Compliance Guides • 5 min read
DPDP Consent and Notice Requirements for Consumer Apps
An operational guide for Heads of Compliance on implementing explicit, multi-lingual itemised notices and capturing granular, unbundled consent under the DPDP Act 2023 and Rules 2025.
Last updated:
Overview
High user volume digital B2C platforms face massive consent management challenges under India's new privacy regime. Heads of Compliance must transition their organizations from gap assessments to full operational readiness. The core challenge is capturing, tracking, and managing millions of user consent interactions across web and mobile journeys in strict accordance with the DPDP Act. This requires establishing undeniable audit trails for the Data Protection Board without introducing friction that degrades user acquisition metrics.
What The DPDP Act Says: Lawful Purpose
Section 4 of the Digital Personal Data Protection (DPDP) Act, 2023 dictates that a person may process the personal data of a Data Principal only in accordance with the provisions of the Act and strictly for a lawful purpose. The Act explicitly defines a 'lawful purpose' as any purpose which is not expressly forbidden by law. This processing must be based on either the Data Principal's consent or certain legitimate uses.
Section 5: The Notice Requirement & Language Mandate
Section 5 mandates that every request made to a Data Principal for consent under Section 6 must be accompanied or preceded by a notice given by the Data Fiduciary. This notice must inform the user of three critical statutory elements: (i) the personal data and the purpose for which it is proposed to be processed; (ii) the manner in which they may exercise their rights under sub-section (4) of Section 6 and Section 13; and (iii) the manner in which the Data Principal may make a complaint to the Board. Crucially, Section 5(3) introduces a massive operational requirement for consumer B2C apps: the Data Fiduciary must give the Data Principal the option to access the notice in English and any language specified in the Eighth Schedule to the Constitution of India. The Act illustrates the notice requirement with a banking scenario: If an individual, X, opens a bank account using the mobile app or website of a bank, Y, and opts for processing of her personal data in a live, video-based customer identification process to complete Know-Your-Customer (KYC) requirements, the bank must provide this specific preceding notice.
Section 6: Capturing Valid Consent
Section 6 sets a high bar for the consent itself, requiring it to be free, specific, informed, unconditional, and unambiguous with a clear affirmative action. It must signify an agreement to the processing for the specified purpose and be limited strictly to such personal data as is necessary for that specified purpose. The Act explicitly outlaws bundled permissions for non-essential data access, providing a clear illustration for consumer apps: If an individual, X, downloads a telemedicine app, Y, and the app requests consent for (i) processing personal data for making telemedicine services available, and (ii) accessing her mobile phone contact list, the law protects the user. Even if X signifies consent to both, because the phone contact list is not necessary for making available telemedicine services, her consent shall legally be limited only to the processing of personal data for the telemedicine services.
DPDP Rules 2025: Operationalizing the Itemised Notice
The DPDP Rules 2025 formalize these broad statutory requirements into strict technical specifications for control owners. To satisfy Section 5 and Section 6, Data Fiduciaries must move away from traditional, monolithic privacy policies. The concept of an 'itemised notice' is not a likely future addition; it is an explicit statutory concept directly tied to the Act's notice provisions (informing the specific personal data and purpose) and formalized in the Rules. Organizations must deploy itemised notices that offer a precise, granular breakdown of exact data points being collected and their corresponding purposes. Ultimately, the regulatory framework eliminates the gray area around notice presentation, making explicit, itemised digital consent artefacts a mandatory control point.
Handling Rights and Board Complaints
Under Section 5, it is no longer sufficient to merely ask for data. The preceding itemised notice must explicitly inform the Data Principal about how they can exercise their rights. Furthermore, the notice must clearly outline the manner in which the user may make a complaint to the Data Protection Board. This statutory requirement means B2C apps must integrate rights-management and complaint-redirection mechanisms directly into their core onboarding UI, ensuring users are fully informed before any affirmative action is taken.
Common Misconceptions
The first major misconception is that consent is the absolute only basis for processing personal data under the Act. While consent is the primary basis for processing, Section 4 outlines that processing is also permitted for 'certain legitimate uses.' A second widespread myth is that apps can freely bundle consent for core and non-essential services as long as the user clicks 'Agree'. As illustrated in Section 6, if an app requests access to data not necessary for its core service, the law strictly limits the consent to only the personal data necessary for the specified purpose, outright invalidating the bundled permission.
Implementation Checklist
1. Map existing B2C user journeys to identify every single data collection point and ensure it aligns with a 'lawful purpose' under Section 4. (In-house feasible)
2. Draft explicit itemised notices mapping specific data points to their processing purposes, and ensure these notices are available in English and all languages specified in the Eighth Schedule of the Constitution, per Section 5(3). (In-house feasible)
3. Engineer granular consent capture mechanisms that decouple bundled permissions into separate choices to satisfy Section 6. (Tooling-assisted)
4. Establish an immutable database of consent artefacts for rapid audit trail generation. (Tooling-assisted)
5. Configure a standardized interface for users to review and withdraw permissions seamlessly. (Tooling-assisted)
Complaint Mechanisms and Enforcement Risk
The DPDP Act authorises the Board to impose proportionate financial penalties for non-compliance. Deficiencies in the notice and consent architecture governed by Sections 5 and 6 can attract severe regulatory scrutiny. Crucially, because Section 5 expressly requires Fiduciaries to inform users on how to make complaints to the Board, organizations must anticipate a streamlined pathway for user-initiated disputes. The Board will evaluate the documented control environment and the availability of immediate audit evidence when addressing these complaints, making a defensible, automated architecture critical.
How ComplyDP Helps
For Heads of Compliance managing millions of B2C consumers, manual consent logs are a significant liability. ComplyDP integrates directly into your consumer applications to automate the generation of compliant, multi-lingual itemised notices and immutable consent artefacts without exhausting engineering resources. Our platform delivers a regulator-ready audit trail on demand, providing instant proof of Section 5 and Section 6 compliance during Board inquiries. Begin evaluating your baseline capability today with a free gap assessment at freescan.complydp.com.
Sources
Frequently asked questions
Do we need to collect explicit consent for every single data processing activity?
While consent is the primary basis for processing under Section 6, it is not required for everything. Section 4 of the Act allows processing for 'certain legitimate uses'. However, for most B2C onboarding and application services, capturing free, specific, and informed consent remains legally mandatory.
What exactly needs to be included in a DPDP compliant notice?
Under Section 5 and the Rules 2025, an itemised notice accompanying or preceding a consent request must inform the user of: (i) the specific personal data and purpose of processing; (ii) how to exercise their rights; and (iii) how to make a complaint to the Data Protection Board. Furthermore, under Section 5(3), this notice must be provided in English and any language specified in the Eighth Schedule of the Constitution.
Can we require access to a user's contact list to let them use our core app?
No. Section 6 explicitly states that consent must be limited to the personal data necessary for the specified purpose. If your core service (e.g., a telemedicine app) does not require a contact list to function, making access a condition of service invalidates the consent.
What happens if a user disputes a consent interaction?
Because Section 5 mandates that notices instruct users on how to complain to the Data Protection Board, Fiduciaries should expect disputes to reach regulators. Organizations must be prepared to present undeniable, timestamped audit trails proving that a compliant itemised notice was given and affirmative consent was captured per Section 6.
ComplyDP