DPDP Consent & Grievance Framework
What valid DPDP consent looks like, how consent managers work, and the grievance escalation path.
The five tests of valid consent (§6)
Consent must be free, specific, informed, unconditional and unambiguous — given by clear affirmative action, for a specified purpose, limited to data necessary for that purpose.
- Notice must precede or accompany the consent request — in English or any 8th Schedule language
- Each purpose needs its own consent — no bundling marketing with account servicing
- Withdrawal must be as easy as giving consent; processing must stop within a reasonable time
Consent managers (Rules 2025)
Registered intermediaries through which individuals give, review and withdraw consents across fiduciaries from a single dashboard. Registration with the Data Protection Board opens ~November 2026.
- Interoperable, fiduciary-blind consent records
- BFSI parallel: the Account Aggregator framework is the architectural template
- Fiduciaries must honour consent-manager signals in the same way as direct consents
Notice requirements
Every consent request needs an itemised notice: what data, what purpose, how to exercise rights, and how to complain to the Data Protection Board.
- Plain language, no dark patterns
- Available in all 22 scheduled languages on request
- Pre-Act legacy consents need fresh notice 'as soon as reasonably practicable'
Grievance redressal path
Data principals must first use the fiduciary's grievance mechanism, then escalate to the Data Protection Board; DPB orders can be appealed to TDSAT.
- Fiduciary must publish a grievance officer contact and respond within the Rules' timelines
- DPB adjudicates digitally — complaints, summons and hearings are online-first
- Appeals: DPB → TDSAT → Supreme Court