What Is the DPDPA?

India's data protection legislation, known as the Digital Personal Data Protection Act, 2023 (DPDPA), received Presidential assent on August 11, 2023. As India's first comprehensive data protection law, the DPDPA replaces the limited provisions previously contained in Section 43A of the Information Technology Act, 2000.

The DPDPA altered the rules for organizations that use clickwrap agreements with users in India. Two features distinguish the law from other consent regimes: the Section 6 requirement that consent be unconditional, prohibiting non-essential processing as a precondition for service access, and the introduction of Consent Managers, registered intermediaries that allow individuals to manage consent across services from a single accessible platform.

Who Does DPDPA Apply To?

Section 3 sets the territorial scope. The DPDPA applies to the processing of digital personal data within India, whether the data was collected in digital form or collected offline and later digitised, and to processing outside India where it is connected with offering goods or services to Data Principals within India. Both Data Fiduciaries (entities that, alone or with others, determine the purpose and means of processing) and Data Processors acting on their behalf are within scope, although the Act places the compliance obligations on the Data Fiduciary (Section 8(1)). Personal data processed by an individual for personal or domestic purposes, and personal data that the Data Principal or someone under a legal obligation has made publicly available, fall outside the Act (Section 3(c)).

The DPDPA is applicable when you:

  • Process digital personal data within India.
  • Offer goods or services from outside India to Data Principals within India and process their personal data in connection with that offering.
  • Process personal data collected offline in India and subsequently digitised.

There is no general small-business exemption, though the Central Government may, by notification under Section 17(3), exempt specified Data Fiduciaries or classes of Data Fiduciaries (including startups) from some provisions. Organizations designated as Significant Data Fiduciaries face additional obligations under Section 10, including a Data Protection Officer based in India, an independent data auditor, and periodic Data Protection Impact Assessments. Uniquely, the DPDPA also imposes duties on Data Principals (Section 15), including not filing false or frivolous complaints.

DPDPA and Clickwrap Agreements

DPDPA imposes specific requirements on how consent is collected through clickwrap agreements. Sections 5, 6, 9, and 11 establish that consent must be free, specific, informed, unconditional, and unambiguous, supported by an itemized notice issued before any consent action. Each condition carries direct implications for clickwrap design, disclosure, and recordkeeping.

How DPDPA Affects Clickwrap Design

Section 6(1) defines consent as a free, specific, informed, unconditional, and unambiguous indication of agreement, given through a clear affirmative action and limited to such personal data as is necessary for the specified purpose. The inclusion of "unconditional," a term largely absent from other data protection statutes, has direct implications for clickwrap interface design.

The unconditional standard, read with the purpose-limitation in Section 6(1), prevents organizations from bundling consent for non-essential processing into a single agreement. A clickwrap flow that requires acceptance of marketing data processing or third-party analytics sharing as a prerequisite for account creation undermines this requirement. Essential-purpose consent must be captured separately from non-essential processing, and users must be able to decline the latter without losing access to the core service.

Consent Managers reshape the consent capture paradigm. Section 6(6) introduces a pathway for Data Principals to give, manage, review, and withdraw consent through a Consent Manager, a registered intermediary that is accountable to the individual under Section 6(7) and registered with the Data Protection Board under Section 6(8). For clickwrap platforms, this means the consent interface cannot be a closed system. Organizations must be technically prepared to receive consent signals from registered Consent Managers, honor consent preferences managed through external platforms, and synchronize consent states across systems.

Section 6(4) gives the Data Principal the right to withdraw consent at any time, with the ease of doing so being comparable to the ease with which consent was given. If consent is captured through a single button click, the withdrawal mechanism cannot require navigating multiple settings pages or submitting a manual request. Under Section 6(5), the consequences of withdrawal are borne by the Data Principal, and processing carried out before withdrawal remains lawful; once consent is withdrawn, however, the Data Fiduciary (and any Data Processor acting for it) must cease processing within a reasonable time unless another legal basis applies.

Section 9(1) requires verifiable consent of a parent or lawful guardian before processing a child's personal data; Section 9(2) prohibits processing likely to cause detriment to a child's well-being; and Section 9(3) bans tracking, behavioural monitoring, and targeted advertising directed at children. A clickwrap flow open to users who may be minors therefore has to establish whether the user is a child and route them to a verifiable-parental-consent step before any personal data is collected, and the processing that follows must exclude tracking and targeted advertising for those accounts.

What Must Be Shown Under DPDPA

Section 5(1) requires Data Fiduciaries to give notice, in clear and plain language, either before or together with the request for consent. The notice is not a general privacy policy. The Rules framed under Section 5 call for an itemised description of the personal data and purposes, so in practice the notice must be specific, granular, and presented as a discrete step in the clickwrap flow. The notice must contain:

  • The personal data the Data Fiduciary intends to collect and the specific purpose for which it will be processed.
  • The manner in which the Data Principal may exercise the right to withdraw consent under Section 6(4) and the right of grievance redressal under Section 13.
  • The manner in which the Data Principal may make a complaint to the Data Protection Board.

Section 5(2) addresses consent given before the Act commenced: the Data Fiduciary must still give the Data Principal a Section 5 notice as soon as reasonably practicable, and under Section 5(3) may continue processing on the strength of that earlier consent until the Data Principal withdraws it. The Act does not require the notice to be repeated for every consent request that covers the same data and purposes already noticed, but any new purpose or new category of data requires a fresh notice and fresh consent.

The Act itself does not mandate a specific format, and the word "itemised" comes from the Rules rather than from Section 5, but that requirement implies a structured, line-by-line disclosure of each data item and its purpose rather than a narrative privacy policy.

What Records You Must Keep Under DPDPA

Section 6(10) places the burden of proving that consent was given in accordance with the Act on the Data Fiduciary, and Section 8(1) makes the Data Fiduciary responsible for compliance regardless of any arrangement with a Data Processor. Section 8(3) separately requires the Data Fiduciary to ensure the completeness, accuracy, and consistency of personal data that is used to make a decision affecting the Data Principal or is disclosed to another Data Fiduciary. Significant Data Fiduciaries face elevated documentation obligations under Section 10, including periodic Data Protection Impact Assessments.

A defensible clickwrap consent record under the DPDPA must capture:

  • Subject identity - Verified through the authentication mechanism in place at the consent action.
  • Action timestamp - The exact date and time of each consent or withdrawal event.
  • Itemized notice - The Section 5 disclosure presented before the consent request, including each data item and its purpose.
  • Terms version - The version of the terms or privacy notice in effect at the time of consent.
  • Consent mechanism - Whether consent was given directly or via a registered Consent Manager, and which interface element captured it.
  • Children's data evidence - Where applicable, evidence of verifiable parental consent.

When consent is given, modified, or withdrawn through a Consent Manager, the Data Fiduciary must maintain synchronized records that reflect the current consent state across both systems. Section 8(7) further requires Data Fiduciaries to erase personal data when the specified purpose has been fulfilled or consent is withdrawn, unless retention is required by law. The clickwrap system must link each consent record to the corresponding personal data holdings so that withdrawal triggers an auditable erasure workflow.
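The design rules above (essential and non-essential purposes captured separately, withdrawal as easy as giving, records that survive a Section 6(10) challenge, and withdrawal that triggers an auditable erasure workflow under Section 8(7)) are easier to reason about as a data structure than as prose. The following consent ledger is an added illustration written for this page; it is not code from the Act, the Rules, or any clickwrap vendor. The purpose identifiers, the "essential" flag, the mechanism strings, the Consent Manager id and the SHA-256 hash chain are all design choices assumed here for the example.

```python
"""Consent ledger for a DPDPA clickwrap flow (illustrative, written for this page).

Assumed, not prescribed by the Act: purpose ids, the essential/non-essential flag,
the mechanism strings ("direct" or "consent_manager:<id>") and the SHA-256 hash chain.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Purpose:
    purpose_id: str
    data_items: tuple[str, ...]  # personal data items processed for this purpose
    essential: bool              # needed to deliver the core service?


class BundledConsentError(ValueError):
    """A flow gated the service on a non-essential purpose (Section 6(1) 'unconditional')."""


@dataclass
class ConsentLedger:
    purposes: dict[str, Purpose]
    events: list[dict] = field(default_factory=list)

    def _append(self, event: dict) -> dict:
        # Hash-chain each event so a later edit to any record is detectable when
        # the fiduciary has to prove consent under Section 6(10).
        prev = self.events[-1]["hash"] if self.events else "0" * 64
        body = {**event, "prev_hash": prev}
        body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.events.append(body)
        return body

    def validate_flow(self, required: set[str]) -> None:
        # Only essential purposes may be a precondition for access to the service.
        gated = {p for p in required if not self.purposes[p].essential}
        if gated:
            raise BundledConsentError(f"non-essential purposes gated on access: {sorted(gated)}")

    def give(self, subject_id: str, purpose_ids: list[str], terms_version: str,
             mechanism: str = "direct", parental_consent_evidence: str | None = None,
             at: datetime | None = None) -> dict:
        at = at or datetime.now(timezone.utc)
        notice = {p: list(self.purposes[p].data_items) for p in purpose_ids}  # Section 5 items
        return self._append({"type": "give", "subject_id": subject_id, "at": at.isoformat(),
                             "notice": notice, "terms_version": terms_version,
                             "mechanism": mechanism,
                             "parental_consent_evidence": parental_consent_evidence})

    def withdraw(self, subject_id: str, purpose_ids: list[str], mechanism: str = "direct",
                 at: datetime | None = None) -> set[str]:
        # Withdrawal is one call, whatever the mechanism (Section 6(4)); it returns the
        # data items that now lack a consented purpose so erasure can be triggered.
        at = at or datetime.now(timezone.utc)
        self._append({"type": "withdraw", "subject_id": subject_id, "at": at.isoformat(),
                      "purposes": list(purpose_ids), "mechanism": mechanism})
        return self.items_to_erase(subject_id)

    def active_purposes(self, subject_id: str) -> set[str]:
        # Replay direct and Consent Manager events in ledger order; the latest wins.
        active: set[str] = set()
        for e in self.events:
            if e["subject_id"] != subject_id:
                continue
            if e["type"] == "give":
                active |= set(e["notice"])
            else:
                active -= set(e["purposes"])
        return active

    def items_to_erase(self, subject_id: str) -> set[str]:
        # Items no longer covered by any active purpose (Section 8(7)). Retention
        # required by law is not modelled here and would be excluded in practice.
        covered = {i for p in self.active_purposes(subject_id) for i in self.purposes[p].data_items}
        ever = {i for e in self.events if e["subject_id"] == subject_id and e["type"] == "give"
                for items in e["notice"].values() for i in items}
        return ever - covered

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for e in self.events:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo() -> dict:
    # Constructed sample purposes; "email" serves both an essential and a non-essential purpose.
    purposes = {
        "account": Purpose("account", ("email", "password_hash"), essential=True),
        "marketing": Purpose("marketing", ("email", "browsing_history"), essential=False),
        "analytics": Purpose("analytics", ("device_id", "browsing_history"), essential=False),
    }
    ledger = ConsentLedger(purposes)
    try:
        ledger.validate_flow({"account", "marketing"})  # bundled: must be rejected
        bundled_rejected = False
    except BundledConsentError:
        bundled_rejected = True
    ledger.validate_flow({"account"})  # compliant: only the essential purpose is required
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger.give("user-42", ["account"], "tos-v3", at=t0)                   # essential, separate click
    ledger.give("user-42", ["marketing", "analytics"], "tos-v3", at=t0)    # optional, separate click
    erase = ledger.withdraw("user-42", ["marketing", "analytics"],
                            mechanism="consent_manager:cm-hyp")  # hypothetical Consent Manager id
    return {"bundled_rejected": bundled_rejected, "active": ledger.active_purposes("user-42"),
            "erase": erase, "chain_ok": ledger.verify_chain()}


if __name__ == "__main__":
    print(demo())
```

Two points the example makes that the prose does not: withdrawing the non-essential purposes erases `browsing_history` and `device_id` but keeps `email`, because the email address is still covered by the essential account purpose, and the Consent Manager withdrawal is recorded in the same chain as the direct clickwrap consent, so the "current consent state" is a single replay of one ledger rather than a reconciliation between two systems.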


Key Provisions of DPDPA

Free, Specific, Informed, Unconditional, Unambiguous Consent
Consent must be free, specific, informed, unconditional, and unambiguous, given by clear affirmative action signifying agreement. It must be limited to the personal data necessary for the specified purpose and may not be bundled with other consents as a condition for accessing services.
Consent Managers
The DPDPA introduces the concept of Consent Managers, registered entities that enable data principals (individuals) to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform. Consent Managers must be registered with the Data Protection Board and meet prescribed technical and operational standards.
Data Fiduciary Obligations
Data Fiduciaries (entities determining the purpose and means of processing) must process personal data only for lawful purposes for which consent was obtained, ensure accuracy and completeness, implement reasonable security safeguards, and delete personal data when the purpose is fulfilled or consent is withdrawn.
Significant Data Fiduciary
The Central Government may designate certain Data Fiduciaries as Significant Data Fiduciaries based on volume and sensitivity of data processed, risk to data principals, impact on sovereignty, and other factors. Significant Data Fiduciaries must appoint a Data Protection Officer based in India, appoint an independent data auditor, and conduct periodic Data Protection Impact Assessments.
Legitimate Uses Without Consent
Personal data may be processed without consent for certain legitimate uses: voluntary provision of data by the individual for a specified purpose, State-related functions, compliance with legal obligations, medical emergencies, employment purposes, and public interest as prescribed.
Right to Erasure
Data principals have the right to request erasure of personal data that is no longer necessary for the purpose for which it was collected, unless retention is required by law. Data Fiduciaries must erase personal data when the specified purpose has been fulfilled or consent is withdrawn.
Cross-Border Transfer Framework
Personal data may be transferred outside India to any country or territory not restricted by the Central Government through notification. The Government maintains a negative list approach: transfers are permitted unless specifically prohibited to certain jurisdictions.
Duties of Data Principals
Uniquely, the DPDPA imposes duties on Data Principals (individuals) under Section 15, including not filing false or frivolous complaints, not providing false personal data, and not impersonating another person when providing data. Breach of these duties may attract a penalty of up to INR 10,000 under Schedule entry 5.

Penalties for DPDPA Non-Compliance

Tier 1 (Highest) Up to INR 250 crore (approximately USD 30 million)
Schedule entry 1: Failure of a Data Fiduciary to take reasonable security safeguards to prevent a personal data breach under Section 8(5) may attract a financial penalty extending to INR 250 crore. This is the highest penalty in the DPDPA Schedule.
Tier 2 (High) Up to INR 200 crore (approximately USD 24 million)
Schedule entries 2 and 3: Failure to give the Board or the affected Data Principal intimation of a personal data breach under Section 8(6), and breach of the additional obligations relating to children under Section 9, may each attract a financial penalty of up to INR 200 crore.
Tier 3 (Significant Data Fiduciary) Up to INR 150 crore (approximately USD 18 million)
Schedule entry 4: Breach of the additional obligations imposed on Significant Data Fiduciaries under Section 10 (including the appointment of a Data Protection Officer in India, an independent data auditor, and periodic Data Protection Impact Assessments) may attract a penalty of up to INR 150 crore.
Tier 4 (Default) Up to INR 50 crore (approximately USD 6 million)
Schedule entry 7: Breach of any other provision of the DPDPA or rules made thereunder may attract a financial penalty of up to INR 50 crore. This is the default penalty for breaches not specifically enumerated in the Schedule.

Frequently Asked Questions

How do Consent Managers affect clickwrap consent capture?
Consent Managers are a novel concept under the DPDPA: registered intermediaries that manage consent on behalf of individuals. For clickwrap platforms, this means consent may not always be captured directly through the organization's own interface. Platforms must be technically prepared to accept and honor consent signals from registered Consent Managers, maintain interoperability with these systems, and recognize that users may use external tools to review, modify, or withdraw consent previously given through a clickwrap flow.
Does the DPDPA apply to personal data collected before it came into force?
Yes, where that data is processed in digital form. Section 5(2) addresses consent given before the Act commenced: the Data Fiduciary must give the Data Principal a Section 5 notice as soon as reasonably practicable, and under Section 5(3) may continue processing on the strength of the earlier consent until it is withdrawn. Organizations should review their existing data holdings and confirm that each processing activity rests on compliant consent or an applicable legitimate use under Section 7. For clickwrap platforms, this typically means presenting existing users with an updated notice that meets the Section 5 standard and capturing fresh consent for any purpose or data category the earlier consent did not cover.

This entry is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for guidance specific to your situation.