
Consent and Withdrawal Under DPDP: Practical Points for Businesses

Consent wording should be clear, linked to purpose and easy to act on when a user asks to withdraw.

Sunny G And Co. Editorial Team, 23 June 2026
Last updated 23 Jun 2026

Consent under DPDP is not a decorative checkbox. It should connect the person, the data, the purpose and the action being taken. If a user gives data for one purpose and the business quietly uses it for another, the risk starts there.

This article is written for websites, apps, HR teams, consultants, agencies, schools, clinics and businesses that collect digital personal data. Check the latest MeitY and PIB notifications before finalising legal wording, because DPDP implementation details can change through rules and notifications.

Consent should be clear, informed and linked to a purpose where consent is the basis for processing. The person should know what they are agreeing to. The business should also keep a record of how consent was taken and what happens if consent is withdrawn.

Purpose identified
        ↓
Notice shown in simple language
        ↓
User gives clear consent
        ↓
Business records consent
        ↓
Data used only for stated purpose
        ↓
User asks to withdraw / correct / delete
        ↓
Team records request and acts as per law and records policy

  • What data is being collected?
  • Why is it being collected?
  • Will it be used for calls, service delivery, billing, marketing, account creation or support?
  • Will it be shared with vendors, consultants, payment gateways, CRM tools or authorities?
  • How can the person withdraw consent or raise a request?
  • What happens after withdrawal, especially when records must be retained for law, tax, contract or dispute reasons?

| Situation | Consent / notice issue | Better practice |
| --- | --- | --- |
| Website consultation form | User gives phone/email for service enquiry | Say that the data will be used for callback and service guidance |
| Newsletter signup | User gives email for updates | Keep newsletter consent separate from service enquiry where possible |
| Job application | Candidate shares CV, phone, email and documents | Use candidate data notice and restrict access to HR/recruitment team |
| Student admission enquiry | Student or guardian shares contact and education details | Explain counselling, admission follow-up and record retention purpose |
| Customer KYC | PAN, identity or address document is collected | Collect at the right stage and restrict access |

Withdrawal is not only a legal line in the policy. Your team needs a working process.

  1. Receive request: user sends email, form request or written message.
  2. Identify record: match user with CRM, app, HR, billing or service record.
  3. Check reason and scope: is the user withdrawing marketing consent, service communication, account processing or something else?
  4. Check retention duties: some records may need to be kept for legal, tax, contract or dispute reasons.
  5. Act and record: update the system, restrict future use where required and keep a request log.
  6. Confirm response: send a short confirmation if appropriate.

  • Using one checkbox for privacy policy, terms, marketing and unrelated permissions.
  • Collecting documents before the business actually needs them.
  • Using vague wording like "for business purposes" without saying what the business will do.
  • Keeping no record of when and how consent was taken.
  • Not training the team on what to do when someone withdraws consent.
  • Continuing marketing messages after opt-out because the CRM and WhatsApp list were not updated.

What to record internally

  • date and time of consent, where available;
  • form, page, app screen or document through which consent was taken;
  • exact consent wording or version used;
  • purpose selected by the user;
  • withdrawal or correction requests;
  • action taken and date of action;
  • reason if some data cannot be deleted immediately due to legal or service record requirements.

Question and answer

Can consent be taken through a website checkbox?
Yes, a checkbox can be used where appropriate, but the wording should be clear and linked to purpose. Do not hide unrelated permissions inside one long sentence.

Can consent be withdrawn by email?
A business can provide an email route or another clear method. The important part is that the team knows how to identify the record and act on the request.

Does withdrawal mean every record must be deleted immediately?
Not always. Some records may need to be retained for legal, tax, contractual, service or dispute reasons. The action depends on the facts and current law.

Should marketing consent be separate?
Usually yes, because service communication and promotional communication are different uses. Keep the wording clear so the user is not misled.

  • List every form where consent is taken.
  • Check whether purpose is clear.
  • Separate service, marketing and account-related permissions where needed.
  • Keep version history of consent wording.
  • Prepare withdrawal handling steps.
  • Update CRM, WhatsApp, email and marketing lists after withdrawal.
  • Review the latest DPDP Rules before final implementation.

If your team cannot process withdrawal without confusion, the consent system is not ready yet. Fix the process before adding more checkboxes.
