What Is Consent Fatigue Under DPDP Act 2023 §6?
Section 6 of India's Digital Personal Data Protection Act 2023 is unambiguous: consent must be free, specific, informed, and unambiguous. A data fiduciary cannot bury processing purposes in legalese, pre-tick boxes, or bundle unrelated consents into a single agreement. Every purpose must be stated plainly, and refusal must be as easy as acceptance.
In theory, this is a significant leap forward for data subjects. In practice, India's digital product ecosystem has developed a well-worn playbook of consent UX dark patterns that systematically erode each of those four requirements — and the regulatory framework hasn't yet caught up with enforcement at the interface layer.
Consent fatigue is the documented psychological phenomenon where users, overwhelmed by the volume and frequency of consent requests, begin to click "Accept All" reflexively, without reading. The consent remains technically valid but is substantively meaningless — the data subject never exercised a genuine choice.
Why India's Digital Landscape Has a Consent UX Problem
India's internet user base grew from roughly 560 million in 2020 to over 900 million in 2026. A large proportion of these users are first-generation smartphone owners interacting with apps — banking, UPI payments, e-commerce, health, and government services — that have imported consent patterns from Western GDPR-era design without adapting them to Indian language, literacy, and trust contexts.
The result is predictable: a 2025 survey by the Internet and Mobile Association of India found that over 74% of users reported accepting all permissions without reading, citing time pressure, small text, confusing language, or the belief that rejection would block access to the service. This is consent fatigue at scale.
- Pop-up banners appear before users can engage with the product, creating hostage dynamics
- Reject options are visually de-emphasised or buried in secondary menus
- Multiple consent requests are bundled — location, analytics, marketing, cross-company sharing — in a single click
- Consent for sensitive categories (biometrics, financial data) is mixed with benign requests
- Withdrawal mechanisms are absent, difficult to locate, or non-functional
What DPOs Need to Know: Valid Consent Has Four Requirements
For a DPO advising on product design, the statutory language translates into four concrete UX obligations that must be verified at every touchpoint where personal data is collected:
- Free — No service may be withheld solely because the data principal refuses non-essential processing. Consent cannot be a condition of access to core functionality.
- Specific — Each processing purpose must be listed individually. A single "Accept" button covering analytics, advertising, and cross-border transfer in one click violates specificity.
- Informed — The notice must explain what data is collected, for what purpose, for how long it will be retained, and with whom it will be shared — before the consent action.
- Unambiguous — Consent must be an affirmative act: a positive click, checkbox, or signature. Silence, pre-ticked boxes, scrolling past a banner, or continued use of a service do not constitute consent under the Act.
A DPO's consent review should go beyond checking that a consent form exists. It must evaluate whether the UX design allows a reasonable user to actually exercise the four-part standard — and whether the consent fatigue dynamics in the product flow systematically undermine that standard even when the legal text is compliant on paper.
How This Simulator Demonstrates the Problem
The simulation below presents you with 12 consent banners drawn from real-world Indian app patterns — covering cookies, AI personalisation, location data, financial profiling, biometrics, loyalty programme sharing, and cross-border data transfer. You will have 90 seconds to respond to all 12.
At the end, your Consent Hygiene Score measures how often you rejected or actively managed consent versus defaulting to acceptance. For DPOs and product teams, this score is less about your individual performance and more about what happens to hundreds of thousands of users interacting with your product every day under similar time pressure, on a small screen, while doing something else.
The scenario is deliberately uncomfortable. It is meant to be.