Privacy guide

What DPDP says about consent. Most companies get it wrong.

DPDP consent explained simply: clear purpose, separate choices, withdrawal, proof and why bundled consent is risky.

The simple answer

Consent under DPDP should be clear, specific and linked to a purpose. A user should know what they are agreeing to, not just tap one button to make a banner disappear.

The practical problem is bundled consent: one checkbox or one button silently covering service updates, marketing, analytics, ads, partner sharing and profiling.

What to check

1. Name the exact purpose at collection.
2. Separate necessary service use from marketing.
3. Make withdrawal possible.
4. Keep proof of what the user saw.
5. Avoid making consent broader than needed.

If any of these is unclear, treat it as a signal to ask the company for a plain-English explanation.

From our investigation

One button cannot mean everything.

State of Privacy found consent patterns that looked simple but hid many downstream uses. DPDP readiness requires purpose-by-purpose thinking.

What to do next

1. Audit forms and cookie banners.
2. Write purposes in plain English.
3. Build consent logs that can be shown later.

For each step, keep it practical: take one action, save proof, and avoid giving more data than the task needs.

People also ask

What is valid consent under DPDP?

It should be free, specific, informed, unambiguous and linked to a clear purpose.

Can one checkbox cover everything?

That is risky if it hides different purposes like marketing, ads and service messages together.

Can users withdraw consent?

Yes. A practical withdrawal path is part of responsible consent design.

If you are a company
Check your own website.

How many trackers run on your pages? Does your privacy policy name them? Can you answer a data-rights email? If you don't know, we can help you find out.

Talk to Meridian Bridge Strategy →
Your right under Indian law
Mera data mera hai.

Your personal data belongs to you. Under DPDP, every company must tell you what they have and delete it if you ask. One email is all it takes.

Get the template email →
Read the full investigation.

We investigated 107 Indian company websites. The public report shows what we found.
