
Consent Management Under DPDPA: Why Spreadsheets Won’t Survive an Inspection

Shashikant Kalsha

July 2, 2026


Ask most Indian businesses how they track user consent and the honest answer is some combination of a signup checkbox, a terms-of-service page, and — if anyone asks — a database column that says consent = true. Under the Digital Personal Data Protection Act, 2023, that answer is now a liability measured in crores.

What the law actually requires

Consent under the DPDPA must be free, specific, informed, unconditional, and unambiguous, signaled by a clear affirmative action. Unpacking each word reveals an operational requirement:

  • Free — no bundling consent with access to a service that doesn't need the data. "Accept all or leave" is out.
  • Specific — one consent per purpose. A single checkbox covering marketing, analytics, and third-party sharing fails.
  • Informed — every consent request must carry a notice describing the data, the purpose, how to withdraw, and how to complain; the notice must be available in English or any of the 22 scheduled Indian languages.
  • Unconditional and unambiguous — no pre-ticked boxes, no dark patterns, no consent inferred from silence or inactivity.

And the obligation that changes system design the most: withdrawal must be as easy as consent. When a user withdraws, processing must stop, downstream processors must be told, and data no longer needed must go — all provably.

The proof problem

Here is the question that kills spreadsheet-based compliance: *for any given user, at any given moment, can you prove what they consented to, when, through which notice text, in which language, and whether that consent is still valid?*

An inspection or a Data Protection Board inquiry will not ask whether you have a privacy policy. It will ask for the consent record behind a specific complaint — the notice version shown, the timestamp, the affirmative action taken, every purpose attached, and the full lifecycle since: renewals, expiries, withdrawals, and what your systems did about each. A spreadsheet cannot answer that. Neither can a boolean column. What answers it is a consent ledger: an append-only, tamper-evident record tied to notice versions and purposes, queryable in real time by every system that processes personal data.

Consent Managers arrive November 13, 2026

Phase 2 of the DPDP Rules activates Rule 4: Consent Managers — registered platforms through which individuals can give, review, and withdraw consent across many Data Fiduciaries from one place, on the account-aggregator pattern already familiar in Indian fintech.

From November 13, 2026, if you rely on consent, you should assume some of your users will manage it through a registered Consent Manager rather than your own UI. Your systems must be able to ingest externally managed consent state, honor withdrawals that arrive via API rather than your app, and keep your ledger consistent across both channels. Retrofitting that onto a checkbox architecture is far more expensive than building on a consent service from the start.

What good looks like

A DPDPA-grade consent architecture has five layers:

  1. Notice management — versioned notice text per purpose, in every language you serve, with an approval trail.
  2. Capture — consent recorded at the moment of affirmative action, across web, app, call center, and offline channels.
  3. A real-time consent check — a low-latency API every processing system calls before touching personal data. If the answer is no, processing stops.
  4. Lifecycle automation — renewal prompts, expiry, withdrawal propagation to internal systems and vendors.
  5. Evidence — every event hash-chained and exportable for an auditor or the Board.
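
A minimal sketch of the consent ledger from "The proof problem" together with layers 3 and 5 above (the consent check and hash-chained evidence). It is an added example, not code from Data Adhikaar or any other product; the class, field names, and sample events are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "prev" value for the first event in the chain

def _digest(body: dict) -> str:
    # Canonical JSON so the same event always hashes to the same value.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode()).hexdigest()

class ConsentLedger:
    """Append-only, hash-chained consent events (in-memory sketch)."""

    def __init__(self):
        self.events = []

    def append(self, user, purpose, action, notice_version, language, ts, expires=None):
        if action not in ("grant", "withdraw"):
            raise ValueError("unknown action")
        body = {"user": user, "purpose": purpose, "action": action,
                "notice_version": notice_version, "language": language,
                "ts": ts, "expires": expires,
                "prev": self.events[-1]["hash"] if self.events else GENESIS}
        self.events.append({**body, "hash": _digest(body)})

    def verify(self):
        """Return the index of the first broken link, or -1 if the chain is intact."""
        prev = GENESIS
        for i, ev in enumerate(self.events):
            body = {k: v for k, v in ev.items() if k != "hash"}
            if ev["prev"] != prev or _digest(body) != ev["hash"]:
                return i
            prev = ev["hash"]
        return -1

    def is_allowed(self, user, purpose, now):
        """Consent check: the last appended event for (user, purpose) up to `now` decides."""
        latest = None
        for ev in self.events:
            if ev["user"] == user and ev["purpose"] == purpose and ev["ts"] <= now:
                latest = ev
        if latest is None or latest["action"] != "grant":
            return False  # no record, or withdrawn: default deny
        return latest["expires"] is None or now < latest["expires"]

def demo_ledger():
    # Constructed sample events; timestamps are plain integers for readability.
    led = ConsentLedger()
    led.append("u1", "marketing", "grant", "v3", "hi", ts=1000, expires=5000)
    led.append("u1", "analytics", "grant", "v3", "hi", ts=1000)
    led.append("u1", "marketing", "withdraw", "v3", "hi", ts=2000)
    return led
```

The chain detects in-place edits to past events; detecting a wholesale rewrite additionally requires storing or signing the latest hash outside the ledger's own storage.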

Build it, or connect it

You can build this — several quarters of engineering plus permanent maintenance as rules evolve. Or you can connect it. Data Adhikaar by Qodequay Technologies ships consent as a fabric: the Sammati agent captures, refreshes, expires, and proves consent across channels; notices are drafted in English plus all 22 scheduled languages; consent checks run at p95 latency under 100 ms; and every event lands in a tamper-evident Evidence Vault. SDKs, 25+ connectors, and an MCP server mean the first passing consent check takes minutes, not months.

November 2026 is the consent deadline that matters. Run the free readiness assessment and find out how far your current consent stack is from provable.

General guidance on the DPDP Act, 2023 — not legal advice.


Shashikant Kalsha

As the CEO and Founder of Qodequay Technologies, I bring over 20 years of expertise in design thinking, consulting, and digital transformation. Our mission is to merge cutting-edge technologies like AI, Metaverse, AR/VR/MR, and Blockchain with human-centered design, serving global enterprises across the USA, Europe, India, and Australia. I specialize in creating impactful digital solutions, mentoring emerging designers, and leveraging data science to empower underserved communities in rural India. With a credential in Human-Centered Design and extensive experience in guiding product innovation, I’m dedicated to revolutionizing the digital landscape with visionary solutions.
