Substantive consent obligations under the DPDP Act take effect on 13 May 2027. Rule 3 of the DPDP Rules 2025 sets out what a consent notice must contain, Rule 4 introduces the Consent Manager framework effective November 2026, and Section 6 of the Act sets out what valid consent looks like. The implementation is not a single banner — it is a chain that runs from the notice text, through the consent capture event, through the retained record, through the granular toggles per purpose, through the withdrawal mechanism, through the downstream-processor notification, and into the audit log. For a retail bank with consumer apps, web, branch journeys, partner channels, and IVR, each channel needs its own compliant flow, in English plus every Eighth Schedule language relevant to its customer base, with full audit traceability per channel. The checklist below covers the practitioner-side preparation for designing, deploying, and proving a compliant consent chain.
Notice Content under Rule 3
Notice is presented standalone and is understandable independently of any other document, including the privacy policy and the terms of service — per Rule 3(a)
Notice text uses clear and plain language; tested for comprehension with non-legal readers; no defensive legalese
Itemised list of every category of personal data being collected for this consent event — per Rule 3(b)(i); generic terms like “account information” rejected in favour of specific categories
Specified purpose for the processing of each category, with a specific description of the goods, services, or functions enabled — per Rule 3(b)(ii)
Communication link for the website or app provided in the notice — per Rule 3(c); link resolves to a live page hosted by the data fiduciary
Mechanism for withdrawal of consent published in the notice — per Rule 3(c)(i); friction of withdrawal demonstrably comparable to friction of giving consent
Mechanism for exercise of rights under Sections 11–14 published in the notice — per Rule 3(c)(ii)
Mechanism for filing a complaint with the data fiduciary's Grievance Officer published in the notice — per Rule 3(c)(iii)
Notice version controlled; each version retained alongside the consent records collected under it
Language Availability under the Eighth Schedule
Notice available in English
Notice available in every Eighth Schedule language relevant to the customer base; language list documented with the regional and demographic analysis that supports it
Language selector visible before the consent action, not after
Translation accuracy verified by qualified native-language reviewers; machine-translation-only outputs rejected for the consent notice
Translation of legal terms reviewed for fidelity to the regulatory meaning, not literal translation
Reverse-translation spot-checks performed for high-volume languages
Language preference of each data principal recorded and retained alongside the consent record, so the same language is used for subsequent rights-fulfilment communications
Consent Capture Mechanics under Section 6
Consent given by clear affirmative action of the data principal — per Section 6(1); inaction, silence, pre-ticked boxes, or implied consent not treated as consent
Consent free, specific, informed, and unconditional — per Section 6(1); reviewed against each of these four criteria item by item
Granular consent — separate toggles or affirmative actions per purpose; unrelated purposes not bundled into a single consent
Consent UI symmetric in friction: the accept path and the decline path have equal visual weight and an equal number of clicks; dark-pattern review documented
Service availability not conditioned on consent for purposes beyond what is necessary to provide the service — per Section 6(7)
Where consent is requested in the course of providing a service, the language and purpose are specific to that service, not blanket
Consent record captured with: timestamp, notice version shown, language displayed, data principal identifier, channel, device or IP metadata, granular choices made per purpose, method of capture (button click, biometric, IVR keypress)
Consent records retained per Rule 6 with minimum 1-year retention; longer retention defined where downstream regulatory obligations require it
Consent record tamper-evident; integrity controls applied to the consent log
Withdrawal Flow under Section 6(4)–(6) and Rule 3(c)(i)
Withdrawal mechanism accessible from the app or website within a path comparable in friction to the path that led to consent
Withdrawal does not require the data principal to log a complaint, contact a human, or navigate through a help centre when consent capture did not require any of these
Withdrawal granular per purpose: a data principal can withdraw consent for one purpose while retaining consent for another
Withdrawal effective without conditions; not subject to data fiduciary approval
Withdrawal does not invalidate the lawfulness of processing carried out before withdrawal — per Section 6(5); communications to data principals worded accordingly
Downstream processors notified of withdrawal where their processing depended on the withdrawn consent; processor-notification mechanism documented in vendor DPAs
Withdrawal triggers re-evaluation of retention under Rule 8; data no longer supported by a lawful basis is queued for erasure
Withdrawal event logged with timestamp, scope, downstream notifications issued, and resulting retention actions
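The consent-record and withdrawal-event items above list the fields each entry must carry and require the log to be tamper-evident. The following is an added example, not code from this page or from any product it names: an append-only, hash-chained consent ledger with per-purpose toggles, a point-in-time query that leaves pre-withdrawal processing lawful (Section 6(5)), and a verify routine that detects any edited, deleted or reordered entry. Field names and sample values are constructed; timestamps are assumed to be ISO-8601 UTC strings so they compare lexically.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash carried by the first event in an empty ledger


def _digest(event):
    # Canonical JSON of every field except the hash itself; prev_hash is inside
    # the body, so each digest commits to the whole chain before it.
    body = {k: v for k, v in event.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class ConsentLedger:
    """Append-only consent log; each event carries the hash of its predecessor."""

    def __init__(self):
        self.events = []

    def _append(self, event):
        event["prev_hash"] = self.events[-1]["hash"] if self.events else GENESIS
        event["hash"] = _digest(event)
        self.events.append(event)
        return event["hash"]

    def record_consent(self, principal, ts, channel, notice_version, language, purposes, method):
        # purposes: {purpose_id: True/False} exactly as chosen on the per-purpose toggles
        return self._append({"type": "consent", "principal": principal, "ts": ts,
                             "channel": channel, "notice_version": notice_version,
                             "language": language, "purposes": dict(purposes),
                             "method": method})

    def record_withdrawal(self, principal, ts, channel, purposes, processors_notified):
        # purposes: list of purpose_ids withdrawn; consent for other purposes is untouched
        return self._append({"type": "withdrawal", "principal": principal, "ts": ts,
                             "channel": channel, "purposes": list(purposes),
                             "processors_notified": list(processors_notified)})

    def consented_purposes(self, principal, at_ts=None):
        """Purposes with live consent for principal at at_ts (default: now)."""
        state = {}
        for e in self.events:
            if e["principal"] != principal or (at_ts is not None and e["ts"] > at_ts):
                continue
            if e["type"] == "consent":
                state.update(e["purposes"])
            else:  # withdrawal flips only the named purposes to False
                state.update({p: False for p in e["purposes"]})
        return {p for p, ok in state.items() if ok}

    def verify(self):
        """Recompute the chain; any edited, deleted or reordered event breaks it."""
        prev = GENESIS
        for e in self.events:
            if e["prev_hash"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

In production the per-event hash (or a periodic chain head) would additionally be signed or anchored outside the application's own database, so an operator with write access to the table cannot simply rewrite the chain.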
Consent Manager Framework under Rule 4
Awareness of Rule 4 effective date (November 2026) recorded at the leadership level; readiness plan owned by named accountable executive
Consent Manager interoperability assessment completed: technical interfaces, identity-resolution between data fiduciary records and Consent Manager records, conflict resolution between in-app consent and Consent Manager consent
Conflict-of-interest review of candidate Consent Managers documented — Rule 4 requires no conflict of interest with any Data Fiduciary registered with the Consent Manager
Consent Manager candidate's DPB registration status verified
Data flows between the data fiduciary and the Consent Manager mapped; data minimisation reviewed for each flow
Authentication mechanism for Consent Manager-mediated rights requests defined per First Schedule Part B
Audit trail of Consent Manager interactions retained: consent given via Consent Manager, modified, withdrawn, with timestamps and reconciliation to the data fiduciary's own consent log
Suspension or cancellation of Consent Manager registration by the DPB handled with continuity plan — the data fiduciary's underlying consent obligations do not lapse when the Consent Manager does
Children's Data and Special Categories under Rule 10
Age-gating technical measures implemented to detect and prevent processing of children's personal data without verifiable parental consent
Verifiable parental consent mechanism documented; verification method proportionate to processing risk
Prohibition on tracking, monitoring, profiling, or behavioural advertising directed at children embedded in product and ad-tech configuration
Vulnerable persons handling procedures documented where the data fiduciary processes data of persons under guardianship
Parental consent record retained on the same regime as adult consent; verification evidence retained with the consent record
Periodic review of children's data flows; flows that no longer require children's data classified for erasure under Rule 8
Channel-by-Channel Coverage
App channel — consent flow tested and audit-logged end to end
Web channel — consent flow tested and audit-logged end to end
Branch / in-person channel — consent capture method documented (paper, tablet, biometric, agent-recorded); evidence retention bridge to the digital consent log defined
Partner / agent channel — consent collected by partner reconciled to the data fiduciary's own log; partner contractually bound to Rule 3 notice standards
IVR / voicebot channel — consent script aligned to Rule 3 content; recording retained as the consent record
Chat / social channel — consent flow re-evaluated, given that consent through chat is rarely valid under Section 6 if not standalone and itemised
Migrated-user consent — for data principals whose consent was collected under the pre-DPDP regime, refresh strategy documented; lawful basis for continued processing identified
Channel-by-channel coverage gap analysis maintained; new channels added to the inventory before launch
DPDP Assurance Platform
Operationalise this checklist on the DPDP Assurance platform — purpose-built for Indian DPOs managing the full DPDP Act lifecycle.