Designing Consent for Next-gen Data Driven Economy

An article titled “DPDPA compliance strategy: Collect only what you need & simplify everything” authored by our Partner, Akshayy S Nanda, has been published by Voice & Data.

As India enters a new era of data protection with the Digital Personal Data Protection Act, 2023 (DPDPA), both businesses and users stand at a critical juncture. The law requires a profound shift—not only in backend compliance but also in the everyday experiences users have with websites and apps. Central to this evolution is the concept of consent: what it means, how it’s collected, and how its misuse through “deceptive patterns” endangers both user rights and organizational trust.

The Foundations: Consent Requirements Under DPDPA

The DPDPA establishes consent as one of the primary legal bases for processing personal data. For consent to be valid, it must satisfy five distinct requirements:

Free: The consent must be given without coercion, pressure, or bundling with services. Organizations cannot tie the provision of services to consent for processing that is not necessary for the service’s performance. If refusing consent leads to denial of service for non-essential processing, it cannot be considered freely given.

Specific: Consent must be granular and purpose-specific. Individuals must understand precisely what data is being processed and for what specific purpose. Blanket consent covering multiple purposes is invalid.

Informed: Data principals must receive clear information about the processing through proper notice. This includes an itemized description of the personal data being processed and the specific purposes for which it will be used in English and 22 regional languages.

Unconditional: Consent cannot be bundled with acceptance of terms and conditions or tied to other agreements. It must be separate and distinct from other contractual obligations.

Unambiguous with Clear Affirmative Action: Consent must be demonstrated through a positive action. Pre-ticked boxes, inactivity, or silence cannot constitute consent. The individual user must take deliberate action to signify agreement.

Users must also be able to withdraw consent as easily as they give it—a feature often neglected in legacy designs. For children under 18, the law mandates child-appropriate communication and verifiable parental consent, with special rules against tracking or targeting kids for ads. Every consent request or management tool must also be accessible in regional languages, ensuring no digital divide around language or ability.

Reality Check: Deceptive Patterns in Digital Consent

While the legal standards are clear, digital practices have evolved a sophisticated repertoire of manipulative tactics: “deceptive patterns” (also known as “dark patterns”) that undermine genuine user autonomy. Deceptive patterns are UI or journey design practices that intentionally (or through neglect) steer individuals into making privacy choices they would not make freely. A few examples of deceptive patterns include:

  • Bombarding users who refuse to provide their phone number to a social media platform with continuous pop-ups every time they log in. “We need your phone number for security,” the messages insist, without mentioning that email-based authentication works just as well. The constant pestering wears down user resistance—a clear violation of the DPDPA’s requirement that consent be “free.”
  • Forcing users through labyrinthine settings structures. To withdraw consent for data sharing with advertising partners, users might need to navigate: Account Settings → Privacy → Data Protection → Advanced Settings → Consent Management → Specific Purpose Consent → Advertising Preferences → Partner Data Sharing. Each step requires multiple clicks, creating what privacy researchers call “consent fatigue.” This directly violates the DPDPA’s requirement that withdrawing consent be “comparable to the ease with which such consent was given”.
  • Exploiting users’ tendency to maintain default settings. When a user signs up for a food delivery app and enters her birthday, the sharing option is pre-set to “share with everyone” instead of a more private alternative. This violates fundamental data protection principles requiring that only necessary personal data be processed by default.
  • Emotionally steering by using language designed to manipulate users’ emotional states to encourage data sharing. “Don’t miss out on amazing, personalized experiences your friends are enjoying!” reads one prompt, while “Are you sure you want to limit your experience?” appears next to privacy settings. Such language violates the fairness principle by exploiting psychological vulnerabilities rather than providing objective information for informed decision-making.
  • Designing so that critical information about data processing, although present, is overlooked: tiny fonts, low-contrast colours, or placement in unexpected locations. The consent withdrawal link might exist but be rendered in light grey text on a white background, making it effectively invisible to most users.
  • Using social pressure tactics to leverage the fundamental need for belonging. “Join 50 million users who have enabled location sharing!” proclaims one app, without mentioning that location sharing isn’t necessary for the app’s core functionality. This creates artificial urgency and peer pressure that compromises free consent.
  • Obstructing users’ ability to exercise their rights. While consent can be granted with a single tap, withdrawal might require multiple confirmation steps, account verification, waiting periods, and even phone calls to customer service. Some apps present users with “dead ends”—links that appear to provide privacy options but lead to general help pages or broken links. A “Manage Privacy” button might only offer options to enable more data sharing, not to restrict it. Such asymmetries directly violate the DPDPA’s fundamental requirement for accessible mechanisms through which users can exercise their rights.
  • Using vague language such as “Your data might be used to improve our services”, which provides no meaningful information about the actual processing activities. Under the DPDPA, such ambiguity would prevent the formation of valid informed consent.

Building Compliant Interfaces: A New Design Philosophy

Creating DPDPA-compliant interfaces requires a fundamental shift from manipulation to empowerment, from exploitation to transparency. The solution lies not in legal compliance as an afterthought, but in privacy by design as a core principle. Privacy by design means using consistent typography, adequate contrast ratios, and logical information architecture. Critical privacy information should be as visually prominent as service features. Legal jargon must give way to plain language—every statement about data processing should be understandable without specialized knowledge.

UI/UX designers should use consistent button styling for consent and refusal options, adequate colour contrast, and accessible design for users with disabilities. Content structure should lead with the specific purpose of processing, clearly identify the data being processed, explain user rights and how to exercise them, and provide contact information for data protection questions. Interactive elements must use clear, action-oriented button labels (“I consent to email marketing” rather than a vague “Accept” button), implement equal-effort consent and withdrawal mechanisms, provide immediate confirmation of consent choices, and allow users to review and modify their consent at any time. Cross-platform consistency is also critical: consent management experiences should be identical across desktop, mobile web, and native applications, using consistent visual elements, terminology, and interaction patterns to prevent the user confusion that could compromise informed consent.

Conclusion: The Path Forward

The DPDPA represents more than regulatory compliance—it embodies a fundamental shift toward respecting individual autonomy in the digital age. As data fiduciaries grapple with implementing these requirements, the temptation to rely on deceptive patterns may seem attractive for maintaining user engagement and data collection practices.

However, the long-term success of digital services increasingly depends on user trust and genuine consent. Organizations that invest in transparent, user-empowering interfaces position themselves as trustworthy stewards of personal data, building sustainable competitive advantages through ethical design practices.

The convergence of legal requirements, user expectations, and business imperatives creates an opportunity to redefine the relationship between technology and privacy. By rejecting deceptive patterns and embracing transparent design, organizations can create digital experiences that serve users’ interests while building stronger, more sustainable business models based on genuine user choice and trust.

As India’s digital economy continues its explosive growth, the choice facing businesses is not whether they can afford to implement these principles, but whether they can afford not to. In an increasingly privacy-conscious world, the organizations that respect user autonomy will be the ones that users trust with their data—and their business.

Published On: November 15, 2025
