What a legally valid consent notice looks like in India — with examples
Short answer
A valid consent notice under India’s DPDP Act is a plain-language statement, shown at the point of collection, that tells the person exactly what data you’re collecting, the specific purpose, how to withdraw consent, and how to raise a grievance (with you and the Data Protection Board). It’s paired with a specific, per-purpose opt-in — not a link to a long policy. Below is what it must contain and worked examples of a good notice versus a weak one.
Educational resource only. This explains how to write a DPDP consent notice under India’s Digital Personal Data Protection Act, 2023 (DPDP Act); it is not formal legal advice.
On this page
- What a consent notice must contain
- A good notice vs a weak one
- Plain-language rules for writing it
- Where the notice goes
- FAQ
The situation
Most businesses have a privacy policy; far fewer have a proper consent notice shown where data is actually collected. The notice is what makes consent “informed” — so a strong one, in the right place, is doing real legal work. This is the applied, how-to-write version; for the full list of required contents, see the notice pillar.
What a consent notice must contain
Four things, in plain language, at the moment of collection. The DPDP Act requires the notice (Section 5) to tell the person:
- What personal data you’re collecting;
- The purpose — specific, not “for business purposes”;
- How to withdraw consent (as easily as it was given); and
- How to raise a grievance — your contact, and the right to complain to the Data Protection Board of India.
It sits alongside the consent action itself (Section 6) — the notice informs, the opt-in agrees.
A good notice vs a weak one
The difference is specificity and honesty about purpose. Take a clinic collecting a phone number:
Weak: “By submitting this form you agree to our privacy policy and to us contacting you.” Why it fails: no specific data named, vague purpose (“contacting you”), consent bundled into submission, no withdrawal or grievance route.
Good: “We’re collecting your phone number to confirm and remind you about your appointment. We won’t use it for anything else without asking. You can withdraw this anytime by replying STOP or calling us on [number]. Questions or complaints: [grievance contact].” Why it works: names the data, states one specific purpose, promises no scope creep, gives an easy withdrawal route and a grievance contact.
For a form with two purposes:
“☐ Use my number to confirm my appointment. ☐ Send me occasional health tips and offers.” — two separate, unticked opt-ins, each naming its purpose. (More on this in the granular-consent guide.)
Plain-language rules for writing it
Write it for the person handing over the data, not for a lawyer. Practical rules:
- Name the data and the purpose plainly — “your PAN, to file your returns,” not “financial information for service delivery.”
- One purpose per line. If there are several uses, list them separately with their own opt-ins.
- Say how to withdraw, and make that route real.
- Keep it short and specific. A notice nobody reads has failed; brevity plus specificity is what gets read.
- Avoid dark patterns — no pre-ticked boxes, no “agree to continue,” no burying the real purpose.
- Offer it in a language the person understands where relevant — a notice the reader can’t follow isn’t “informed.”
Where the notice goes
On the collection point itself — not only in a policy page. The notice belongs where the data is entered: on the form, before the document upload, at the start of the chat, on the signup screen. A privacy policy in the footer is not a substitute; the person needs to see the relevant notice at the moment they act. Keep a record of the notice version shown, so you can later prove what the person was told.
FAQ
What must a DPDP consent notice include? What data you collect, the specific purpose, how to withdraw consent, and how to raise a grievance — in plain language, shown at the point of collection.
Is my privacy policy the same as a consent notice? No. A policy is a general document; a consent notice is the specific, plain-language statement shown where you collect the data, paired with the opt-in. You need the notice at collection.
Does the notice have to be in the local language? It has to be understandable to the person. Where your users read a particular language, offering the notice in it is what keeps consent genuinely “informed.”
Can one notice cover several purposes? It can list them — but each purpose needs its own specific opt-in, not one blanket agreement. See the granular-consent guide.
Related reading
- What a DPDP privacy notice must contain — the full required-contents list.
- DPDP consent, explained — the consent standard the notice supports.
- Consent-at-capture: getting consent at the point of collection — where the notice is shown.
- Granular vs bundled consent — handling multiple purposes in one notice.
- Pre-ticked boxes and good consent design — the design rules the examples follow.
Reviewed by Confidential Dispatch Editorial Team
Last updated 9 July 2026
Not legal advice.