

The DPDP Act allows only two lawful grounds to process personal data, and for most businesses the ground that matters is consent. That makes the DPDP consent notice format and your DPDP consent form the single most important pieces of your compliance setup: if the notice is invalid, the consent is invalid, and everything you do with that data becomes a violation.
Under the Act, consent must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. The notice is how you make it "informed". And with consent rules becoming mandatory on 13 November 2026, this is the first thing every business needs to fix.
No cost. No obligation. Get your compliance gap report.
Beyond the notice text, the mechanics of how consent is taken matter just as much.
The notice must be shown before or at the moment you collect the data. Asking afterwards, or assuming consent from usage, does not count.
Consent needs a clear affirmative action from the user. Pre-ticked boxes, silence, or bundled "I agree to everything" checkboxes are all invalid.
If a user gave consent with one click, they must be able to withdraw it just as easily. A hidden, multi-step opt-out process is a violation.
Taking consent isn't enough, you must be able to prove it. Every consent event should be logged with these four fields.
| Record Field | What to Store | Why It Matters |
|---|---|---|
| Identifier | Who gave consent (user ID, email, or phone) | Links the consent to a specific Data Principal |
| Timestamp | Exactly when consent was given or withdrawn | Proves timing: before or at collection |
| Method | How consent was given (checkbox, button, form) | Proves it was a clear affirmative action |
| Notice version | Which version of the notice the user saw | Proves consent was informed at that point in time |
These records tie into your wider systems too: retention schedules (see DPDP data retention policy) and the security safeguards that keep them tamper-resistant.
Consent rules become mandatory on 13 November 2026, and full enforcement begins 13 May 2027. Building compliant notices, forms, and consent records typically takes 2-6 months, so this work needs to start now.
Consent is one obligation among many. Our main guide covers the full DPDP Act: deadlines, penalties, checklist, roles, and all our services.
An itemized data list, the specific purpose for each item, the user's rights including withdrawal, the grievance contact, and the Board complaint route. It must be standalone, in plain language, and available in English plus any of the 22 scheduled Indian languages.
Before or at the time of collecting personal data. Consent taken afterwards, or buried inside terms and conditions, does not meet the requirement of free, specific, informed, unconditional, and unambiguous consent.
No. Consent must come from a clear affirmative action. Pre-ticked boxes, silence, or bundled acceptance don't count, and withdrawal must be as easy as giving consent in the first place.
For every consent: an identifier for who consented, a timestamp, the method used, and the version of the notice they saw. These records are your evidence if the Data Protection Board ever asks.
Our free audit reviews your consent flows, notices, and records, and hands you a gap report with a fix roadmap.
Book Your Free DPDP AuditNo cost. No obligation. Get your compliance gap report.
Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.
Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.