
Consent Under DPDP Act Is Not a Checkbox

Sovio Consent — Verifiable, audit-ready consent records

The Checkbox Problem

Every Indian internet user has seen it: a pop-up asking for consent, a pre-ticked checkbox, and a vague privacy policy written in legal language that nobody reads. The user clicks “I agree” and the service proceeds to collect, process, and share their data.

This is not meaningful consent. It is performative consent.

The Digital Personal Data Protection Act 2023 was designed to change this. It requires that consent be free, specific, informed, unconditional, and unambiguous — with a clear purpose and the ability to withdraw. But the Act does not just change what consent means. It changes what organisations must be able to prove.

Under the DPDP Act, it is not enough to have obtained consent. You must be able to demonstrate that you obtained it, for what purpose, and that the individual was properly informed. This is where most organisations are unprepared.

Why the Current Practice Is Broken

Consent records today are not verifiable. Most organisations store consent as a database flag — a boolean field that says “user consented.” There is no proof of what the user was shown, what they agreed to, or when. If a regulator asks for evidence, a database flag is insufficient.

Consent withdrawal is not systemically enforced. When a user withdraws consent, most systems have no automated way to propagate that withdrawal to all data processors. The user’s data continues to be processed under a consent that no longer exists.

There is no immutable audit trail. Consent records can be altered, deleted, or lost without detection. In a regulatory inquiry, the absence of an immutable record is itself a compliance failure.

The data controller cannot prove purpose limitation. Even if consent was obtained, there is rarely a cryptographic linkage between the consent record and the actual data processing. Did the user agree to this specific use of their data, or did they agree to a blanket policy? Most organisations cannot answer this question with certainty.

The Conceptual Shift: From Consent as a Flag to Consent as a Credential

The shift is to treat consent as a verifiable credential — a cryptographically signed, tamper-evident record that proves what was consented to, by whom, and for what purpose.

This is not about adding a fancier checkbox. It is about changing the fundamental nature of the consent record.

A verifiable consent record includes:

  • The identity of the data subject (the user)
  • The identity of the data fiduciary (the organisation)
  • The specific purpose of data processing
  • The categories of data covered
  • The duration of consent
  • A timestamp of consent and withdrawal
  • A cryptographic signature that makes the record tamper-evident

The user holds a copy of this consent record. So does the organisation. So can the regulator. Any alteration is detectable.

The W3C Data Privacy Vocabulary (DPV) provides the standardised vocabulary for expressing these consent attributes in a machine-readable, interoperable format.
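As an added illustration of the record described above (example code written for this page, not Sovio's implementation), the Go program below builds a consent receipt carrying each of the listed attributes, has the data subject sign it with an Ed25519 key, and shows that a later edit of the purpose is caught on verification. The DID-style identifiers, the field names and the DPV-style purpose and category terms are constructed assumptions, not a prescribed schema.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ConsentReceipt holds the attributes a verifiable consent record needs.
// Field names and the DPV-style terms used below are this example's own choices.
type ConsentReceipt struct {
	DataSubject    string     `json:"dataSubject"`           // the user
	DataFiduciary  string     `json:"dataFiduciary"`         // the organisation
	Purposes       []string   `json:"purposes"`              // specific processing purposes
	DataCategories []string   `json:"dataCategories"`        // categories of data covered
	GrantedAt      time.Time  `json:"grantedAt"`             // timestamp of consent
	ExpiresAt      time.Time  `json:"expiresAt"`             // end of the consent duration
	WithdrawnAt    *time.Time `json:"withdrawnAt,omitempty"` // timestamp of withdrawal, if any
}

// SignedReceipt keeps the exact bytes that were signed beside the signature,
// so verification never depends on re-serialising the struct byte-for-byte.
type SignedReceipt struct {
	Payload   json.RawMessage `json:"payload"`
	Signature []byte          `json:"signature"`
}

// Sign serialises the receipt and signs it with the data subject's Ed25519 key.
// The user, the organisation and a regulator can each hold a copy of the result.
func Sign(r ConsentReceipt, priv ed25519.PrivateKey) (SignedReceipt, error) {
	payload, err := json.Marshal(r)
	if err != nil {
		return SignedReceipt{}, err
	}
	return SignedReceipt{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify checks the signature over the stored payload before trusting any field
// in it. Any change to purposes, categories or dates after signing fails here.
func Verify(s SignedReceipt, pub ed25519.PublicKey) (ConsentReceipt, error) {
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return ConsentReceipt{}, errors.New("consent receipt altered or not signed by this data subject")
	}
	var r ConsentReceipt
	if err := json.Unmarshal(s.Payload, &r); err != nil {
		return ConsentReceipt{}, err
	}
	return r, nil
}

// Tamper simulates an after-the-fact edit of a stored receipt: the payload text
// is changed while the original signature is kept.
func Tamper(s SignedReceipt, from, to string) SignedReceipt {
	return SignedReceipt{
		Payload:   json.RawMessage(strings.Replace(string(s.Payload), from, to, 1)),
		Signature: s.Signature,
	}
}

// Demo issues a constructed receipt, verifies it, then widens its purpose from
// service provision to marketing behind the user's back and verifies again.
func Demo() (originalOK, tamperedOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	granted := time.Date(2024, 6, 1, 10, 0, 0, 0, time.UTC)
	receipt := ConsentReceipt{
		DataSubject:    "did:example:user-7a3f", // constructed identifier
		DataFiduciary:  "did:example:acme-bank", // constructed identifier
		Purposes:       []string{"dpv:ServiceProvision"},
		DataCategories: []string{"dpv-pd:EmailAddress"},
		GrantedAt:      granted,
		ExpiresAt:      granted.AddDate(1, 0, 0), // one-year duration
	}
	signed, err := Sign(receipt, priv)
	if err != nil {
		panic(err)
	}
	_, errOriginal := Verify(signed, pub)
	edited := Tamper(signed, "dpv:ServiceProvision", "dpv:Marketing")
	_, errTampered := Verify(edited, pub)
	return errOriginal == nil, errTampered == nil
}

func main() {
	originalOK, tamperedOK := Demo()
	fmt.Println("original receipt verifies:", originalOK) // true
	fmt.Println("edited receipt verifies:  ", tamperedOK) // false
}
```

Storing the signed bytes verbatim sidesteps JSON canonicalisation, which is the usual source of spurious verification failures; a production system would carry the same attributes in a standard proof envelope (for instance W3C Verifiable Credentials with Data Integrity proofs) rather than this ad hoc one, and would typically have the data fiduciary countersign so that both parties' commitments are on record.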

How Sovio Consent Enables This

Sovio Consent is a decentralised consent management platform built on W3C DPV standards.

Verifiable consent receipts. Every consent action generates a verifiable credential — a consent receipt that serves as cryptographic proof of what was agreed. The receipt includes purpose, data categories, duration, and the user’s digital signature.

Granular consent controls. Users can consent to specific purposes (e.g., “use my email for transaction alerts but not marketing”), specific data categories, and specific durations. Organisations can define consent templates aligned to their processing activities.

Immutable audit trail. Every consent action — grant, modification, withdrawal — is recorded immutably. The audit trail is exportable in standard formats for regulatory reporting.

Automated consent lifecycle management. When consent expires or is withdrawn, the system propagates the change to all downstream data processors. Processing that continues after consent withdrawal is detectable and auditable.

DPDP Act alignment. Sovio Consent is designed around the DPDP Act’s requirements: notice, purpose limitation, data minimisation, consent withdrawal, and erasure. The verifiable receipt model provides the evidentiary standard that regulators expect.
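The immutable audit trail and the lifecycle checks described in this section, as an added example that is not Sovio's code: a hash-chained, append-only log of grant, modification and withdrawal events; a replay check that tells whether a given purpose was covered by consent at the moment a processor acted, so processing after a withdrawal is flagged; and a chain check that catches any rewriting of the log. The identifier, event names and DPV-style purpose terms are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Event is one audit-trail entry; Purposes is what remains consented to after
// the event, so a full withdrawal carries an empty list.
type Event struct {
	At       time.Time
	Subject  string
	Action   string   // "grant", "modify" or "withdraw"
	Purposes []string // purposes in force after this event
	PrevHash string   // hash of the previous entry, "" for the first
	Hash     string
}

// hashEvent covers every field including the previous hash, so editing or
// dropping any earlier entry invalidates every later one.
func hashEvent(e Event) string {
	h := sha256.New()
	fmt.Fprintf(h, "%s|%s|%s|%v|%s", e.At.UTC().Format(time.RFC3339), e.Subject, e.Action, e.Purposes, e.PrevHash)
	return hex.EncodeToString(h.Sum(nil))
}

// Trail is an append-only, hash-chained log of consent events.
type Trail struct{ Events []Event }

// Append records a new event linked to the previous one.
func (t *Trail) Append(at time.Time, subject, action string, purposes []string) {
	e := Event{At: at, Subject: subject, Action: action, Purposes: purposes}
	if n := len(t.Events); n > 0 {
		e.PrevHash = t.Events[n-1].Hash
	}
	e.Hash = hashEvent(e)
	t.Events = append(t.Events, e)
}

// VerifyChain recomputes every hash and link and returns the index of the
// first entry that does not check out, or -1 if the trail is intact.
func (t *Trail) VerifyChain() int {
	prev := ""
	for i, e := range t.Events {
		if e.PrevHash != prev || hashEvent(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Authorised replays the subject's events up to the processing time and answers
// whether the purpose was covered by consent at that moment.
func (t *Trail) Authorised(subject, purpose string, at time.Time) bool {
	allowed := false
	for _, e := range t.Events {
		if e.Subject != subject || e.At.After(at) {
			continue
		}
		allowed = false // the latest event at or before `at` decides
		for _, p := range e.Purposes {
			allowed = allowed || p == purpose
		}
	}
	return allowed
}

// Demo builds a constructed trail (grant, narrowing that drops marketing, full
// withdrawal), checks four processing records against it, then rewrites the
// withdrawal entry in place to show the chain check catching the edit.
func Demo() (unauthorised, intactAt, brokenAt int) {
	day := func(d, h int) time.Time { return time.Date(2024, 6, d, h, 0, 0, 0, time.UTC) }
	subj := "did:example:user-7a3f" // constructed identifier
	t := &Trail{}
	t.Append(day(1, 10), subj, "grant", []string{"dpv:ServiceProvision", "dpv:Marketing"})
	t.Append(day(3, 9), subj, "modify", []string{"dpv:ServiceProvision"}) // marketing withdrawn
	t.Append(day(5, 18), subj, "withdraw", nil)
	records := []struct {
		purpose string
		at      time.Time
	}{
		{"dpv:Marketing", day(2, 12)},       // covered by the grant
		{"dpv:Marketing", day(4, 8)},        // after marketing was withdrawn
		{"dpv:ServiceProvision", day(4, 8)}, // still covered
		{"dpv:ServiceProvision", day(6, 8)}, // after full withdrawal
	}
	for _, r := range records {
		if !t.Authorised(subj, r.purpose, r.at) {
			unauthorised++
		}
	}
	intactAt = t.VerifyChain()
	t.Events[2].Action = "modify" // rewrite history: the withdrawal now reads as a narrowing
	brokenAt = t.VerifyChain()
	return
}

func main() {
	u, intact, broken := Demo()
	fmt.Println("records outside consent:", u, "| intact trail:", intact, "| rewritten trail:", broken) // 2 -1 2
}
```

Replaying the trail against each processor's activity log is what makes "processing after withdrawal" an auditable finding rather than an assertion; the hash chain only proves the log has not been edited since it was written, so in practice its head hash is anchored somewhere the organisation cannot rewrite alone (a regulator-held copy, a transparency log or a signed timestamp).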

Who Should Care

  • Data protection officers and compliance teams who are responsible for demonstrating DPDP Act compliance. Verifiable consent records eliminate ambiguity in regulatory inquiries.
  • Healthcare organisations processing sensitive personal data where consent granularity is legally required and consent withdrawal must be enforced systemically.
  • Banks and financial institutions collecting consent for data sharing with third-party service providers, credit bureaus, and analytics partners.
  • Marketing and adtech platforms managing consent across multiple data processors, where consent withdrawal must cascade in real time.
  • Any organisation that processes personal data of Indian citizens and will be subject to DPDP Act enforcement.

The Bottom Line

The DPDP Act raises the bar for consent. It is no longer sufficient to have a checkbox and a privacy policy. Organisations must be able to prove that consent was obtained, specific, informed, and revocable — with an audit trail that regulators can verify.

Verifiable consent credentials provide that proof. They change consent from a liability exposure into a demonstrable compliance asset.


Sovio Consent provides verifiable consent receipts and DPDP Act-compliant consent lifecycle management. Book a demo to see how consent-as-credential works.
