Good vs bad consent notice, annotated
A consent notice, side by side
The same request done badly and well. Six things decide whether a DPDP consent notice actually holds — here is where each one lands.
Vague, catch-all purpose
“Our records and any other business purpose” isn’t a purpose. Consent has to name a specific use, so the person knows exactly what they’re agreeing to.
Pre-ticked and bundled
The box is already ticked and covers everything at once. Consent must be a free, specific action the person takes — not a default they have to undo.
No way to withdraw
There’s no way to take consent back and no one to contact. A notice should say how to withdraw and how to reach a grievance officer.
Specific, itemised purpose
One clear use, in plain words, with how long the data is kept. The person can see exactly what they’re agreeing to and for how long.
Unticked and specific
The box starts empty, so agreeing is a deliberate act — and it’s tied to that one purpose, not a bundle.
Easy to withdraw
It says how to withdraw consent and gives a contact, so the choice stays with the person after they’ve made it.
This is a mock. The firm name, email, and details shown are illustrative, not a real business.
Related reading
- What a legally valid consent notice looks like in India — with real examples — the full explainer this teardown illustrates.
- DPDP consent, explained — the underlying law a notice has to satisfy: free, specific, informed, unconditional, unambiguous.
- Pre-ticked boxes and good consent design — the design mistake behind pins 2 and 5.
- Granular vs bundled consent — why one “I agree to all” fails, and how to split by purpose.
- Consent vs deemed consent vs legitimate use — for when consent isn’t the right basis at all.
Reviewed by Confidential Dispatch Editorial Team
Last updated 10 July 2026
Not legal advice.