Comply DP

Consent & Notice

Build consent flows that meet the Act - not ones that look like they do.

The problem

Most Indian companies have a single checkbox that says "I agree to the Terms & Conditions and Privacy Policy." Under the DPDP Act, this is non-compliant in at least four ways.

First, consent must be purpose-specific. A single checkbox bundling transactional communications, marketing emails, analytics tracking, and third-party data sharing into one "I agree" is not specific consent. Each purpose needs its own consent mechanism.

Second, the privacy notice must be standalone. Rule 3 explicitly requires the notice to be presented independently of your Terms of Service - not merged into them, not linked from a footnote inside them.

Third, consent must be unconditional. You cannot make access to your core service conditional on consent to unrelated data processing. If your app requires location permission to create an account, and location is not essential to the service, the consent is invalid.

Fourth, withdrawal must be as easy as giving consent. If consent requires one tap, withdrawal must also require one tap. An email to support@company.com is not equivalent to a checkbox.

Most companies discover these problems after a prospect's legal team reviews their consent flow during procurement - or after a DPBI investigation.

What ComplyDP does

Privacy notice builder

Generate standalone privacy notices that meet Rule 3 requirements. Itemised data categories, purpose-specific descriptions, named recipients, retention periods, and rights disclosure - structured so you fill in your specifics and the output is compliant by default. Available in English and scheduled Indian languages.

Purpose-specific consent forms

Design consent flows with separate opt-in controls for each processing purpose. No pre-ticked boxes. Each consent checkbox maps to a specific data category, purpose, and set of recipients - exactly as the Act requires.

Consent record vault

Every consent event is logged with a timestamp, the specific purposes consented to, the version of the notice shown, the language of the form, and the method of consent. These records are your audit trail if the DPBI asks to see proof of valid consent.

One-click withdrawal

A consent preferences dashboard where users can toggle purposes on and off - matching the 'as easy as giving consent' requirement. When a user withdraws consent, the system logs the withdrawal and triggers downstream processing cessation.

Multilingual support

Privacy notices and consent forms in English and constitutionally scheduled Indian languages. Not machine-translated boilerplate - structured templates where legal terminology is accurately localised.

How it works

  1. Map your processing activities

     List every category of personal data you collect, the purpose for each, and who you share it with. ComplyDP's guided flow walks you through this in 15-20 minutes.

  2. Generate your notice and consent forms

     The platform builds a Rule 3-compliant privacy notice and purpose-specific consent forms based on your inputs. Review, customise, and deploy.

  3. Deploy and collect consent

     Integrate the consent forms into your app, website, or checkout flow. Every consent event is automatically logged in the consent record vault.

  4. Manage and prove

     Users manage their preferences through the withdrawal dashboard. You can export consent records for audit, regulator response, or vendor qualification at any time.

What the Act requires

| Section | Requirement |
| --- | --- |
| Section 5 | Privacy notice must be given before or at the time of collecting personal data |
| Section 6 | Consent must be free, specific, informed, unconditional, and unambiguous |
| Section 6(4) | Withdrawal of consent must be as easy as giving consent |
| Rule 3 | Privacy notice must be standalone, separate from Terms of Service |
| Rule 3 | Notice must be available in English or any of 22 scheduled languages |
| Rule 3 | Notice must itemise data categories, purposes, recipients, and rights |

Frequently asked questions

Do privacy policies count as DPDP notice?

No. Rule 3 requires the privacy notice to be a standalone document presented independently of Terms of Service. Your existing privacy policy may contain some of the required information, but it must be restructured as an independent notice with itemised data categories, specific purposes, and contact details - not buried inside a longer legal document.

What is valid consent under DPDP?

Consent must be free (not coerced), specific (tied to a particular purpose), informed (the person understands what they are consenting to), unconditional (not bundled with service access for unrelated processing), and unambiguous (given through clear affirmative action - not pre-ticked boxes or inferred from silence).

Does the notice need to be in local languages?

Yes. The notice must be available in English or any of the 22 languages in the Eighth Schedule to the Indian Constitution, based on the Data Principal's preference. If your user base includes Hindi, Marathi, Tamil, or Telugu speakers, you should offer notices in those languages.

What if we collected data before DPDP commencement?

You must issue a retrospective privacy notice to all existing users informing them about your data processing activities and their rights under the Act. The notice must give them the opportunity to withdraw consent. Processing based on pre-DPDP consent can continue only if the notice is issued and the user does not withdraw.

Can consent be withdrawn?

Yes, at any time. Withdrawal must be as easy as giving consent. Once withdrawn, you must stop processing for that purpose. Withdrawal does not affect the lawfulness of processing done before withdrawal. You must delete data collected for that purpose unless a separate lawful basis for retention exists.

Find out where you stand

10-minute diagnostic. 43 controls. No demo call required.