Consent journey design under the DPDP Act
A practical guide to designing DPDP consent journeys for Indian apps, websites and digital products with records and withdrawal paths.
Consent should be a choice, not a scavenger hunt.
Consent journey design under the DPDP Act requires legal, product and design teams to work from the same facts. India Code identifies the Digital Personal Data Protection Act, 2023 as Act 22 of 2023, enacted on 11 August 2023, and lists Section 6 on consent, Section 5 on notice and related provisions on processing and obligations. India Code also lists DPDP Rules, 2025 material and notifications dated 13 November 2025, with a corrigendum dated 11 December 2025. The current official material should be checked before final timing or rule claims are made.
A consent journey is not just a button. It includes the notice shown before the decision, the language used, the action taken by the user, the record stored, the withdrawal route, and the way downstream systems respect the decision.
What to review
Review where consent is requested and why. Identify the data, purpose, user group, product screen, backend event, record storage and withdrawal path. If one screen bundles multiple purposes, check whether the design gives the user a meaningful decision.
Review the consent record. Teams should know what was shown, when it was shown, what the user did, which version applied and how the decision affects systems. A design can look clean but fail if the backend cannot produce a reliable record.
Review withdrawal. A consent journey is incomplete if withdrawal is harder to find than consent. Product, support and engineering teams should understand what changes after withdrawal and which systems must be updated.
Implementation steps
- Map every consent request to a specific purpose, screen, user group and data flow.
- Align the consent language with the notice, inventory and purpose map.
- Record consent events with version, timestamp, user reference, purpose and source.
- Design withdrawal so users can find it and teams can operationalise it.
- Test whether downstream systems respect consent and withdrawal decisions.
- Review consent journeys after product, vendor, analytics or marketing changes.
Good consent design should feel ordinary to the user and precise to the organisation. It should not require legal interpretation at the point of use.
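A sketch of the record and downstream check the steps above describe, as an added example that is not DataNuance's code or anything prescribed by the Act or Rules. The class and function names, field names, purposes and user references are assumptions made for illustration.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

@dataclass(frozen=True)
class ConsentEvent:
    user_ref: str        # pseudonymous user reference, not raw identity
    purpose: str         # one purpose per event, never a bundle
    action: str          # "grant" or "withdraw"
    notice_version: str  # version of the notice text shown
    source: str          # screen or journey that captured the decision
    timestamp: str       # UTC, ISO 8601

class ConsentLedger:
    """Append-only log: events are added, never edited or deleted."""
    def __init__(self):
        self._events = []

    def record(self, user_ref, purpose, action, notice_version, source, now=None):
        if action not in ("grant", "withdraw"):
            raise ValueError(f"unknown action: {action}")
        ts = (now or datetime.now(timezone.utc)).isoformat()
        event = ConsentEvent(user_ref, purpose, action, notice_version, source, ts)
        self._events.append(event)
        return event

    def history(self, user_ref, purpose):
        """Evidence trail: what was shown, when, and what the user did."""
        return [asdict(e) for e in self._events
                if e.user_ref == user_ref and e.purpose == purpose]

    def is_permitted(self, user_ref, purpose):
        """Default deny: allowed only if the latest event for this purpose is a grant."""
        trail = self.history(user_ref, purpose)
        return bool(trail) and trail[-1]["action"] == "grant"

def allowed_recipients(ledger, user_refs, purpose):
    """Downstream gate: a job calls this before processing for `purpose`."""
    return [u for u in user_refs if ledger.is_permitted(u, purpose)]

def demo():
    # Constructed sample data: two users, one withdrawal from the settings screen.
    ledger = ConsentLedger()
    ledger.record("u-1001", "marketing_email", "grant", "notice-v3", "signup_screen")
    ledger.record("u-1001", "analytics", "grant", "notice-v3", "signup_screen")
    ledger.record("u-1002", "marketing_email", "grant", "notice-v3", "signup_screen")
    ledger.record("u-1001", "marketing_email", "withdraw", "notice-v3", "settings_privacy")
    return ledger
```

Because each purpose is checked separately and the absence of a record means no permission, a withdrawal for one purpose takes effect downstream without touching the user's other decisions, and the earlier grant stays in the trail as evidence.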
Common mistakes
- Designing a clear button without ensuring the backend can record the decision accurately.
- Bundling unrelated purposes into one consent request without operational clarity.
- Providing withdrawal text but no working route for product, support and systems to act on it.
How DataNuance can help
DataNuance can review consent journeys for Indian digital products, including notices, UI text, event records, withdrawal paths, vendor impact and implementation evidence.
For a DPDP consent journey review, contact DataNuance.
FAQs
What is a consent journey?
It is the full user and system path for requesting, recording, acting on and withdrawing consent.
Is a checkbox enough?
No. The organisation also needs clear notice, purpose mapping, records and operational effect.
What should consent records capture?
They should capture version, time, purpose, user reference, source journey and any later withdrawal.
When should consent journeys be retested?
Retest them after product, vendor, marketing, analytics, notice or backend changes.
Sources
- Digital Personal Data Protection Act, 2023 on India Code: https://www.indiacode.nic.in/handle/123456789/22037?view_type=browse
- MeitY Digital Personal Data Protection Rules, 2025 page: https://www.meity.gov.in/documents/act-and-policies/digital-personal-data-protection-rules-2025-gDOxUjMtQWa?pageTitle=Digital-Personal-Data-Protection-Rules-2025.pdf
This publication is general information and is not legal advice for a specific organisation or matter.
