DPDPA 2023 Section 6 — Consent: The Legal Standard for Processing Personal Data in India
Section 6 of the Digital Personal Data Protection Act, 2023 (DPDPA) requires that consent given by a Data Principal be free, specific, informed, unconditional and unambiguous, signalled through a clear affirmative action, and limited to the purpose stated in the Section 5 notice. It is the cornerstone lawful ground for every Data Fiduciary in India — photographers, schools, hospitals, hotels, marathon organisers, HR teams, retail brands and media houses alike.
Key facts
| Field | Detail |
|---|---|
| Statute | Digital Personal Data Protection Act, 2023 |
| Section | Section 6 — Consent |
| Effective | Phased rollout 2025–2026 (per MeitY notification) |
| Regulator | Data Protection Board of India (DPBI) |
| Penalty Ceiling | Up to ₹250 crore per instance for breach of Data Fiduciary obligations |
| Applies To | All Data Fiduciaries processing digital personal data in India |
What Section 6 says
Section 6 makes consent the default lawful basis under DPDPA 2023. Every Data Fiduciary must obtain consent that is free, specific, informed, unconditional, unambiguous, and given through a clear affirmative action. Section 6(2) requires the request be in plain language, with the Section 5 notice, in English or any Eighth Schedule language. Section 6(3) bars bundling — consent is limited to data necessary for the purpose. Section 6(4) guarantees withdrawal as easy as giving consent; Section 6(5) preserves the lawfulness of prior processing; Section 6(6) requires cessation by Fiduciary and Processors. Section 6(7) permits registered Consent Managers; Section 6(10) places the burden of proving consent on the Fiduciary.
What it means in practice
- Consent must be a clear affirmative action — pre-ticked boxes, silence, or inaction do not qualify under Section 6(1).
- A Section 5 notice must accompany or precede the consent request, in clear plain language, in English or any Eighth Schedule language.
- Consent is purpose-bound: a school cannot reuse admission data for marketing; a photographer cannot reuse wedding images for portfolio promotion without fresh consent.
- Withdrawal must be as easy as giving consent (Section 6(4)) — a one-click withdrawal mechanism is the compliance benchmark.
- On withdrawal, the Data Fiduciary and all Data Processors must stop processing within a reasonable time (Section 6(6)).
- The Data Fiduciary carries the burden of proving valid consent (Section 6(10)) — timestamped consent logs are mandatory in practice.
Who Section 6 applies to
- Wedding and event photographers capturing guests, family members and venue staff
- Event management companies running corporate offsites, conferences and brand activations
- Schools, colleges and coaching institutes collecting student, parent and staff data (read with Section 9)
- Marathon, sports and fitness event organisers capturing participant photos, biometric timing and medical data
- Corporate HR teams handling employee onboarding, payroll, surveillance and exit data
- Hospitals, clinics and diagnostic chains processing patient identifiers and health records
- Hotels, resorts and hospitality groups storing guest IDs, CCTV footage and loyalty programme data
- Retail brands and e-commerce platforms building customer profiles and loyalty databases
- Media houses, news organisations and publishers handling subscriber and source data
- Advertising agencies and photo studios producing campaign creatives featuring identifiable individuals
Common violations
Bundled consent in school admission forms
A school combines academic enrolment consent with consent for sharing student photos with sponsors and ed-tech partners in a single tickbox — violates Section 6(1) specificity and Section 6(3) limitation to necessary data.
Wedding photographer reusing images for marketing without fresh consent
A studio uploads identifiable guest photographs to Instagram based on consent given only for delivery of the wedding album — breaches purpose limitation under Section 6(1).
Hotel storing ID copies for indefinite marketing use
A hospitality chain retains scanned Aadhaar/passport copies collected at check-in and uses them to push loyalty offers, with no specific, informed consent for the marketing purpose.
Marathon organiser publishing finisher photos without opt-in
Race-day photographs are sold to a sponsor brand for advertising without a clear affirmative consent action — violates Section 6(1).
Hospital sharing patient data with insurance partners by default
A diagnostic chain treats insurance data-sharing as auto-consented at registration — fails the unconditional and unambiguous standard.
HR team blocking consent withdrawal behind manager approval
A corporate makes employees email HR and wait for approval to withdraw consent for non-statutory monitoring, which violates the Section 6(4) ease-of-withdrawal requirement.
Penalty for breach
Breach of consent obligations under Section 6 is adjudicated by the Data Protection Board of India under the Schedule to the DPDPA 2023. Failure to observe Data Fiduciary obligations — including invalid consent capture, bundled consent, or refusal to honour withdrawal — can attract penalties of up to ₹250 crore per instance. Repeat or systemic failures across a school chain, hospital group or hospitality brand can be aggregated by the Board. Penalties are in addition to compensation claims and reputational consequences from publication of Board orders.
Frequently asked questions
Can a wedding photographer rely on the couple's consent to process guests' personal data?
No. Under Section 6(1) each identifiable Data Principal — including guests, relatives and venue staff — must give their own free, specific, informed consent. The couple cannot consent on behalf of adult guests. Photographers should rely on a documented notice at the venue plus affirmative action (consent register, QR-coded form, or RSVP-stage opt-in).
Do schools need fresh consent under Section 6 if they collected data before DPDPA's effective date?
Yes. Once Section 6 is notified, Section 5(2) requires Data Fiduciaries to issue a fresh notice to existing Data Principals and continue processing only if valid consent (or another lawful ground) is obtained. For minors, this is read with Section 9 requiring verifiable parental consent.
Is a single 'I agree to terms and privacy policy' tick valid consent under Section 6?
Generally no. Section 6(1) requires specific and unconditional consent and Section 6(3) limits it to data necessary for the specified purpose. Bundling privacy consent with contractual terms typically fails the 'free' and 'specific' tests. Granular, per-purpose toggles are the safer standard.
How should a hospital chain manage consent withdrawal under Section 6(4) and 6(6)?
The hospital must offer a withdrawal channel as easy as the original consent — a portal toggle or one-click request. On withdrawal, processing must stop within a reasonable time, and all Data Processors (labs, telehealth vendors, CRM) must be instructed to do the same, while retaining only what statutes like the Clinical Establishments Act mandate.
Can a marathon organiser use race photographs for next year's marketing?
Only if the consent obtained at registration explicitly covered marketing use, or fresh consent is taken before reuse. Section 6(1) restricts processing to the specified purpose — race participation and result publication are distinct from sponsor marketing or future-edition promotion.
Do hotels need Section 6 consent to operate CCTV in lobbies and corridors?
CCTV in public-facing hospitality areas is generally operated on the basis of clear notice plus legitimate use. However, retention beyond operational need, facial recognition, or sharing with third parties (loyalty partners, law enforcement outside legal process) triggers Section 6 consent with specific purpose disclosure.
Who carries the burden of proving consent was validly obtained?
Section 6(10) places the burden on the Data Fiduciary. Every photo studio, ad agency, retail brand or media house must maintain auditable consent records — timestamp, notice version, purpose and affirmative action taken. The Data Protection Board can demand this evidence during inquiry.
Article reviewed against DPDPA 2023, Schedule, and DPDPA Rules 2025.