The purpose of a Consent Notice is to provide a clear and accurate account of the details necessary to enable the Data Principal to make an informed decision.
WHY MUST A CONSENT NOTICE BE MAINTAINED?
- Section 5 of the DPDP Act mandates that every request for consent must be accompanied or preceded by a notice. A Consent Notice ensures the Data Principal is fully informed before making a decision, ensuring the organisation does not overstep its legal boundaries.
- Section 6 specifies that consent must be “free, specific, informed, unconditional, and unambiguous with a clear affirmative action.” A robust Consent Notice is the mandatory legal mechanism that renders the consent “informed” and “specific.”
- Furthermore, under Rule 3 of the 2025 Rules, Data Fiduciaries are required to present the notice independently of other information [like general Terms of Service] and provide it in clear, plain language, ensuring it is accessible in English and any language specified in the Eighth Schedule to the Constitution
WHAT MUST A CONSENT NOTICE CONTAIN?
- The specific categories and description of Personal Data being collected and processed,
- The lawful purpose and legal bases for processing of the Personal Data,
- The name and particulars of the Data Fiduciary, Processor and sub-Processor [if any],
- Data sharing and the transfers of Personal Data abroad [cross-border data transfers] [if any],
- A specific description of the goods or services to be provided or uses to be enabled by such processing,
- The manner in which Data Principals may exercise their rights [including the right to correction, completion, updating, and erasure],
- The exact manner in which Data Principals may withdraw their Consent,
- The name and contact particulars of the designated Grievance Officer, or the Data Protection Officer [in case of an SDF],
- The escalation matrix of the organisation and the mechanism for grievance redressal and how a complaint can be escalated to the Data Protection Board,
- The period and purposes of Data retention, and
- The technical and organisational security measures taken for Data protection [including data breach measures].
A serviceable consent notice for a toolkit can follow a simple skeleton: a short statement of who is collecting the data; an itemised list of what is being collected; a plain-language explanation of why and what it enables; the rights the individual has and how to exercise them; how to withdraw consent; how to contact the organisation and how to complain to the Data Protection Board; and a clear, unticked affirmative action to give consent, with language options [as under Schedule VIII of the Constitution] available.
HOW TO DRAFT A CONSENT NOTICE?
The following steps should be followed to draft effective Consent Notices:
I. Identify the Data and Specific Purpose
- Firstly, all the Personal Data being collected must be categorised and explicitly listed. Specific fields [such as “Name, Mobile Number, and Payment Details”] should be used. Broad categories [like “User Information”] should be avoided.
- This should be followed by a brief description “Purpose[s]” of Processing the Personal Data.
- Further, the goods or services directly enabled by this processing must be specified.
- The Parties: Data Fiduciaries [including any Joint-Fiduciaries] and Processor[s] [including any Joint/Sub Processors] must also be introduced and specified.
II. Structuring the Notice and Language
- The notice must be drafted in “clear and plain language”, aka the language which is understood by the general public. Technical jargon, legalese, or ambiguous phrasing must be strictly removed.
- Further, the notice must be translated and made accessible in English and all applicable languages specified in the Eighth Schedule to the Constitution, giving the Data Principal a choice of language.
III. Designing the Consent Mechanism
- Obtaining the consent requires a “clear, specific, affirmative action”. Pre-ticked boxes, implied consent, or bundled consent can invalidate the consent.
- The “Use of Consent” must be specified. That is to say, if Personal Data is collected for multiple distinct purposes, separate choices must be provided for each purpose.
- The provision of goods or services must not be made conditional upon consent for processing Personal Data that is unnecessary for that specific service [“Unconditional Consent”].
IV. Specifying the Data Principal Rights
- At this stage, it is essential to specify the “Data Principal Rights” available to them as under the DPDP Act.
- In line with this, the “Procedure” for exercising these Rights must be explained.
- If cookies or similar technologies are used, the types of cookies utilised, their purpose, and the methods available for Data Principals to manage their preferences must also be specified.
V. Withdrawal and Grievance Redressal
- It is essential to outline the “Withdrawal Procedure” to explain exactly how a Data Principal can withdraw their Consent with the same ease with which it was given.
- Further, the “Grievance Officer Details” must be prominently displayed within the Policy. In case the organisation is classified as an SDF, the particulars “Data Protection Officer” must be specified in lieu of a standard Grievance Officer.
- Additionally. the “Complaint Procedure” must also be specified. For example, a clear explanation of how the Data Principal can contact the officer [via email, portal, or physical address] and the expected timeframe for resolution must be added.
- The hierarchy of grievance redressal [“Escalation Matrix”], and the procedure for escalating unresolved issues to the Data Protection Board of India [as a right under the DPDP Act] must be also be specified.
V. Cross Border Data Transfers
- It is essential to specify the conditions for “Data Transfers Outside India”, as written consent is required for any transfers outside India, and that transfers must comply with the DPDP Framework and data protection regulations of the relevant jurisdictions regarding international data flows.
- Similarly, the “Processor Location” must be specified for transfers outside India.
VI. Personal Data Retention and Erasure
- Consequently, the “Retention Period” of the Personal Data must be clearly stated, as per the category of the Data.
- Further, the “Retention Justification” must also be specified. For example, Personal Data may be retained to comply with legal requirements.
VII. Security Measures and Breaches
- The Consent Notice must specify the “Security Measures” required, including encryption, pseudonymisation, technical safeguards and regular security audits.
- At the same time, it must include a strict timeframe [such as within 24 hours] for “Data Breach notifications”, mandating the Processor to notify the Controller of any personal data breach. This ensures the primary organisation can meet its own regulatory reporting deadlines.
VIII. Notice Management and Legacy Data
- It is essential to note that for “Legacy Data” [Personal Data processed where consent was provided before the DPDP Act commenced], an updated Consent Notice must be provided as soon as is reasonably practicable to ensure continued lawful processing.
- Consequently, the notice version and the timestamp of when the Data Principal interacted with it must be meticulously logged to provide a verifiable audit trail for regulatory compliance.
In essence, a Consent Notice is a foundational component of an organisation’s privacy compliance framework under the DPDPA. Beyond fulfilling statutory obligations, it reflects the organisation’s broader commitment to transparency, accountability, and responsible handling of Personal Data. As regulatory expectations and public awareness surrounding privacy rights continue to evolve, Data Fiduciary and Processor organisations must ensure that their consent mechanisms remain clear, purpose-specific, accessible, and aligned with the principles of lawful and fair Data processing.


![Digital Personal Data Protection Toolkit [Part 2]: Data Processing Agreements](https://metaboard-assets.s3.ap-south-1.amazonaws.com/articles/article-1777306369699.webp)


![Digital Personal Data Protection Toolkit [Part 3]: Privacy Policies](https://metaboard-assets.s3.ap-south-1.amazonaws.com/articles/article-1780000045236.webp)