DPDP: Handling Consent Withdrawal in India

How to Handle Consent Withdrawal Under DPDP

Yes, Data Principals (individuals whose data is processed) have a clear right to withdraw their consent under the Digital Personal Data Protection (DPDP) Act. Your business must provide an easy, accessible mechanism for this withdrawal and cease processing their personal data upon receiving such a request.

This right is fundamental to the DPDP Act. It means you cannot simply collect consent once and assume indefinite permission. You must respect the Data Principal's ongoing control over their personal data.

What This Means Right Now

While the full enforcement date for DPDP is awaited, the principle of consent withdrawal is a core tenet that businesses must prepare for immediately. Failure to implement robust consent management systems, including withdrawal mechanisms, will lead to non-compliance when the Act is enforced.

The practical reality is that you need to be able to identify all personal data processed for a specific purpose, link it back to a consent record, and then cease that processing if consent is withdrawn. This requires a granular understanding of your data flows.

What You Actually Need to Do

1. Establish Clear Withdrawal Channels: Provide multiple, easily accessible ways for Data Principals to withdraw consent. This could be via a dedicated portal, email, phone, or even physical mail, depending on your business model.
2. Automate or Streamline Processing Cessation: Upon withdrawal, you must immediately cease processing the relevant personal data. This requires identifying all data associated with the withdrawn consent and ensuring no further processing occurs for that specific purpose.
3. Delete Data (Where Applicable): If consent was the sole lawful basis for processing, and no other legal obligation requires retention, you must delete the data. The DPDP Act grants Data Principals the Right to Erasure, which often accompanies consent withdrawal.
4. Communicate Impact of Withdrawal: Clearly inform the Data Principal of the consequences of their withdrawal. For example, if withdrawing consent means they can no longer access a specific service, this should be communicated transparently.
5. Maintain Records of Withdrawal: Keep a verifiable record of consent withdrawals, including the date, time, and the scope of data processing affected. This record is crucial for demonstrating compliance to the Data Protection Board of India (DPBI) if audited.

What It Costs to Implement Consent Withdrawal Mechanisms

Implementing robust consent withdrawal mechanisms under DPDP is not a standalone task. It requires understanding your data flows, identifying all processing activities reliant on consent, and building systems to manage these requests. This work is integrated into broader DPDP readiness initiatives.

Sushant Pasamarty of Meridian Bridge Strategy notes, "The cost largely depends on the complexity of your data ecosystem and how many processing activities rely solely on consent. Businesses with extensive customer data and multiple service lines will require more comprehensive solutions."

When to Start

Given that consent withdrawal is a foundational right under DPDP, you should start planning and implementing these mechanisms now. Retrofitting systems after enforcement will be more expensive and risk immediate penalties. Proactive preparation ensures a smoother transition.

Next Step

Understanding where and how Data Principals might withdraw consent, and what systems need to change, is a critical first step. Use our free calculator to get an initial estimate of your DPDP compliance costs, then book a call with Sushant Pasamarty to discuss your specific needs and scope the right engagement for your business.