how to collect a consent how to collect a consent

How to collect consent under DPDPA – 2026 Guide

Summary

  • Build your consent Consent Collection system as per BRD-CMS guidelines and collect consent
  • Connect with a government-registered Consent Manager so people can manage their consent across multiple businesses from one dashboard. The Digital Personal Data Protection Act, 2023 requires businesses to obtain clear, informed, and specific consent before collecting personal data.
  • Map every place your business collects personal data, including your website, mobile apps, employee portals, and offline forms. Scan your website for first- and third-party cookies.
  • Display a cookie consent banner that lets visitors choose which categories to accept. Identify every data collection point in the customer journey, including registration, lead generation, loan applications, careers pages, and profile updates.
  • For each collection point, document the personal data you collect and explain why you collect it using clear, simple language.
  • Display a consent notice before collecting personal data. Start processing data only after the person gives consent. Make your consent notice WCAG-compliant and available in the languages your customers use. Include contact details for your Data Protection Officer, Consent Manager, and grievance redress team.
  • Store every consent record in a secure, tamper-proof, machine-readable consent repository for at least seven years.
  • Build a self-service preference centre so people can view and update their consents whenever they want.

If your business collects personal data in India through a website, mobile app, or any other channel, you must comply with the Digital Personal Data Protection Act, 2023 (DPDPA) and the DPDP Rules, 2025. The law requires you to clearly explain what personal data you collect, why you collect it, and obtain informed consent before processing it. This guide simplifies the consent collection process into nine practical steps that business, legal, and technical teams can follow to build a DPDPA-compliant consent management process.

Step 1: Find Out Where your Business Need to Collect Consent

Identify every point where your business collects personal data from individuals. This includes your website, mobile apps, employee portals, customer support channels, and offline forms that are later digitized.

Step 2: Scan and Collect Consent for Cookies

Map every place where your business collects personal data, including your website, mobile apps, employee portals, support channels, and digitized paper forms. Create a complete inventory of every data collection point, because you can’t protect data you don’t know exists.

Scan your website to identify every cookie, including those added by third-party services like analytics and advertising tools. Then implement a cookie consent banner that clearly explains each cookie category and lets visitors choose what they accept. Record every consent decision with a timestamp and ensure non-essential cookies remain blocked until the visitor gives consent.

Step 3: Identify places where you should Collect Consent

Review your customer journey and identify every page or form that collects personal data. This includes registration, lead generation, loan applications, careers pages, contact forms, and profile updates. Treat each collection point separately, as the data collected and its purpose may differ.

Step 4: List the Exact Data You need to Collect Consent

For each collection point, document every personal data field you collect, such as name, email address, phone number, or identity details. Collect only the information required for the stated purpose, and remove any fields that are not genuinely necessary.

Step 5: Work With Your Legal Team to Write Honest, Simple Consent Statements

Work with your legal team to define the specific purpose for collecting personal data at every collection point. Write each purpose in clear, simple language and request consent separately for each one instead of combining multiple purposes into a single consent option. Here is the difference between a wrong and a right approach.

Example of a wrong statement: “By submitting this form, you agree to our terms and allow us to use your information as described in our privacy policy and for any other business purposes.” This is wrong because it is vague, it bundles multiple unrelated purposes together, and it hides the real reasons behind a link that almost nobody reads.

Example of a right statement: “We will use your phone number to send you an OTP to verify your identity. We will use your email address to send you your loan approval status. You can choose separately whether we may also send you offers on other products.”

Clearly define each purpose, link it to the specific personal data you collect, and allow people to consent to each purpose independently. Document every purpose statement, along with its approval date and approver, to demonstrate compliance if requested by a regulator.

Step 6: Build a DPDPA-Compliant Notice and Show It Before You Collect Anything

Display a consent notice before collecting any personal data. Show the notice, obtain consent, and only then begin collecting and processing the data. Do not collect or process personal data before the individual has given consent.

Step 7: Make Sure Your Notice Is Accessible to Everyone

Design consent notices that are easy to understand and accessible to everyone. Follow WCAG accessibility guidelines, provide notices in the languages your customers use, and include contact details for your Data Protection Officer, grievance redress team, and, where applicable, your registered Consent Manager.

Step 8: Store Consent Records Safely for at Least Seven Years

Record every consent event—whether given, refused, or withdrawn—in a structured, machine-readable format. Store these records in a secure, tamper-evident consent repository that maintains a complete history of every change. Retain consent records for at least seven years and protect them from unauthorised access, as they serve as key evidence of your compliance.

Step 9: Build a Preference Centre So People Can Manage Their Own Consent

People change their minds, move cities, switch jobs, and stop wanting certain types of communication, and the law expects your business to make it just as easy to withdraw consent as it was to give it in the first place. A preference centre is a simple, self-service page where a logged-in customer can see every consent they have given, understand what each one means in plain language, and switch any of them on or off whenever they want. This single page does double duty: it builds trust with your customers because they feel in control, and it keeps your consent repository automatically up to date because every change flows straight back into your records.

Step 10: Connect With Government-Approved Consent Managers

Understand the role of a Consent Manager under the DPDP Rules. A registered Consent Manager allows individuals to view, grant, withdraw, and manage their consents across multiple organisations from a single platform. Your business can build an internal consent management system, but if you want to operate as a recognized Consent Manager, you must register with the Data Protection Board of India and comply with the eligibility and operational requirements defined under the DPDP Rules.

Bringing It All Together

The biggest shift the DPDPA asks of every business is a change in mindset rather than just a change in technology. Instead of collecting data first and explaining yourself later, you now need to explain yourself first, in plain language, and only collect data once someone has genuinely understood and agreed to your request. Every step in this guide, from mapping your assets to connecting with a Consent Manager, exists to support that one simple promise: people should always know what is happening to their information, and they should always be the ones who decide.

Start small if the whole picture feels overwhelming. Pick your single highest-traffic collection point, such as your registration page, and work through all nine steps for just that page first. Once you see how the process works end to end on one page, repeating it across the rest of your business becomes far less daunting, and your organisation will be well on its way to meeting the standards the Digital Personal Data Protection Act, 2023 and its 2025 Rules

FAQ

1. What is the DPDPA, and who does it apply to?

The Digital Personal Data Protection Act, 2023 (DPDPA) is India’s primary data privacy law. It applies to any organisation that collects or processes the personal data of individuals in India, regardless of where the organisation is located. This includes websites, mobile apps, employee systems, and other business processes that handle personal data.

2. Do small businesses also need to follow these consent rules?

Yes. The DPDPA applies to businesses of all sizes that collect or process personal data. While the scale of your compliance may vary, every business must obtain clear and informed consent before processing personal data.

3. What is the difference between a privacy policy and a consent notice?

Understand the difference between a privacy policy and a consent notice. A privacy policy explains your organisation’s overall data practices, while a consent notice explains why you are collecting specific personal data at the point of collection. Display the consent notice before collecting personal data, as a privacy policy alone is not sufficient under the DPDPA.

4. Can I collect consent for multiple purposes using a single tick box?

No. Collect consent separately for each distinct purpose. This allows people to agree to some purposes and decline others. Do not combine unrelated purposes, such as service delivery and marketing, into a single consent option.

5. What happens if someone withdraws their consent?

Allow people to withdraw consent as easily as they gave it. Once they withdraw consent, stop processing their personal data for that purpose as soon as reasonably possible and record the withdrawal with a timestamp in your consent repository.

6. How long do we need to keep consent records?

Store all consent records—including consent given, denied, and withdrawn—in a secure, tamper-evident system for at least seven years. Maintain these records as evidence to demonstrate compliance during regulatory reviews.

7. Do we need to translate our consent notices into regional languages?

Provide consent notices in the languages your customers understand. Offering notices in commonly used Indian languages helps people make informed decisions and ensures everyone can understand what they are consenting to.

8. What is a Consent Manager, and is it recommended for every business?

Integrate with a government-registered Consent Manager so people can view and manage their consents across multiple businesses from a single platform. Most businesses only need to support integration with registered Consent Managers rather than becoming one themselves.

9. Is cookie consent the same as DPDPA consent?

Treat cookie consent as part of your broader DPDPA consent process. Clearly explain what each cookie category does, let visitors choose which categories to accept, record their choice, and honour it immediately.

10. What should we do first if we have not started DPDPA compliance yet?

Start with your highest-traffic data collection point, such as your registration or sign-up page. Document the data you collect, display a compliant consent notice, and record consent. Once the process works for one page, repeat it across the rest of your business.

This article is for general guidance only and does not constitute legal advice. Always consult a qualified data protection lawyer to confirm how the DPDPA applies to your specific business.