Confidential Dispatch

How to handle consent withdrawal (business side): what your flow must allow

At a glance

When a customer withdraws consent under India’s DPDP Act, your business has to actually act on it: make withdrawal as easy as giving consent was, stop the processing that relied on that consent, tell any processors you shared the data with to stop too, and often move to delete the data. It also has to be findable and honoured promptly. This is the operator’s side of the withdrawal right — building the flow, not just the consumer clicking “unsubscribe.”

Educational resource only. This explains handling consent withdrawal on the business side under India’s Digital Personal Data Protection Act, 2023 (DPDP Act); it is not formal legal advice.

On this page

The situation

Taking consent is the part businesses design carefully; handling its withdrawal is the part they forget. But the withdrawal right is only real if your systems respond to it — and a withdrawal that’s ignored, or far harder than the opt-in was, is a compliance failure sitting in plain sight.

What the law requires of your flow

Withdrawal must be as easy as consent was, and available at any time. The Act makes withdrawal a right, and requires it to be as easy to withdraw as it was to give (Section 6). So if a customer opted in with one tap, you can’t force them through a week of emails or a phone queue to withdraw. Two design consequences follow immediately: the withdrawal route has to be easy to find, and it has to be comparably simple to use. Parity with the opt-in is the standard.

What has to happen when someone withdraws

A withdrawal has to actually change what you do with the data — not just log a preference. On withdrawal, your systems should:

  • Stop the processing that relied on that consent — promptly, not “at the next cycle.”
  • Move to delete the data where consent was the basis and no other lawful reason to keep it applies (the erasure duty).
  • Preserve what law requires — you can retain specific records a law obliges you to keep, but not everything “just in case.”
  • Confirm to the person that it’s done, where appropriate.
  • Keep the consent record updated — log that consent ended and when, so you can show you acted.

The failure mode to avoid: recording “unsubscribed” while the underlying processing quietly continues.

Don’t forget your processors

Your obligation to stop follows the data — including to the vendors you passed it to. If you shared the person’s data with processors (an email tool, a CRM, an analytics provider), withdrawal means those parties have to stop the relevant processing too, unless another lawful basis genuinely applies. That only works if your vendor contracts and integrations let you propagate a withdrawal — so build the signal to flow downstream, and make sure your Data Processing Agreements require processors to act on it. A withdrawal you honour internally but not with your vendors isn’t fully honoured.

Building the withdrawal flow

Design it as a first-class feature, mirroring your opt-in. Concretely:

  1. Expose it where users look — account settings, the message footer, your privacy/help section; not buried.
  2. Match the opt-in’s ease — same channel, similar number of steps.
  3. Map consent to processing so a withdrawal can actually switch off the right activities (this needs your consent records to be purpose-linked).
  4. Propagate to processors — trigger the stop signal to vendors holding the data.
  5. Trigger deletion where consent was the basis, and record it.
  6. Log and (where apt) confirm — an auditable trail that you acted, and when.

FAQ

How easy does consent withdrawal have to be? As easy as giving consent was. If opting in took one tap, withdrawal must be comparably simple and easy to find — not a harder, slower process.

What do I have to do when a customer withdraws consent? Stop the processing that relied on it, tell your processors to stop too, move to delete the data where consent was the basis (keeping only what law requires), and record that you acted.

Do my vendors have to stop too? Yes. Processors you shared the data with must stop the relevant processing unless another lawful basis applies. Your contracts and systems need to pass the withdrawal on.

Is unsubscribing the same as withdrawing consent? Not necessarily. An “unsubscribe” that only stops one message stream, while other processing continues, doesn’t fully honour a withdrawal. The flow must actually stop the processing the consent covered.

Reviewed by Confidential Dispatch Editorial Team

Last updated 14 July 2026

Not legal advice.