We have all become expert consent-givers without ever actually consenting to anything. Every app installation, every new website, every loyalty programme signup comes with a wall of text we scroll past and a button we tap. Technically, we agreed. Practically, we have no idea what we agreed to. The DPDPA 2023 takes direct aim at this habit — not by making consent optional, but by making it mean something.
Under the Act, consent has to be free, specific, informed, unconditional, and unambiguous. Each of those words has weight. “Specific” means a food delivery platform cannot use your location data for purposes beyond delivering your order — not for targeted advertising, not for market research — unless they ask separately and you agree separately. “Informed” means the notice provided before seeking consent must be in plain language, and under the new rules, available in multiple Indian languages. A company cannot bury its data practices in legalese and call it disclosure. The law expects a standard that a reasonably ordinary person can actually understand.
One of the more thoughtful provisions here is the acknowledgment that consent can be withdrawn. If you gave a retailer permission to use your purchase history for personalised offers and later change your mind, you have the right to pull that consent back. The fiduciary must then stop using your data for that purpose and delete what they no longer have a legitimate reason to hold. This shifts consent from a one-time transaction at signup into an ongoing relationship — which is a fundamentally different way of thinking about data, and one that businesses collecting data at scale will need to build their systems around.