DPDP Sections • 5 min read
DPDP Act Section 6 Explained Valid Consent And Withdrawal Rules
A definitive guide for B2C startup founders on Section 6 of the DPDP Act. Learn how to collect legal consent, implement withdrawal mechanisms, pass investor due diligence, and avoid deal blockers.
Last updated:
The Section 6 Mandate In Plain Language
Section 6 of the Digital Personal Data Protection Act, 2023, dictates exactly how your startup must capture and manage user consent. For digital B2C founders in e-commerce, media, or gaming, this section transforms consent from a generic terms of service checkbox into a granular, verifiable action. It mandates that consent is the primary basis for processing, except where Section 7 legitimate uses apply. You cannot bundle consent for core app functionality with marketing or analytics. Furthermore, you must provide users an easy way to withdraw their consent and maintain audit logs to prove you obtained it legally. This forces a shift from passive data collection to active consent management.
Exact Statutory Text And The Rules 2025 Context
Under Section 6(1), consent must be free, specific, informed, unconditional and unambiguous with a clear affirmative action. It strictly limits processing to data that is necessary for the specified purpose. The Act provides an illustration stating that a telemedicine app cannot condition its services on accessing a user contact list, as the contact list is not necessary for telemedicine. This means every data point collected must have a demonstrable functional necessity.
Section 6(4) introduces a significant operational hurdle for product engineering. It states that the Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. If consent is gathered in a single tap, withdrawal cannot require a phone call or an email to support.
Section 6(10) shifts the legal burden entirely to your startup. If challenged, the Data Fiduciary is obliged to prove that a notice was given and consent was given in accordance with the Act and the DPDP Rules, 2025. The Rules, 2025 enforce this by detailing how itemised notices must precede this consent, tying the user consent directly to specific processing purposes and generating an auditable trail.
Who This Binds And Why Founders Cannot Wait
Section 6 binds your startup directly if you determine the purpose and means of processing user data, making you a Data Fiduciary. The DPDP Act covers digital personal data processed within India, and processing outside India connected to offering goods or services to Data Principals in India. This applies regardless of your startup runway or user base size. There are no exemptions for early stage companies scaling their first product.
Many Seed and Series B founders view privacy compliance as a future problem. However, Section 6 compliance has become a hard deal blocker in investor due diligence and enterprise sales. When enterprise clients send you a security questionnaire, they expect a SOC2-style posture for data privacy. They want to see verifiable proof that your B2C app is not polluting their B2B integrations with non-compliant data. If an investor due diligence checklist asks for your consent logs and you only have a generic privacy policy link, it signals operational immaturity. Waiting until the Rules bite means scrambling to re-engineer your entire onboarding flow while a critical funding round or major enterprise contract stalls.
How To Comply With Section 6 Step By Step
Compliance requires specific engineering and operational workflows. Manual spreadsheets cannot scale for B2C data volumes. Here is how your team must structure your Section 6 compliance to achieve enterprise readiness.
1. Decouple your consent flows. Your product team must stop bundling terms of service with marketing and analytics consent. Ensure the initial request maps directly to the itemised notice required under the Rules, 2025. The artifact here is an updated user interface flow mapping data collection precisely to specific purposes without forced bundling.
2. Build a parity withdrawal mechanism. Your engineering team needs to create a user dashboard or toggle system. If a user gave consent in one click during checkout, they must be able to withdraw it in one click from their profile. The artifact is a working, tested withdrawal interface in your application settings that automatically halts downstream data processing.
3. Establish a burden of proof ledger. You cannot just flip a database boolean when a user says yes. Section 6(10) requires you to prove what they saw and when they agreed. You must log the timestamp, the specific itemised notice version presented under the Rules 2025, the channel of engagement, and the exact affirmative action taken. The artifact is an immutable, queryable consent log ready for investor due diligence or regulatory audit.
4. Prepare for Consent Managers. Section 6(8) and 6(9) introduce Consent Managers registered with the Board. These entities will allow users to manage their consent across multiple platforms centrally. Your technical architecture must be capable of receiving and executing consent withdrawal signals from these external managers via secure API endpoints.
Penalties For Getting Section 6 Wrong
The burden of proof rests entirely on the Data Fiduciary. If a user complains and you cannot produce a compliant audit trail showing free and specific consent, you face severe financial exposure. Under the Schedule to the DPDP Act, failure to fulfill the general obligations of a Data Fiduciary, including Section 6 consent requirements, carries a penalty ceiling of up to 50 crore rupees. When the Data Protection Board investigates, they will weigh your failure to build withdrawal mechanisms or maintain logs as aggravating factors, treating them as structural negligence rather than isolated errors.
Interaction With Other DPDP Sections
Section 6 is deeply connected to Section 5, which mandates the detailed itemised notice you must provide before or at the time of requesting this specific consent.
It interacts with Section 7, which defines the limited legitimate uses where consent is not required, such as responding to medical emergencies or fulfilling statutory legal obligations.
It directly impacts Section 8 obligations, requiring you to protect the data you have collected and delete it once the consented purpose is fulfilled or the consent is withdrawn by the user.
The Countdown To Enforcement
Founders must prioritize time-to-compliant execution immediately. There are exactly 310 days remaining until the DPDP hard compliance deadline of 13 May 2027. Re-engineering frontend user flows and backend consent logs takes months of engineering effort that distracts from core product development. To check if your current user onboarding and data logs satisfy this critical mandate, run a section level gap check at freescan.complydp.com.
Sources
- Digital Personal Data Protection Act, 2023 - Section 6
- Digital Personal Data Protection Rules, 2025
Frequently asked questions
Does my startup really need to build a new consent dashboard?
Yes. Section 6(4) of the DPDP Act mandates that the ease of withdrawing consent must equal the ease of giving it. If users agree in a single click during app onboarding, they must be able to revoke that consent just as easily, usually requiring a dedicated user preference center or dashboard.
Can we force users to agree to marketing tracking to use our B2C app?
No. Section 6(1) dictates that consent must be limited to personal data necessary for the specified purpose. The Act explicitly uses an illustration showing that an app cannot demand access to unrelated data, like a contact list for a telemedicine app, as a condition of providing service.
What happens if a user withdraws consent for data we already processed?
Section 6(5) clarifies that withdrawing consent does not affect the legality of processing that occurred before the withdrawal. However, your startup must cease processing that data for future activities, and the user bears the consequences of withdrawal, such as losing access to personalized features.
How do we prove we collected consent legally during investor due diligence?
Section 6(10) places the burden of proof entirely on the Data Fiduciary. You must maintain immutable logs recording the timestamp, the explicit affirmative action taken by the user, and the exact version of the itemised notice they viewed under the DPDP Rules 2025.
When do we have to comply with these consent rules?
Founders should aim for immediate time-to-compliant readiness to unblock enterprise deals and clear due diligence. There are exactly 310 days remaining until the DPDP hard compliance deadline of 13 May 2027, and re-engineering user flows takes substantial product team effort.
ComplyDP