Abstract
The Digital Personal Data Protection Act, 2023, builds the lawfulness of processing almost entirely upon a single load-bearing concept: the data principal’s consent. That consent must be free, specific, informed, unconditional and unambiguous. This paper argues that the statute, now operationalised by the Digital Personal Data Protection Rules, 2025, treats consent as a procedural event to be documented rather than as a substantive exercise of autonomy to be protected, and that this conception is structurally incompatible with the environments in which consent is actually obtained. Contemporary interfaces are engineered to steer; through manipulative defaults, friction asymmetry, choice overload and confirm-shaming, they do not merely solicit agreement but manufacture it. The result is a recognisable but underexamined pathology: consent that is legally valid yet substantively defective, formally free yet practically engineered. Drawing on the Indian law of free consent, undue influence and unconscionability, and on the constitutional foundation laid in Puttaswamy, the paper contends that Indian data protection law already possesses the doctrinal vocabulary to treat architecture-based steering as a vitiating factor, but has not yet deployed it. It proposes a reorientation built around three instruments: a material influence standard that asks whether the design, not the disclosure, determined the choice; a positive obligation of interface neutrality; and an evidential presumption against consent harvested through recognised manipulative flows. The argument is doctrinal and reconstructive rather than merely critical, and the recommendations are calibrated to the existing architecture of the Act, the Rules and the Central Consumer Protection Authority’s dark patterns regime.
Keywords: consent; dark patterns; informational autonomy; DPDP Act 2023; interface neutrality; material influence; unconscionability.
1. Introduction
1.1 Background and Context
When the Supreme Court located informational privacy within the guarantee of personal liberty, it did so on a premise about the self: that an individual is entitled to decide for herself what becomes known about her, and to whom.[1] The Digital Personal Data Protection Act, 2023, is the legislative inheritor of that premise, and it discharges the inheritance through a single mechanism. Processing of personal data is lawful only where the data principal has given consent, or where a narrow set of legitimate uses applies.[2] Consent, in turn, must be accompanied by a notice and must satisfy a demanding adjectival standard.[3] With the notification of the Digital Personal Data Protection Rules, 2025, that architecture has moved from text to operation, and the question of what consent must actually look like has ceased to be academic.[4]
The difficulty is that the Act inherits the premise of autonomy while regulating only its outward form. It specifies the qualities consent must possess and the disclosures that must precede it, but it says almost nothing about the conditions under which the choice is presented. Yet those conditions are precisely where autonomy is won or lost. The consumer who clicks ‘Accept All’ beneath a wall of pre-ticked boxes, or who abandons a buried opt-out after the third nested menu, has performed every act the statute requires. The signature is genuine; the agreement is hollow.
[1] Justice K S Puttaswamy (Retd) v Union of India (2017) 10 SCC 1 [298], [325] (Chandrachud J).
[2] Digital Personal Data Protection Act 2023, s 6(1).
[3] DPDP Act 2023 (n 2) s 5; Digital Personal Data Protection Rules 2025, r 3 (notified 13 November 2025, published in the Gazette of India 14 November 2025).
[4] The Rules were notified by the Ministry of Electronics and Information Technology on 13 November 2025 with a staggered commencement: see Digital Personal Data Protection Rules 2025, r 1(2); the substantive consent and fiduciary obligations take effect eighteen months after notification.