DPDP: Fresh Consent for Existing Customers?
Do existing customers need to provide fresh consent under India's DPDP Act? Get direct answers, actionable steps, and MBS service costs.
DPDP: Do Existing Customers Need Fresh Consent?
Yes, for specific data processing activities, existing customers will likely need to provide fresh, explicit consent under India’s Digital Personal Data Protection Act, 2023 (DPDP Act).
This isn't a blanket requirement for all data. The need for fresh consent hinges on the legality and scope of your current data processing activities when measured against the DPDP Act’s stricter standards. Sushant Pasumarty, founder of Meridian Bridge Strategy (MBS), elaborates below on what this means for Indian businesses.
The Current Enforcement Reality
While the DPDP Act is not yet fully enforced, businesses must prepare for a future where 'deemed consent' is significantly narrowed, and explicit, informed consent is the norm. The key shift is from an 'opt-out' to an 'opt-in' paradigm for many processing activities. Your existing customer data collected under previous legal frameworks may not meet the new DPDP standards for 'lawful purpose' and 'specific consent'.
What to Do for Existing Customers
To prepare for DPDP compliance regarding existing customer data, follow these steps:
- Data Inventory & Mapping: Understand every piece of personal data you hold for existing customers, where it came from, how it's used, and who has access. This is the foundational step.
- Lawful Basis Assessment: For each data processing activity, determine if your current basis (e.g., contract, legitimate interest, consent) aligns with the DPDP Act's definitions, particularly 'lawful purpose'.
- Consent Gap Analysis: Identify where existing consent mechanisms (if any) fall short of DPDP requirements. This includes clarity, specificity, revocability, and unbundled consent. Many legacy consents will not meet the new bar.
- Implement a Consent Management Platform (CMP): A robust CMP is essential to capture, manage, and track explicit consent granularly, especially for non-essential processing activities like marketing.
- Develop Re-Consent Strategies: Plan how you will approach existing customers to obtain fresh consent where necessary. This requires clear communication and a streamlined user experience to minimize friction and data loss.
- Review & Update Privacy Policies: Ensure your privacy notices clearly articulate data processing activities in plain language, detailing purposes, data types, and data fiduciary contact information.
The Cost of DPDP Compliance for Existing Customer Consent
MBS offers structured services to help Indian businesses address DPDP compliance, including the critical aspect of fresh consent for existing customers. These services are designed to provide clear deliverables and fixed price ranges.
| Tier | Includes | Price | Duration |
|---|---|---|---|
| Data Mapping | Map every personal data flow | ₹1.5L – ₹3L | 1-2 weeks |
| DPDP Readiness Audit | Data Mapping + Gap Analysis | ₹2L – ₹6L | 2-4 weeks |
| DPDP Workshop | Audit + Recommendations + 90-day roadmap | ₹5L – ₹10L | 4-6 weeks |
| Full DPDP Consulting | Workshop + Implementation + DPO + Readiness Opinion | ₹7L – ₹12L | 3-6 months |
Sushant Pasumarty and the MBS team tailor these engagements to your specific business needs. For instance, a Data Mapping engagement (starting at ₹1.5L) is often the first step to understand your existing customer data landscape, which informs any re-consent strategy.
When to Start
You should start immediately. Even without full enforcement, the principles of the DPDP Act are clear. Preparing your systems, processes, and customer communication strategies takes time. A phased approach, beginning with a Data Mapping exercise, allows for an efficient transition.
Your Next Step for DPDP Consent
Understanding your specific obligations for existing customer consent under the DPDP Act requires a detailed assessment of your current data practices. Meridian Bridge Strategy specializes in guiding Indian businesses through this process.
Frequently Asked Questions
Is 'deemed consent' still valid for existing customers under DPDP?
The DPDP Act significantly narrows the scope of 'deemed consent'. While it exists for certain 'legitimate uses', for most processing, especially marketing or analytics, explicit, informed consent will be required. Previous deemed consents under older laws may not meet DPDP standards.
What happens if I don't get fresh consent from existing customers?
Processing personal data without a valid lawful basis, including proper consent, could lead to non-compliance. This may result in significant penalties, reputational damage, and loss of customer trust once the DPDP Act is fully enforced.
How do I know which existing customer data needs fresh consent?
This requires a comprehensive Data Mapping and Lawful Basis Assessment. You need to identify all personal data, its purpose, and the legal basis for processing. Where the current basis doesn't meet DPDP's explicit consent requirements, fresh consent will be needed. MBS offers a 'DPDP Readiness Audit' (₹2L – ₹6L) to help with this.
Related Guides
DPDP Compliance: Mandatory for Indian Startups?
Indian startups need to know DPDP compliance. Get a direct answer, learn current enforcement realities, and see MBS service costs.
DPDP Fines for Small Businesses: What You Need to Know
Indian small businesses face DPDP fines up to ₹250 Cr. Learn direct answers, enforcement reality, and steps to comply.
DPDP Act: Foreign Companies in India – Guide by MBS
Does India's DPDP Act apply to your foreign company? Learn the applicability criteria, current enforcement, and compliance steps from Sushant Pasumarty of MBS.
Check Your DPDP Cost
Use the free calculator to estimate your compliance cost. Then book a call with Sushant to scope the right engagement.
Estimate My DPDP Cost →