What is verifiable consent under DPDP?

Pre-ticked boxes and buried opt-ins no longer qualify as valid consent under India's Digital Personal Data Protection Act (DPDP). The law requires verifiable consent — a higher standard that demands clear, explicit, and documented user agreement before collecting personal data.

What makes consent "verifiable"?

Verifiable consent means you can prove that a user gave explicit permission to collect their data. This requires three elements:

• Active affirmation— The user must take a clear action to consent. Pre-ticked boxes, scrolling past a notice, or continuing to use a service does not qualify.
• Specific purpose— Consent must be tied to specific purposes. "We may use your data for marketing and other purposes" is too broad.
• Revocability— Users must be able to withdraw consent as easily as they gave it. If it takes three clicks to opt in, it should take three clicks to opt out.

"If you can't prove a user consented, the consent is invalid."

What this means for legacy consent

Most products built before 2026 collected consent using methods that no longer meet DPDP standards. If your consent mechanism relied on any of the following, you need to re-obtain consent:

• Pre-ticked checkboxes during signup
• Passive acceptance (e.g., "By continuing to use this service...")
• Bundled consent (e.g., one checkbox for multiple purposes)
• Consent buried in lengthy terms and conditions

How to implement verifiable consent

Building a DPDP-compliant consent flow requires both interface changes and backend systems to record and manage consent.

1. Explicit opt-in UI— Use unchecked checkboxes that users must actively tick. Each checkbox should correspond to a specific purpose.
2. Consent timestamp logging— Record when consent was given, which version of your privacy notice the user saw, and which purposes they consented to.
3. Consent withdrawal mechanism— Build a user settings page where users can view and revoke their consent for specific purposes.
4. Audit trail— Maintain a log of all consent actions (granted, withdrawn, modified) for regulatory inspection.

This is not a document problem — it's an engineering problem.