DPDPA Penalties Up to ₹250 Crore: The Real Cost of Waiting
July 2, 2026
Ask most Indian businesses how they track user consent and the honest answer is some combination of a signup checkbox, a terms-of-service page, and — if anyone asks — a database column that says consent = true. Under the Digital Personal Data Protection Act, 2023, that answer is now a liability measured in crores.
Consent under the DPDPA must be free, specific, informed, unconditional, and unambiguous, signaled by a clear affirmative action. Unpacking each word reveals an operational requirement:
And the obligation that changes system design the most: withdrawal must be as easy as consent. When a user withdraws, processing must stop, downstream processors must be told, and data no longer needed must go — all provably.
Here is the question that kills spreadsheet-based compliance: *for any given user, at any given moment, can you prove what they consented to, when, through which notice text, in which language, and whether that consent is still valid?*
An inspection or a Data Protection Board inquiry will not ask whether you have a privacy policy. It will ask for the consent record behind a specific complaint — the notice version shown, the timestamp, the affirmative action taken, every purpose attached, and the full lifecycle since: renewals, expiries, withdrawals, and what your systems did about each. A spreadsheet cannot answer that. Neither can a boolean column. What answers it is a consent ledger: an append-only, tamper-evident record tied to notice versions and purposes, queryable in real time by every system that processes personal data.
Phase 2 of the DPDP Rules activates Rule 4: Consent Managers — registered platforms through which individuals can give, review, and withdraw consent across many Data Fiduciaries from one place, on the account-aggregator pattern already familiar in Indian fintech.
From November 13, 2026, if you rely on consent, you should assume some of your users will manage it through a registered Consent Manager rather than your own UI. Your systems must be able to ingest externally managed consent state, honor withdrawals that arrive via API rather than your app, and keep your ledger consistent across both channels. Retrofitting that onto a checkbox architecture is far more expensive than building on a consent service from the start.
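The consent ledger described above, with events arriving from both the app and a Consent Manager, sketched as an added example (not code from the original article or from any product it names): a hash-chained, append-only log whose records carry notice version, language and channel, plus a point-in-time query. The field names, sample events and the grant/withdraw-only event model are assumptions; renewals and expiries are left out.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry

def _digest(prev_hash, event):
    # Canonical JSON so the same event always hashes to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

class ConsentLedger:
    def __init__(self):
        self.entries = []  # each entry: {"event": ..., "prev": ..., "hash": ...}

    def append(self, user, purpose, action, ts, notice_version, language, channel):
        # ts: ISO 8601 UTC string in one fixed format, so string order is time order.
        if self.entries and ts < self.entries[-1]["event"]["ts"]:
            raise ValueError("events must be appended in time order")
        event = {"user": user, "purpose": purpose, "action": action, "ts": ts,
                 "notice_version": notice_version, "language": language, "channel": channel}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"event": event, "prev": prev, "hash": _digest(prev, event)})

    def verify(self):
        """Index of the first entry that breaks the chain, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["event"]):
                return i
            prev = entry["hash"]
        return -1

    def state_at(self, user, purpose, ts):
        """Latest event for (user, purpose) at or before ts, or None."""
        if self.verify() != -1:
            raise RuntimeError("ledger failed integrity check")
        latest = None
        for entry in self.entries:
            ev = entry["event"]
            if (ev["user"], ev["purpose"]) == (user, purpose) and ev["ts"] <= ts:
                latest = ev
        return latest

def demo_ledger():
    # Constructed sample events; user id, purposes and notice versions are made up.
    led = ConsentLedger()
    led.append("u-1001", "marketing_email", "grant", "2026-01-05T10:00:00Z", "notice-v3", "hi", "web_app")
    led.append("u-1001", "order_fulfilment", "grant", "2026-01-05T10:00:00Z", "notice-v3", "hi", "web_app")
    led.append("u-1001", "marketing_email", "withdraw", "2026-03-01T08:30:00Z", "notice-v3", "hi", "consent_manager_api")
    return led
```

A hash chain makes edits detectable only if the latest hash is also kept somewhere the ledger's operator cannot rewrite, such as a separate write-once store.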
A DPDPA-grade consent architecture has five layers:
You can build this — several quarters of engineering plus permanent maintenance as rules evolve. Or you can connect it. Data Adhikaar by Qodequay Technologies ships consent as a fabric: the Sammati agent captures, refreshes, expires, and proves consent across channels; notices are drafted in English plus all 22 scheduled languages; consent checks run at p95 latency under 100 ms; and every event lands in a tamper-evident Evidence Vault. SDKs, 25+ connectors, and an MCP server mean the first passing consent check takes minutes, not months.
November 2026 is the consent deadline that matters. Run the free readiness assessment and find out how far your current consent stack is from provable.
General guidance on the DPDP Act, 2023 — not legal advice.