A DPDP-compliant consent notice isn't a paragraph in your terms and conditions — the DPDP Rules 2025 require it to be a clear, standalone, itemised request. This guide gives you a free, copy-paste template built around Section 6 of the Act and Rule 3 of the Rules, plus a downloadable one-pager.
Quick Answer: What Must a DPDP Consent Notice Include?
Under Rule 3 of the DPDP Rules 2025, a consent notice must be standalone (understandable on its own) and itemised, and must state: an itemised description of the personal data being collected; the specific purpose and a description of the goods or services enabled; and the means to withdraw consent, exercise rights, and complain to the Data Protection Board. Under Section 6(3) it must be in clear language with a contact point and a language option.
The Legal Requirements (Section 6 + Rule 3)
Two provisions shape a valid notice:
- Section 6 (consent) — consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and withdrawable as easily as it was given (Section 6(4)). See our consent requirements guide.
- Section 6(3) — the request must be in clear, plain language, offer access in English or an Eighth Schedule language, and give the contact details of a Data Protection Officer (where applicable) or another authorised person.
- Rule 3 (notice) — the notice must be understandable independently of any other information (standalone), with an itemised description of the data, the specific purpose and goods/services, and links/means to withdraw consent, exercise rights, and complain to the Board.
The Copy-Paste Consent Notice Template
Adapt the bracketed parts to your business. This is a starting point, not legal advice.
[Your Business Name] — Consent Notice
We, [Your Business Name], will collect and use the following personal data about you:
What we collect: [e.g., your name, mobile number, delivery address, email].
Why we collect it: [e.g., to process and deliver your order, and to send order updates]. We will use it only for these purposes.
Who we share it with: [e.g., our delivery partner and payment gateway], only as needed for the above.
How long we keep it: [e.g., as long as needed for your order and any legal record-keeping].You can withdraw your consent at any time, and access, correct or delete your data, by contacting us at [privacy@yourbusiness.in / phone]. If we don't resolve your concern, you may complain to the Data Protection Board of India.
This notice is available in [English / your language]. Contact for data questions: [name / role / email].
☐ I have read this notice and I consent to [Your Business Name] processing my personal data for the purposes above.
What Makes It Compliant (and What Breaks It)
| Do | Don't |
|---|---|
| Keep it standalone and itemised (Rule 3) | Bury it inside your terms & conditions |
| Use an unticked, active checkbox | Pre-tick the consent box |
| List each data type and its specific purpose | Say "we collect information to improve our services" |
| Offer one-click withdrawal and a contact point | Make withdrawal harder than opting in |
| Offer a language option (Section 6(3)) | Provide English only when a customer needs another language |
Where to Use It
Put this notice at every point you collect data: website/app checkout, a WhatsApp order flow, an Instagram order confirmation, or a QR code at your counter. Pair it with a full privacy notice published on your site.
References & Sources
- Ministry of Electronics & IT, Government of India — The Digital Personal Data Protection Act, 2023 (Section 5 notice; Section 6 consent, including 6(3)).
- The Digital Personal Data Protection Rules, 2025 (G.S.R. 846(E)) — Rule 3, "Notice given by Data Fiduciary to Data Principal" (itemised, standalone notice).
- India Code — Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), official consolidated text.
This template is general information about the DPDP Act 2023 and DPDP Rules 2025, not legal advice. Adapt it to your business and confirm against the current notified text before use.