DPDP Consent Notice Format

What a valid consent notice and consent form must contain under the DPDP Act 2023
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

Getting the DPDP Consent Notice Format Right Is Half of Compliance

The DPDP Act allows only two lawful grounds to process personal data, and for most businesses the ground that matters is consent. That makes the DPDP consent notice format and your DPDP consent form the single most important pieces of your compliance setup: if the notice is invalid, the consent is invalid, and everything you do with that data becomes a violation.

Under the Act, consent must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. The notice is how you make it "informed". And with consent rules becoming mandatory on 13 November 2026, this is the first thing every business needs to fix.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

What a Valid Consent Notice Must Contain

  • Itemized data list: every category of personal data being collected, listed out clearly, not summarized away
  • Itemized purposes: the specific purpose tied to each data item, so the user knows exactly what they are agreeing to
  • Rights information: how to access, correct, and erase data, and how to withdraw consent
  • Grievance contact: whom to reach with complaints, plus the route to the Data Protection Board of India
  • Plain language, multi-language: English plus any of the 22 scheduled Indian languages
  • Standalone format: the notice cannot be buried inside terms and conditions, it must stand on its own (this pairs with your DPDP-compliant privacy policy)

The Rules of Valid Consent

Beyond the notice text, the mechanics of how consent is taken matter just as much.

Timing: Before or At Collection

The notice must be shown before or at the moment you collect the data. Asking afterwards, or assuming consent from usage, does not count.

No Pre-Ticked Boxes

Consent needs a clear affirmative action from the user. Pre-ticked boxes, silence, or bundled "I agree to everything" checkboxes are all invalid.

Withdrawal as Easy as Giving

If a user gave consent with one click, they must be able to withdraw it just as easily. A hidden, multi-step opt-out process is a violation.

Consent Record Keeping: Your Proof When It Matters

Taking consent isn't enough, you must be able to prove it. Every consent event should be logged with these four fields.

Record FieldWhat to StoreWhy It Matters
IdentifierWho gave consent (user ID, email, or phone)Links the consent to a specific Data Principal
TimestampExactly when consent was given or withdrawnProves timing: before or at collection
MethodHow consent was given (checkbox, button, form)Proves it was a clear affirmative action
Notice versionWhich version of the notice the user sawProves consent was informed at that point in time

These records tie into your wider systems too: retention schedules (see DPDP data retention policy) and the security safeguards that keep them tamper-resistant.

Consent Is the First Deadline to Hit

Consent rules become mandatory on 13 November 2026, and full enforcement begins 13 May 2027. Building compliant notices, forms, and consent records typically takes 2-6 months, so this work needs to start now.

Want the Complete DPDP Picture?

Consent is one obligation among many. Our main guide covers the full DPDP Act: deadlines, penalties, checklist, roles, and all our services.

DPDP Consent Notice: Frequently Asked Questions

Is Your Consent Form Valid Under DPDP? Let's Check, Free

Our free audit reviews your consent flows, notices, and records, and hands you a gap report with a fix roadmap.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.