LEGAL EXPLAINER • 6 min read
DPDP Consent and Notice Requirements for Consumer Apps Under Act 2023 and Rules 2025
An in-depth analysis of consent and notice obligations under the DPDP Act 2023 and DPDP Rules 2025, detailing operational requirements for consumer platforms, lawful purpose standards, strict limitations on data collection, and practical examples.
Last updated:
Overview: The Consent Challenge for B2C Enterprises
For large consumer digital platforms handling millions of users, the Digital Personal Data Protection (DPDP) Act 2023 and the DPDP Rules 2025 transform how consumer data is collected and managed. The shift from vague, bundled privacy policies to granular, auditable consent is a major operational hurdle. Your compliance teams and control owners require regulator-ready evidence that every data point collected maps to a specific, lawful purpose. Relying solely on the bare Act is outdated; consumer apps must now bridge the statutory principles of the Act with the operational mandates of the Rules 2025. This article outlines the strict statutory requirements for consent and notice under Sections 4, 5, and 6 of the DPDP Act, alongside the "manner prescribed" by the Rules 2025, explaining how applications can build an evidence-ready compliance posture.
Section 4: Establishing a Lawful Purpose
Before requesting any data, businesses must establish a valid legal ground. Section 4(1) of the DPDP Act establishes that a person may process the personal data of a Data Principal only in accordance with the provisions of the Act and for a "lawful purpose." The Act strictly defines a lawful purpose under Section 4(2) as any purpose which is not expressly forbidden by law. This means that before an app even presents a notice or requests consent, the underlying business objective must be legally sound. To legally process this data, fiduciaries must rely on one of two grounds: either the Data Principal has given their explicit consent, or the processing falls under certain "legitimate uses." While legitimate uses offer an alternative, for most large-scale B2C applications, user consent governed by the Rules 2025 will serve as the primary legal basis for processing consumer data.
Section 5 and Rules 2025: The Notice Obligation
Section 5 mandates that every request made to a Data Principal for consent under Section 6 must be accompanied or preceded by a notice given by the Data Fiduciary. This notice serves as the foundation for transparency and must inform the Data Principal of three specific items. First, the personal data being collected and the exact purpose for which it is proposed to be processed. Second, the manner in which the user may exercise their rights under sub-section (4) of Section 6 (regarding the withdrawal of consent) and Section 13. Third, the exact manner in which the Data Principal may make a formal complaint to the Data Protection Board. Crucially, Section 5 dictates that this information must be provided "in such manner and as may be prescribed." This statutory hook makes Act-only compliance insufficient; businesses must strictly adhere to the DPDP Rules 2025, which prescribe the exact operational formats, language, and presentation mechanisms for these notices.
The Act illustrates this Section 5 requirement with a clear banking scenario. Suppose "X", an individual, opens a bank account using the mobile app or website of "Y", a bank. To complete the Know-Your-Customer (KYC) requirements mandated under law for opening a bank account, X opts for the processing of her personal data by Y in a live, video-based customer identification process. In this scenario, Y shall provide the requisite notice outlining the data, purpose, rights, and complaint mechanisms - presented exactly in the manner prescribed by the DPDP Rules 2025 - before or alongside the request for this specific video KYC data processing.
Section 6: Quality and Limitations of Consent
Section 6(1) dictates the strict quality standards that consent must meet to be legally valid. The consent given by the Data Principal shall be free, specific, informed, unconditional, and unambiguous with a clear affirmative action. It must signify an agreement to the processing of her personal data for the specified purpose. Crucially, the Act limits consent strictly to such personal data as is necessary for such specified purpose. Overbroad consent requests are statutorily invalid, and the Rules 2025 reinforce the operational necessity of itemised consent interfaces.
The DPDP Act provides a clear illustration to highlight this strict necessity limitation. Suppose X, an individual, downloads Y, a telemedicine app. The app Y requests the consent of X for (i) the processing of her personal data for making available telemedicine services, and (ii) accessing her mobile phone contact list. Even if X explicitly signifies her consent to both requests, the law restricts this. Since the phone contact list is not necessary for making available telemedicine services, her consent shall be limited solely to the processing of her personal data for making available telemedicine services. Any data collected beyond this boundary is processed without valid consent, regardless of the user's initial agreement.
Operationalising Notice and Consent for Apps
To comply with the combined force of the DPDP Act 2023 and Rules 2025, consumer apps can no longer rely on pre-ticked boxes or long, jargon-heavy privacy policies. Because Section 6 requires a "clear affirmative action" and Section 5 requires notices in a "prescribed manner," Data Fiduciaries must implement itemised, just-in-time notices as dictated by the Rules. When a user signs up or interacts with a new feature, they must be presented with granular choices detailing exactly what data is used for what specific purpose. Furthermore, when a user exercises their right to withdraw consent, that signal must propagate across all backend systems, halting processing immediately. Tracking these granular consent artefacts, tying them to the prescribed notice presented, and maintaining strict version control is a significant engineering challenge.
Common Misconceptions About DPDP Compliance
Several myths persist regarding the DPDP framework. First, many assume explicit consent is the absolute only basis for processing data. This is incorrect; Section 4(1)(b) explicitly outlines that processing is also permitted for certain legitimate uses without explicit consent. Second, there is a dangerous misconception that broad, unconditional consent allows a company to collect whatever data it desires, as long as the user clicked "agree." As Section 6 illustrates with the telemedicine example, even if a user explicitly signifies consent to hand over unnecessary data (like the phone contact list), that consent is statutorily invalid if the data exceeds what is strictly necessary. Finally, viewing compliance solely through the lens of the DPDP Act 2023 is outdated; ignoring the "manner prescribed" by the DPDP Rules 2025 renders notices legally defective.
Implementation Checklist for B2C Enterprises
1. Map existing data collection touchpoints to identify and eliminate bundled flows, ensuring all purposes are lawful and not expressly forbidden by law. 2. Draft clear, itemised notices per Section 5, ensuring users are informed of the data, purpose, rights, and complaint mechanisms strictly in the "manner prescribed" by the DPDP Rules 2025. 3. Audit data collection points to ensure no app requests data that is unnecessary for its core service, adhering to Section 6 limitations on necessary data. 4. Implement interface systems to capture free, specific, informed, unconditional, and unambiguous consent via a clear affirmative action. 5. Set up withdrawal synchronization to ensure consent changes immediately halt processing in all downstream database systems.
How ComplyDP Helps
ComplyDP provides the infrastructure to manage millions of consent artefacts in full compliance with both the DPDP Act 2023 and the prescriptive formatting of the DPDP Rules 2025. Our platform integrates directly with your existing backend systems, ensuring every itemised notice, user acceptance, and withdrawal is securely logged and immediately enforceable across your data architecture. This creates an immutable, regulator-ready audit trail that simplifies compliance reporting and ensures tight alignment with Sections 4, 5, and 6. For a clear view of your current exposure, test your readiness at freescan.complydp.com.
Frequently asked questions
How do the DPDP Rules 2025 impact consent notices?
While Section 5 of the DPDP Act 2023 establishes what a notice must contain (data, purpose, rights, and complaint mechanisms), it mandates that this be done 'in such manner and as may be prescribed.' The DPDP Rules 2025 provide these prescribed operational details, dictating exactly how notices must be formatted and presented to users.
Is consent the absolute only way to process consumer data?
No. Under Section 4 of the DPDP Act, personal data can be processed either on the basis of consent or for certain legitimate uses.
Can an app require access to data not needed for its core service?
No. Section 6 explicitly limits consent to only the personal data that is necessary for the specified purpose, rendering consent for unnecessary data legally invalid even if the user agrees. The Act illustrates this by prohibiting a telemedicine app from accessing a contact list.
How does the DPDP Act define a lawful purpose?
Section 4(2) defines a 'lawful purpose' as any purpose which is not expressly forbidden by law.
What constitutes valid consent under the DPDP Act?
According to Section 6, valid consent must be free, specific, informed, unconditional, and unambiguous, and it must be provided through a clear affirmative action.
How does the DPDP Act illustrate the notice requirement for financial apps?
The Act uses an illustration where an individual opens a bank account via an app. If the user opts for a live, video-based customer identification process for KYC, the bank must provide a notice detailing the data collected, purpose, user rights, and Board complaint mechanisms - delivered in the manner prescribed by the Rules 2025 - before or alongside the request.
ComplyDP