Outsourcing (BPO): Indian companies processing foreign customer data under contract with an overseas business.
  • Corporate Mergers & Restructuring: Data processing during mergers, acquisitions, or approved corporate restructuring.
  • Financial Assessments: Banks and financial institutions can process personal data to assess loan defaulters.
  • Legal & Judicial Proceedings: Processing personal data for disputes, legal claims, or regulatory investigations.
  • Law Enforcement & Investigations: Data can be processed for preventing, detecting, or prosecuting legal violations.
  • Research & Statistics: Personal data may be used for research or analysis if it does not impact individuals.

Additionally, government bodies are exempt when processing data for public services, national security, or law enforcement. Children’s data can also be processed by schools, hospitals, and public welfare programs under certain conditions.

While these exemptions remove consent obligations, businesses must still follow data security and breach notification requirements.

How can I take consent of children and people with disabilities?

To take consent for processing the personal data of children and persons with disabilities under the DPDP Act, follow these steps:

  1. Verify User Age: Confirm if the user is a child (under 18 years) or a person with a disability. Use reliable age verification mechanisms such as DigiLocker or AI-based age estimation.
  2. Verify Guardian Identity: Validate the identity and age of the parent or lawful guardian to ensure they are adults and authorized to provide consent.
  3. Collect Verifiable Consent: Obtain explicit, verifiable consent from the parent or lawful guardian using secure methods like DigiLocker’s Age Token or Aadhaar-based verification.
  4. Prohibit Harmful Activities: Avoid processing that could harm the child’s or the individual’s well-being, including targeted advertising or behavioral monitoring.

By adhering to these steps, you ensure compliance with the DPDP Act while protecting the rights of children and persons with disabilities.

What is the penalty for processing personal data without Consent?

Under the DPDP Act, processing personal data without obtaining valid consent can result in a penalty of up to ₹50 crore per instance. Violations that may attract this penalty include:

  1. Not obtaining free, specific, and explicit user consent.
  2. Failure to display compliant consent notices.
  3. Sharing user data with third parties without consent.
  4. Not maintaining verifiable consent records.
  5. Indefinite storage of data after consent withdrawal.

The penalty amount is determined by the Data Protection Board based on factors such as the nature, duration, severity, recurrence of the violation, and any mitigation efforts by the business.

How can I take consent for personal data collected prior to the DPDP Act’s enactment?

For personal data collected before the DPDP Act’s enactment, you must issue a one-time notice to the data principal. This notice should:

  1. Inform the individual about the data collected and its purpose.
  2. Provide details on how they can exercise their rights, such as withdrawing consent or requesting data erasure.
  3. Offer clear instructions for filing grievances with your organization or the Data Protection Board.

If the individual withdraws consent after receiving the notice, you must stop processing their data and delete it promptly. This step ensures compliance with the DPDP Act while respecting user rights.

Can the one-time notice be sent in bulk to multiple users?

Yes, the one-time notice can be sent in bulk using the Bulk Upload feature via Excel sheets. By uploading a list of users, the system can automatically trigger the one-time notice for each user, ensuring compliance and efficient delivery without requiring individual manual intervention.

How can I keep track of collected and pending consents?

You can track collected and pending consents using the Consent Register API, which logs user responses in real-time. Additionally, businesses can maintain a consent dashboard to monitor status updates and ensure compliance. Webhooks for consent status updates are also planned.

Do I need to take consent of offline users?

Yes, if personal data is being collected from offline users and later digitized for processing, their consent must still be obtained in compliance with the DPDP Act. Businesses must ensure that consent is recorded in a manner that meets regulatory requirements.

How can I collect valid consent for personal data collected physically or in offline mode?

For offline data collection, consent can be captured through paper-based consent forms with a digital acknowledgment, OTP-based authentication, or biometric verification at the time of onboarding. Businesses can also send a digital consent request link via SMS or WhatsApp once the data is entered into the system.

Do I need to take consents for cookies on my website?

The requirement to take consent for cookies under the DPDP Act is currently uncertain. However, if cookies are interpreted as “personal data” under the Act (as they can identify and profile users), the following steps may be necessary for compliance:

  1. Display a Cookie Notice: Clearly explain the use, types, and purposes of cookies, ensuring the notice is available in local languages.
  2. Obtain Explicit Consent: Use unambiguous actions, such as an “Accept Cookies” button, to collect clear, explicit, and informed consent.
  3. Provide an Opt-Out Option: Allow users to easily reject or withdraw their consent for cookies at any time.
  4. Use a Consent Manager: Integrate a Consent Manager to streamline cookie consent collection and ensure compliance with DPDP Act standards.

Until further clarification or enforcement under the DPDP Act, aligning cookie practices with global standards like GDPR can help mitigate compliance risks.

What is a consent artefact?

A consent artefact is a digital record that serves as proof of user consent under the DPDP Act. It typically contains details such as the data principal’s identity, the purpose of data processing, the scope of consent given, timestamps, and any conditions for revocation. This artefact ensures transparency and accountability in consent-based data processing and can be used for audits or regulatory compliance.
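The record keeping described above (timestamped records, signed consent artefacts, an audit trail, withdrawal logs) and the consent check that should gate processing can be illustrated with a small consent register. The following is an added example written for this page; it is not Leegality's code and does not reflect the Consent Register API. It assumes a constructed demo key and uses HMAC-SHA256 from the Python standard library as a stand-in for the asymmetric signature a real deployment would apply with a key held in a KMS or HSM; the field names (`consent_id`, `principal_id`, `purposes`, `notice_id`, `affirmative_action`) are the example's own choices, not a standard.

```python
"""Added example: signed consent artefacts, a hash-chained audit trail, and a
pre-processing consent check. Not Leegality's code; key and field names are
constructed for illustration."""
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timezone

# Constructed demo key. A real deployment would sign artefacts with a private
# key kept in a KMS/HSM; HMAC-SHA256 stands in so the example runs stand-alone.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def _canonical(obj: dict) -> bytes:
    """Deterministic JSON encoding so the same artefact always signs identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_artefact(fields: dict) -> str:
    return hmac.new(SIGNING_KEY, _canonical(fields), hashlib.sha256).hexdigest()


def verify_artefact(artefact: dict) -> bool:
    """True only if no field of the artefact was altered after signing."""
    body = {k: v for k, v in artefact.items() if k != "signature"}
    return hmac.compare_digest(sign_artefact(body), artefact.get("signature", ""))


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


class ConsentRegister:
    """Signed, immutable consent artefacts plus an append-only audit trail."""

    def __init__(self):
        self.artefacts = {}    # consent_id -> signed artefact (never edited in place)
        self.withdrawals = {}  # consent_id -> withdrawal event
        self.audit = []        # ordered entries, each committing to the previous one

    def _log(self, event: str, at: str, **fields) -> None:
        prev = self.audit[-1]["entry_hash"] if self.audit else "0" * 64
        entry = {"seq": len(self.audit), "event": event, "at": at, "prev_hash": prev, **fields}
        entry["entry_hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self.audit.append(entry)

    def record_consent(self, principal_id, purposes, notice_id, notice_language,
                       affirmative_action, at=None) -> dict:
        """Store a signed artefact: who consented, to which purposes, on which
        notice (and language), by what affirmative action, and when."""
        at = at or _now()
        body = {
            "consent_id": str(uuid.uuid4()),
            "principal_id": principal_id,
            "purposes": sorted(purposes),
            "notice_id": notice_id,
            "notice_language": notice_language,
            "affirmative_action": affirmative_action,  # e.g. "clicked_accept"
            "given_at": at,
        }
        artefact = dict(body, signature=sign_artefact(body))
        self.artefacts[artefact["consent_id"]] = artefact
        self._log("consent_given", at, consent_id=artefact["consent_id"], principal_id=principal_id)
        return artefact

    def withdraw(self, consent_id, channel, at=None) -> None:
        """Withdrawal is a separate logged event; the original artefact stays intact."""
        at = at or _now()
        if consent_id not in self.artefacts:
            raise KeyError(consent_id)
        self.withdrawals[consent_id] = {"withdrawn_at": at, "channel": channel}
        self._log("consent_withdrawn", at, consent_id=consent_id, channel=channel)

    def has_valid_consent(self, principal_id, purpose) -> bool:
        """Consent check to run before processing: a verified, unwithdrawn
        artefact for this principal that covers this purpose."""
        for cid, art in self.artefacts.items():
            if (art["principal_id"] == principal_id and purpose in art["purposes"]
                    and cid not in self.withdrawals and verify_artefact(art)):
                return True
        return False

    def audit_chain_intact(self) -> bool:
        """Recompute the chain; an edited, reordered or deleted entry breaks it."""
        prev = "0" * 64
        for i, entry in enumerate(self.audit):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != i or body["prev_hash"] != prev:
                return False
            if hashlib.sha256(_canonical(body)).hexdigest() != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


if __name__ == "__main__":
    reg = ConsentRegister()
    art = reg.record_consent("principal-001", ["kyc", "marketing"], "notice-v3", "hi", "clicked_accept")
    print("marketing allowed:", reg.has_valid_consent("principal-001", "marketing"))
    reg.withdraw(art["consent_id"], channel="app")
    print("after withdrawal:", reg.has_valid_consent("principal-001", "marketing"))
    print("audit chain intact:", reg.audit_chain_intact())
```

Two design choices carry the audit argument: the artefact is never modified after signing (withdrawal is its own signed-in-chain event referencing the artefact), so the record of what the user agreed to cannot quietly drift, and every audit entry hashes its predecessor, so a deleted or edited withdrawal entry is detectable when the chain is recomputed.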

How can I maintain oversight over user data shared with third parties?

You can maintain oversight over user data shared with third parties by integrating Leegality’s consent UI across platforms, including third-party applications. If onboarding happens through physical forms, a consent link can be sent as soon as the data is registered in your Core Systems. For users without smartphones, alternative methods like OTP-based flows or biometric authentication can be implemented, ensuring consent is captured effectively, even in rural areas.

Can I build a Consent Manager myself?

Building a Consent Manager in-house is challenging due to the complexities of ensuring compliance, managing consent records, and integrating with various systems. Additionally, we may become a registered Consent Manager under the law, which would provide greater authenticity and regulatory certainty to your consent management process.

Sign up for a demo and early trial access

Customized Demo for every use case
Deep dive into your unique needs and compliance challenges
Free access to testing account