{"id":380677,"date":"2026-04-10T10:00:43","date_gmt":"2026-04-10T04:30:43","guid":{"rendered":"https:\/\/www.scconline.com\/blog\/?p=380677"},"modified":"2026-04-10T09:39:09","modified_gmt":"2026-04-10T04:09:09","slug":"consent-governance-dpdp-act-most-misread-obligation","status":"publish","type":"post","link":"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/","title":{"rendered":"Consent as Governance: Understanding DPDP&#8217;s Most Misread Obligation"},"content":{"rendered":"<div style=\"text-align: justify; line-height: 150%;\">\n<p style=\"margin-bottom: 3%; text-align: center; font-style: italic;\">The DPDP framework treats consent as a continuing legal relationship between the data principal and the data fiduciary.<\/p>\n<p style=\"margin-bottom: 3%;\">Consent is usually the first word that appears in any data protection discussion and often the first concept businesses assume they already understand. Under India&#8217;s <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593555\">Digital Personal Data Protection Act, 2023<\/a> (DPDP Act<!-- XML to hyperlink the Act throughout in fn as well -->), however, consent is intentionally designed to be more demanding than a checkbox, more consequential than a policy statement, and far more difficult to implement than most organisations expect.<\/span><\/p>\n<p style=\"margin-bottom: 3%;\">The DPDP framework treats consent as a continuing legal relationship between the data principal and the data fiduciary. It is built on clarity, control, and accountability, not on convenience. Yet in many organisations, consent still lives almost entirely inside onboarding flows and privacy notices. That is where compliance risk begins &#8212; quietly, structurally, and often unnoticed until enforcement scrutiny arrives.<\/p>\n<p style=\"margin-bottom: 3%;\">The Act permits processing of digital personal data only for a lawful purpose, most commonly on the basis of consent.<a id=\"fnref1\" href=\"#fn1\" title=\"1. DPDP Act, S. 4.\"><sup>1<\/sup><\/a> But the quality of consent matters. It must be free, specific, informed, unconditional, and unambiguous, expressed through a clear affirmative action.<a id=\"fnref2\" href=\"#fn2\" title=\"2. DPDP Act, S. 6(1).\"><sup>2<\/sup><\/a> These are not abstract standards. The Act itself illustrates their practical meaning. Where a telemedicine app seeks consent both to provide medical services and to access a user&#8217;s contact list, the latter consent is invalid if it is not necessary for the stated purpose.<a id=\"fnref3\" href=\"#fn3\" title=\"3. DPDP Act, S. 6(1), Illustration (telemedicine app).\"><sup>3<\/sup><\/a> The takeaway for businesses is simple: Consent cannot be broader than necessity.<\/p>\n<p style=\"margin-bottom: 3%;\">Equally important is what happens after consent is obtained. Under the DPDP Act, consent is not permanent. A data principal has the right to withdraw consent at any time, and withdrawal must be as easy as giving consent.<a id=\"fnref4\" href=\"#fn4\" title=\"4. DPDP Act, S. 6(4).\"><sup>4<\/sup><\/a> The Act balances this right with operational realism. If a user places an order on an e-commerce platform and later withdraws consent, the platform may stop enabling future use but can continue processing data strictly to fulfil the already paid transaction.<a id=\"fnref5\" href=\"#fn5\" title=\"5. DPDP Act, S. 6(5), Illustration (e-commerce transaction).\"><sup>5<\/sup><\/a> Consent withdrawal governs future processing; it does not undo completed obligations.<\/p>\n<p style=\"margin-bottom: 3%;\">Where most organisations struggle is not at the moment of collection, but at the moment of withdrawal. Modern data environments are fragmented. Personal data flows across internal systems, shared platforms, backups, analytics tools, and external processors. The DPDP Act is clear that once consent is withdrawn, the data fiduciary must cease processing and erase personal data unless retention is required by another law.<a id=\"fnref6\" href=\"#fn6\" title=\"6. DPDP Act, S. 6(6) read with S. 8(7).\"><sup>6<\/sup><\/a> The law&#8217;s illustrations make this tangible. When a user sells a car through an online marketplace and the transaction is complete, the platform must no longer retain the user&#8217;s personal data.<a id=\"fnref7\" href=\"#fn7\" title=\"7. DPDP Act, S. 8(7), Illustration (online marketplace).\"><sup>7<\/sup><\/a> The purpose has ended. The data must exit active use.<\/p>\n<p style=\"margin-bottom: 3%;\">At the same time, the Act recognises that erasure is not absolute. Where retention is required under another law such as banking or financial regulations, personal data may be retained for the mandated period.<a id=\"fnref8\" href=\"#fn8\" title=\"8. DPDP Act, S. 8(7), Illustration (bank account closure).\"><sup>8<\/sup><\/a> This reflects a practical compliance reality. DPDP does not require blind deletion, but it does require disciplined boundaries. Retained data cannot be repurposed simply because it still exists.<\/p>\n<p style=\"margin-bottom: 3%;\">The <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9002981468\">Digital Personal Data Protection Rules, 2025<\/a> (<a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9002981468\"><span class=\"Hyperlink\" style=\"text-decoration: underline; text-underline-style: solid; text-underline-mode: continuous;\">DPDP Rules)<\/span><\/a> reinforce this governance-centric approach. Consent notices must be clear and understandable, not buried in dense legal text.<a id=\"fnref9\" href=\"#fn9\" title=\"9. DPDP Rules, R. 3.\"><sup>9<\/sup><\/a> Withdrawal must be operationally feasible, not theoretically available. Where data is shared with processors, fiduciaries must ensure that erasure and cessation obligations extend downstream.<a id=\"fnref10\" href=\"#fn10\" title=\"10. DPDP Rules, R. 8.\"><sup>10<\/sup><\/a> These requirements expose a common gap: Organisations often have policies that say the right things, but systems that cannot execute them consistently. In practice, organisations that proactively test their consent workflows rather than relying on documentation alone are significantly better placed during regulatory review.<\/p>\n<p style=\"margin-bottom: 3%;\">A further shift under DPDP is evidentiary. Where consent is the basis of processing and a dispute arises, the burden lies on the data fiduciary to prove that valid notice was given and lawful consent was obtained.<a id=\"fnref11\" href=\"#fn11\" title=\"11. DPDP Act, S. 6(10).\"><sup>11<\/sup><\/a> Consent is therefore no longer just permission it is proof. Businesses that cannot trace consent across systems, versions, and time-frames will find this difficult to defend.<\/p>\n<p style=\"margin-bottom: 3%;\">Consent obligations under DPDP also sit alongside existing Indian laws. The <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-0002796572\">Information Technology Act, 2000<\/a> continues to impose liability for failure to maintain reasonable security practices and for unlawful disclosure of personal data. Sector-specific regulations in banking, fintech, healthcare, and telecom may mandate retention or disclosures that coexist with DPDP obligations. Effective compliance lies in reconciling these regimes, not treating DPDP in isolation.<\/p>\n<p style=\"margin-bottom: 3%;\">For leadership teams, the real implication of DPDP consent is cultural rather than textual. Compliance does not fail because a clause was missing. It fails when governance, technology, and accountability do not align. Organisations that embed consent into product design, data architecture, vendor management, and internal decision-making will be far better positioned as enforcement matures.<\/p>\n<p style=\"margin-bottom: 3%;\">Ultimately, the DPDP framework redefines consent as a matter of governance rather than documentation. The law does not reward eloquent privacy policies; it tests whether consent can be operationalised, evidenced, and enforced across systems and decision-making layers. As regulatory scrutiny increases, the true measure of compliance will lie in an organisation&#8217;s ability to demonstrate discipline knowing precisely when data may be processed, when it must cease, and who is accountable at each stage. Consent, under DPDP, is therefore not about permission alone; it is about control exercised responsibly and provably over time.<\/p>\n<\/div>\n<hr\/>\n<p style=\"margin-left: 18pt; text-indent: -18pt;\"><strong><span style=\"color: #000080;\">*Lawyer, Data Privacy, Intellectual Property &amp; IT Laws, Corporate Law, Consumer &amp; Labour Laws, Legal Compliance &amp; Advisory, Disputes Resolution &amp; Litigation. Author can be reached at: <a href=\"mailto:rohinisjadhao@gmail.com\">rohinisjadhao@gmail.com<\/a>.<\/span><\/strong><\/p>\n<p style=\"margin-left: 18pt; text-indent: -18pt;\"><a id=\"fn1\" href=\"#fnref1\">1.<\/a> <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593555\" target=\"_blank\">DPDP Act<\/a>, S. <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593482\"><span class=\"Hyperlink\" style=\"text-decoration: underline; text-underline-style: solid; text-underline-mode: continuous;\">4<\/span><\/a>.<\/p>\n<p style=\"margin-left: 18pt; text-indent: -18pt;\"><a id=\"fn2\" href=\"#fnref2\">2.<\/a> <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593555\" target=\"_blank\">DPDP Act<\/a>, S. <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593489\"><span class=\"Hyperlink\" style=\"text-decoration: underline; text-underline-style: solid; text-underline-mode: continuous;\">6(1)<\/span><\/a>.<\/p>\n<p style=\"margin-left: 18pt; text-indent: -18pt;\"><a id=\"fn3\" href=\"#fnref3\">3.<\/a> <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593555\" target=\"_blank\">DPDP Act<\/a>, S. <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593489\"><span class=\"Hyperlink\" style=\"text-decoration: underline; text-underline-style: solid; text-underline-mode: continuous;\">6(1)<\/span><\/a>, <span style=\"font-style: italic;\">Illustration<\/span> (telemedicine app).<\/p>\n<p style=\"margin-left: 18pt; text-indent: -18pt;\"><a id=\"fn4\" href=\"#fnref4\">4.<\/a> <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593555\" target=\"_blank\">DPDP Act<\/a>, S. <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593489\">6(4)<\/a>.<\/p>\n<p style=\"margin-left: 18pt; text-indent: -18pt;\"><a id=\"fn5\" href=\"#fnref5\">5.<\/a> <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593555\" target=\"_blank\">DPDP Act<\/a>, S. <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593489\">6(5)<\/a>, <span style=\"font-style: italic;\">Illustration<\/span> (e-commerce transaction).<\/p>\n<p style=\"margin-left: 18pt; text-indent: -18pt;\"><a id=\"fn6\" href=\"#fnref6\">6.<\/a> <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593555\" target=\"_blank\">DPDP Act<\/a>, S. <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593489\">6(6)<\/a> read with S. <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593491\">8(7)<\/a>.<\/p>\n<p style=\"margin-left: 18pt; text-indent: -18pt;\"><a id=\"fn7\" href=\"#fnref7\">7.<\/a> <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593555\" target=\"_blank\">DPDP Act<\/a>, S. <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593491\">8(7)<\/a>, <span style=\"font-style: italic;\">Illustration<\/span> (online marketplace).<\/p>\n<p style=\"margin-left: 18pt; text-indent: -18pt;\"><a id=\"fn8\" href=\"#fnref8\">8.<\/a> <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593555\" target=\"_blank\">DPDP Act<\/a>, S. <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593491\">8(7)<\/a>, <span style=\"font-style: italic;\">Illustration<\/span> (bank account closure).<\/p>\n<p style=\"margin-left: 18pt; text-indent: -18pt;\"><a id=\"fn9\" href=\"#fnref9\">9.<\/a> <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9002981468\">DPDP Rules<\/a>, R. 3.<\/p>\n<p style=\"margin-left: 18pt; text-indent: -18pt;\"><a id=\"fn10\" href=\"#fnref10\">10.<\/a> <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9002981468\">DPDP Rules<\/a>, R. 8.<\/p>\n<p style=\"margin-left: 18pt; text-indent: -18pt;\"><a id=\"fn11\" href=\"#fnref11\">11.<\/a> <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593555\" target=\"_blank\">DPDP Act<\/a>, S. <a href=\"https:\/\/www.scconline.com\/DocumentLink.aspx?q=JTXT-9001593489\">6(10)<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>by Rohini Jadhao*<\/p>\n","protected":false},"author":67011,"featured_media":380679,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[42503,1191],"tags":[102120,102121,102119,102122,102118],"class_list":["post-380677","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-legal-analysis","category-op-ed","tag-consent-withdrawal-under-dpdp-act","tag-data-fiduciary-consent-governance-india","tag-digital-personal-data-protection-act-consent-analysis","tag-dpdp-compliance-consent-requirements","tag-dpdp-consent-obligations-india"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.4 (Yoast SEO v26.4) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Consent as Governance under the DPDP Act: Understanding India&#039;s Most Misread Obligation<\/title>\n<meta name=\"description\" content=\"A doctrinal analysis of consent under the Digital Personal Data Protection Act, 2023 covering withdrawal, erasure, notice obligations, and governance responsibilities.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Consent as Governance: Understanding DPDP&#039;s Most Misread Obligation\" \/>\n<meta property=\"og:description\" content=\"A doctrinal analysis of consent under the Digital Personal Data Protection Act, 2023 covering withdrawal, erasure, notice obligations, and governance responsibilities.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/\" \/>\n<meta property=\"og:site_name\" content=\"SCC Times\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/scc.online\/\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-10T04:30:43+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2026\/04\/DPDP-Consent-Governance-India.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"886\" \/>\n\t<meta property=\"og:image:height\" content=\"590\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Editor\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Consent as Governance: Understanding DPDP&#039;s Most Misread Obligation\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Editor\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/\",\"url\":\"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/\",\"name\":\"Consent as Governance under the DPDP Act: Understanding India's Most Misread Obligation\",\"isPartOf\":{\"@id\":\"https:\/\/www.scconline.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2026\/04\/DPDP-Consent-Governance-India.webp\",\"datePublished\":\"2026-04-10T04:30:43+00:00\",\"author\":{\"@id\":\"https:\/\/www.scconline.com\/blog\/#\/schema\/person\/84e42bab48238baf12c7e33b3d9761fe\"},\"description\":\"A doctrinal analysis of consent under the Digital Personal Data Protection Act, 2023 covering withdrawal, erasure, notice obligations, and governance responsibilities.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/#primaryimage\",\"url\":\"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2026\/04\/DPDP-Consent-Governance-India.webp\",\"contentUrl\":\"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2026\/04\/DPDP-Consent-Governance-India.webp\",\"width\":886,\"height\":590,\"caption\":\"DPDP Consent Governance India\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.scconline.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Consent as Governance: Understanding DPDP&#8217;s Most Misread Obligation\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.scconline.com\/blog\/#website\",\"url\":\"https:\/\/www.scconline.com\/blog\/\",\"name\":\"SCC Times\",\"description\":\"Bringing you the Best Analytical Legal News\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.scconline.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.scconline.com\/blog\/#\/schema\/person\/84e42bab48238baf12c7e33b3d9761fe\",\"name\":\"Editor\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.scconline.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/34e366be721c41333586de05faa13743195f5b142dcd7a015c6fabd2389521d0?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/34e366be721c41333586de05faa13743195f5b142dcd7a015c6fabd2389521d0?s=96&d=mm&r=g\",\"caption\":\"Editor\"},\"url\":\"https:\/\/www.scconline.com\/blog\/post\/author\/editor_4\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Consent as Governance under the DPDP Act: Understanding India's Most Misread Obligation","description":"A doctrinal analysis of consent under the Digital Personal Data Protection Act, 2023 covering withdrawal, erasure, notice obligations, and governance responsibilities.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/","og_locale":"en_US","og_type":"article","og_title":"Consent as Governance: Understanding DPDP's Most Misread Obligation","og_description":"A doctrinal analysis of consent under the Digital Personal Data Protection Act, 2023 covering withdrawal, erasure, notice obligations, and governance responsibilities.","og_url":"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/","og_site_name":"SCC Times","article_publisher":"https:\/\/www.facebook.com\/scc.online\/","article_published_time":"2026-04-10T04:30:43+00:00","og_image":[{"width":886,"height":590,"url":"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2026\/04\/DPDP-Consent-Governance-India.jpg","type":"image\/jpeg"}],"author":"Editor","twitter_card":"summary_large_image","twitter_title":"Consent as Governance: Understanding DPDP's Most Misread Obligation","twitter_misc":{"Written by":"Editor","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/","url":"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/","name":"Consent as Governance under the DPDP Act: Understanding India's Most Misread Obligation","isPartOf":{"@id":"https:\/\/www.scconline.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/#primaryimage"},"image":{"@id":"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/#primaryimage"},"thumbnailUrl":"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2026\/04\/DPDP-Consent-Governance-India.webp","datePublished":"2026-04-10T04:30:43+00:00","author":{"@id":"https:\/\/www.scconline.com\/blog\/#\/schema\/person\/84e42bab48238baf12c7e33b3d9761fe"},"description":"A doctrinal analysis of consent under the Digital Personal Data Protection Act, 2023 covering withdrawal, erasure, notice obligations, and governance responsibilities.","breadcrumb":{"@id":"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/#primaryimage","url":"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2026\/04\/DPDP-Consent-Governance-India.webp","contentUrl":"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2026\/04\/DPDP-Consent-Governance-India.webp","width":886,"height":590,"caption":"DPDP Consent Governance India"},{"@type":"BreadcrumbList","@id":"https:\/\/www.scconline.com\/blog\/post\/2026\/04\/10\/consent-governance-dpdp-act-most-misread-obligation\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.scconline.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Consent as Governance: Understanding DPDP&#8217;s Most Misread Obligation"}]},{"@type":"WebSite","@id":"https:\/\/www.scconline.com\/blog\/#website","url":"https:\/\/www.scconline.com\/blog\/","name":"SCC Times","description":"Bringing you the Best Analytical Legal News","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.scconline.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.scconline.com\/blog\/#\/schema\/person\/84e42bab48238baf12c7e33b3d9761fe","name":"Editor","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.scconline.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/34e366be721c41333586de05faa13743195f5b142dcd7a015c6fabd2389521d0?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/34e366be721c41333586de05faa13743195f5b142dcd7a015c6fabd2389521d0?s=96&d=mm&r=g","caption":"Editor"},"url":"https:\/\/www.scconline.com\/blog\/post\/author\/editor_4\/"}]}},"jetpack_featured_media_url":"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2026\/04\/DPDP-Consent-Governance-India.webp","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":299820,"url":"https:\/\/www.scconline.com\/blog\/post\/2023\/08\/22\/indias-digital-personal-data-protection-act-2023-impact-on-hospitality-sector\/","url_meta":{"origin":380677,"position":0},"title":"India&#8217;s Digital Personal Data Protection Act, 2023 \u2014 Impact on Hospitality Sector","author":"Bhumika Indulia","date":"August 22, 2023","format":false,"excerpt":"by Supratim Chakraborty\u2020 and Himeli Chatterjee\u2020\u2020 Cite as: 2023 SCC OnLine Blog Exp 68","rel":"","context":"In &quot;Experts Corner&quot;","block_context":{"text":"Experts Corner","link":"https:\/\/www.scconline.com\/blog\/post\/category\/experts_corner\/"},"img":{"alt_text":"india digital personal data protection act 2023","src":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2023\/08\/india-digital-personal-data-protection-act-2023.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2023\/08\/india-digital-personal-data-protection-act-2023.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2023\/08\/india-digital-personal-data-protection-act-2023.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2023\/08\/india-digital-personal-data-protection-act-2023.webp?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":339887,"url":"https:\/\/www.scconline.com\/blog\/post\/2025\/01\/28\/indias-leap-towards-an-era-of-privacy-meity-releases-draft-digital-personal-data-protection-dpdp-rules\/","url_meta":{"origin":380677,"position":1},"title":"India&#8217;s Leap Towards an Era of Privacy: MeitY Releases Draft Digital Personal Data Protection (DPDP) Rules","author":"Bhumika Indulia","date":"January 28, 2025","format":false,"excerpt":"by Harsh Walia* and Vanshika Lal**","rel":"","context":"In &quot;Experts Corner&quot;","block_context":{"text":"Experts Corner","link":"https:\/\/www.scconline.com\/blog\/post\/category\/experts_corner\/"},"img":{"alt_text":"Draft Digital Personal Data Protection Rules","src":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/01\/Draft-Digital-Personal-Data-Protection-Rules-1.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/01\/Draft-Digital-Personal-Data-Protection-Rules-1.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/01\/Draft-Digital-Personal-Data-Protection-Rules-1.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/01\/Draft-Digital-Personal-Data-Protection-Rules-1.webp?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":371058,"url":"https:\/\/www.scconline.com\/blog\/post\/2025\/12\/26\/digital-personal-data-protection-rules-2025-key-highlights\/","url_meta":{"origin":380677,"position":2},"title":"Digital Personal Data Protection (DPDP) Rules, 2025: Key Highlights of the Newly Notified Framework","author":"Editor","date":"December 26, 2025","format":false,"excerpt":"Ashish Deep Verma*","rel":"","context":"In &quot;Op Eds&quot;","block_context":{"text":"Op Eds","link":"https:\/\/www.scconline.com\/blog\/post\/category\/op-ed\/legal-analysis\/"},"img":{"alt_text":"Digital Personal Data Protection Rules 2025","src":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/12\/Digital-Personal-Data-Protection-Rules-2025.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/12\/Digital-Personal-Data-Protection-Rules-2025.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/12\/Digital-Personal-Data-Protection-Rules-2025.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/12\/Digital-Personal-Data-Protection-Rules-2025.webp?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":334827,"url":"https:\/\/www.scconline.com\/blog\/post\/2024\/11\/11\/digital-personal-data-protection-act-2023-employers-guide\/","url_meta":{"origin":380677,"position":3},"title":"Digital Personal Data Protection Act, 2023: A Ready Reckoner for Employers","author":"Bhumika Indulia","date":"November 11, 2024","format":false,"excerpt":"by Avik Biswas*, Supratim Chakraborty**, Sumantra Bose*** and Ivana Chatterjee****","rel":"","context":"In &quot;Experts Corner&quot;","block_context":{"text":"Experts Corner","link":"https:\/\/www.scconline.com\/blog\/post\/category\/experts_corner\/"},"img":{"alt_text":"DPDP Act employers guide","src":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2024\/11\/DPDP-Act-employers-guide.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2024\/11\/DPDP-Act-employers-guide.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2024\/11\/DPDP-Act-employers-guide.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2024\/11\/DPDP-Act-employers-guide.webp?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":313336,"url":"https:\/\/www.scconline.com\/blog\/post\/2024\/02\/07\/preparing-for-a-new-data-protection-regime\/","url_meta":{"origin":380677,"position":4},"title":"Preparing for a New Data Protection Regime","author":"Bhumika Indulia","date":"February 7, 2024","format":false,"excerpt":"by Sohini Banerjee\u2020 and Anmol Bharuka\u2020\u2020 Cite as: 2024 SCC OnLine Blog Exp 14","rel":"","context":"In &quot;Experts Corner&quot;","block_context":{"text":"Experts Corner","link":"https:\/\/www.scconline.com\/blog\/post\/category\/experts_corner\/"},"img":{"alt_text":"new data protection regime","src":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2024\/02\/new-data-protection-regime.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2024\/02\/new-data-protection-regime.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2024\/02\/new-data-protection-regime.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2024\/02\/new-data-protection-regime.webp?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":366711,"url":"https:\/\/www.scconline.com\/blog\/post\/2025\/11\/14\/meity-notified-digital-personal-data-protection-rules-2025\/","url_meta":{"origin":380677,"position":5},"title":"Your Complete Guide to Digital Personal Data Protection Rules, 2025","author":"Shubhi","date":"November 14, 2025","format":false,"excerpt":"Gov has notified the DPDP Rules to establish a robust framework for privacy, consent, security, and governance in India\u2019s digital ecosystem.","rel":"","context":"In &quot;Legislation Updates&quot;","block_context":{"text":"Legislation Updates","link":"https:\/\/www.scconline.com\/blog\/post\/category\/legislationupdates\/"},"img":{"alt_text":"Digital Personal Data Protection Rules 2025","src":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/11\/Digital-Personal-Data-Protection-Rules-2025.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/11\/Digital-Personal-Data-Protection-Rules-2025.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/11\/Digital-Personal-Data-Protection-Rules-2025.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/11\/Digital-Personal-Data-Protection-Rules-2025.webp?resize=700%2C400&ssl=1 2x"},"classes":[]}],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/posts\/380677","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/users\/67011"}],"replies":[{"embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/comments?post=380677"}],"version-history":[{"count":2,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/posts\/380677\/revisions"}],"predecessor-version":[{"id":380681,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/posts\/380677\/revisions\/380681"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/media\/380679"}],"wp:attachment":[{"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/media?parent=380677"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/categories?post=380677"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/tags?post=380677"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}