Consent vs deemed consent vs legitimate use under DPDP: clearing the confusion
At a glance
There are only two lawful routes to process personal data under India’s DPDP Act: consent (Section 6) and legitimate uses (Section 7). “Deemed consent” is not one of them — it was a term in the earlier 2022 draft Bill that was dropped from the enacted 2023 Act and replaced by the narrower “legitimate uses.” So if you’re relying on “deemed consent,” you’re relying on a concept that no longer exists in the law. The real question is: does a defined legitimate use apply, or do you need actual consent?
Educational resource only. This explains consent and legitimate uses under India’s Digital Personal Data Protection Act, 2023 (DPDP Act); it is not formal legal advice.
On this page
- Why “deemed consent” still confuses people
- The two routes that actually exist
- What changed from the 2022 draft
- How to tell which route you’re on
- FAQ
The situation
“Deemed consent” is still everywhere in privacy advice, templates, and internal policies — because it was a headline feature of the 2022 draft. But the law that actually passed uses different, narrower language. Businesses relying on the old term risk assuming a flexibility the enacted Act removed.
Why “deemed consent” still confuses people
It was real in the 2022 draft, so it lingers in everything written back then — but it isn’t in the law now. The 2022 draft Bill let a business assume (“deem”) consent in a broad set of situations, including loosely-defined ones like “public interest” and purposes a person could “reasonably be expected” to allow. That framing was widely discussed — and then changed. Content written in that window still references “deemed consent,” which is why the term outlives the concept.
The two routes that actually exist
Under the enacted Act, you either have consent, or you fit a defined legitimate use — there is no third “deemed” category.
- Consent. A free, specific, informed, unconditional, unambiguous opt-in to a stated purpose, by a clear affirmative action. The main route.
- Legitimate uses. A closed, defined list of situations where you can process without a consent box — for example, data a person voluntarily provides for an evident purpose, certain employment purposes, and specified state functions. It’s narrow and enumerated, not a catch-all.
If your processing doesn’t fit a listed legitimate use, consent is the rule.
What changed from the 2022 draft
The catch-alls were removed; the replacement is deliberately narrower. The enacted Act replaced “deemed consent” with “certain legitimate uses” and, importantly, dropped the broad “public interest” and “fair and reasonable purposes” grounds that made the 2022 version elastic. Some specific situations carried over, but the open-ended flexibility did not. The practical effect: you can rely less on “they’d obviously be fine with it” and must more often point to either real consent or a specific listed legitimate use.
How to tell which route you’re on
Ask whether a defined legitimate use squarely fits; if not, you need consent. A quick test for a given processing activity:
- Is it on the legitimate-use list? Does it clearly match a defined legitimate use (e.g. the person voluntarily gave the data for this evident purpose, or it’s a specified employment purpose)? If yes, you may not need a consent box — but the notice, security, and other duties still apply.
- If it’s a stretch, treat it as needing consent. “Probably counts” isn’t a legitimate use. When in doubt, get specific consent.
- Never call it “deemed consent.” Relying on a term the law removed is a red flag in any policy or template — update those.
FAQ
Does “deemed consent” still exist under the DPDP Act? No. It was in the 2022 draft Bill and was removed from the enacted 2023 Act, replaced by the narrower “legitimate uses.”
What’s the difference between consent and legitimate use? Consent is an opt-in you obtain for a stated purpose. A legitimate use is one of a defined, closed list of situations where the Act allows processing without a consent box — narrower, and not a catch-all.
Can I rely on “public interest” to process data without consent? Not as a general ground — the broad “public interest” and “fair and reasonable purposes” grounds from the 2022 draft were dropped. Only the specific listed legitimate uses apply.
My templates mention “deemed consent” — is that a problem? Yes, they’re out of date. Update them to reflect consent and the defined legitimate uses; relying on a removed concept is a compliance risk.
Related Articles
Reviewed by Confidential Dispatch Editorial Team
Last updated 14 July 2026
Not legal advice.