Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.

Research Team (Tsaaro)
Published

Introduction
In 2023, a significant milestone was achieved with the enactment of India’s long-awaited data protection law, the Digital Personal Data Protection Act, 2023 (DPDPA), following the landmark Supreme Court case of Justice K.S. Puttaswamy (Retd.) v. Union of India, which upheld privacy as a fundamental right. The journey towards formulating comprehensive data protection laws began after the judgment, leading to multiple iterations of the bill until the final enactment of the DPDPA 2023.
Central to the Act is the principle that the personal data of a Data Principal can only be processed in accordance with the provisions of the DPDPA and for a lawful purpose for which the Data Principal has given explicit consent. Thus, ‘consent’ emerges as pivotal to processing operations. In the K.S. Puttaswamy case, it was observed that,
“…. apart from safeguarding privacy, data protection regimes seek to protect the autonomy of the individual. This is evident from the emphasis in the European data protection regime on the centrality of consent. Related to the issue of consent is the requirement of transparency which requires a disclosure by the data recipient of information pertaining to data transfer and use.”
Therefore, informed consent plays a critical role in securing the rights of individuals whose personal data is being processed.
To enforce the provisions of the DPDPA, the Ministry of Electronics and Information Technology (MeitY) released the Digital Personal Data Protection Rules, 2025 (DPDP Rules) on 13th November, 2025.
This blog aims to explore the mandates related to consent and notice requirements as outlined in the DPDPA and its allied Rules.
Notice and Consent Requirement Under the DPDPA and the DPDP Rules
The Digital Personal Data Protection Act, 2023 establishes strict requirements for processing personal data, emphasizing consent as a cornerstone principle. Section 4 (1) of the DPDPA mandates that Data Fiduciaries can process personal data only if the Data Principal provides explicit consent, aligning with global standards for privacy protection. Section 6 (1) of the Act emphasizes that consent must be free, specific, informed, unconditional, and unambiguous, signifying clear agreement to the processing of personal data for the specified purpose and limited to what is necessary for that purpose. These provisions collectively ensure that the consent process is thorough and respects the rights of the Data Principal.
Moreover, Section 5 provides that the Data Fiduciary must provide the Data Principal with a notice detailing the personal data processed and its purpose. The notice should also outline the procedure for exercising rights under sub-section (4) of section 6 (right to withdraw consent) and section 13 (right of grievance redressal). Additionally, it must specify the process for lodging complaints with the Board. This provision of the law thus enables transparency and accountability in data processing practices.
Rule 3 of the Digital Personal Data Protection Rules 2025 specifies rigorous criteria for consent notices aimed at ensuring informed and specific consent from Data Principals.
The notice provided by a Data Fiduciary to the Data Principal serves as a crucial tool for ensuring transparency, accountability, and informed consent in the processing of personal data. This notice must adhere to specific requirements to guarantee clarity and accessibility for the Data Principal.
Notice Requirements Under Rule 3 of the DPDP Rules
Rule 3 of the DPDP Rules lays down the essential elements every Data Fiduciary must include in a notice issued to a Data Principal.
Independent and Clear Presentation: The notice must be understandable on its own, without depending on any past or future information shared by the Data Fiduciary. It should stand independently and give clarity without forcing the individual to refer elsewhere.
Plain Language with Key Details: The notice must use clear and simple language to give the Data Principal a fair understanding necessary to provide specific and informed consent. At a minimum, it must include:
An itemised description of the personal data being processed.
The specified purpose(s) of processing, along with a clear description of the goods, services, or uses enabled through such processing.
Easy Access and User Rights: The notice must provide a direct communication link to the Data Fiduciary’s website or app, along with any other available means through which the Data Principal can:
Withdraw consent with the same level of ease as when it was given.
Exercise their rights under the DPDP Act.
File complaints with the Data Protection Board.
These requirements ensure that individuals are equipped with transparent information, meaningful control, and easy pathways to exercise their rights, making consent an informed, user-centric process rather than a passive formality.
What this Means for the Organizations
To comply with the Act and DPDP Rules, organizations must provide clear, concise, and easily understandable notices to data principals, itemizing the personal data collected, its processing purpose, and associated services. The notice should outline how data principals can exercise their rights, including withdrawing consent, accessing platforms, and filing complaints, ensuring transparency and ease of action.
Websites and online platforms that deploy cookies to collect, store, or process personal data must obtain explicit consent from Data Principals. The cookie consent notice/banner must clearly inform users about the types of cookies used, their purpose, and how collected data will be utilized, to showcase compliance with the DPDP Rules. Users must also have a mechanism to withdraw consent at any point (withdrawal should be as easy for the Data Principal as it was to give the consent). These requirements ensure that Data Principals have meaningful control over their personal data, fostering greater transparency and accountability in online data practices.
To comply with the DPDP Rules, organizations should implement an effective privacy notice and cookie consent strategy that clearly communicates data collection, processing purposes, and user rights. A user-friendly consent management system is essential, ensuring individuals can easily give and withdraw consent. Additionally, organizations must establish processes for handling Data Subject Requests (DSRs), enabling data principals to access, rectify, or erase their data with ease as per DPDPA.
Conclusion
The DPDPA, 2023, and the DPDP Rules, 2025, mark a significant step towards strengthening data privacy and empowering individuals with control over their personal data. The emphasis on explicit, informed, and unambiguous consent ensures that the processing of personal data aligns with global standards of transparency and accountability. Through detailed mandates on notice requirements, the DPDP Rules guarantee that Data Principals are equipped with clear and accessible information about how their data will be processed, their rights, and grievance redressal mechanisms.
For organizations, these mandates are not just legal obligations but also opportunities to foster trust, transparency, and accountability in their data-handling practices. Adhering to these requirements will not only ensure compliance but also enhance user confidence, positioning businesses as responsible stewards of personal data in an increasingly data-driven world.