Abstract
The digital personal data has become part of daily life in India, as people continue to share information regularly to secure simple access to the most important digital services. Digital Personal Data Protection Act, 2023, intends to address this fact, and it attempts to do so with a consent-based framework, highlighting individual autonomy as the central point in the protection of data. The Act provides specific circumstances of valid consent under section 6 such that the consent must be free, specific, informed, unconditional and limited to a given purpose, although it does not refuse the right to revoke consent. Regardless of these precautions, there is concern as to whether consent in the online context can actually serve as a valid exercise of user autonomy.In this paper, a doctrinal analysis of Section 6 of the DPDP Act is done to understand whether the consent framework, as presented, can result in informed and voluntary consent in reality. Placing reliance on Section 6 of the DPDP Act and the case of Puttaswamy (Retd.). v Union of India, it is noted that consent cannot be comprehended as a mere formal or contractual exercise. Rather, it has to be considered against the background of structural power imbalances, information overload, and lack of options on the part of the user that defines modern digital interactions.
The paper relies on the Indian scholarship along with the comparison with the General Data Protection Regulation of the European Union in order to point out the fact that consent is frequently turned into deception without the assistance of a strong interpretation and enforcement. Although the key mechanisms in Section 6 include the limitation of purpose, annulment of invalid clauses of unlawful consent, and ease of withdrawal, the outcome of the mechanisms varies with the intentional interpretation and institutional ability. The paper concludes that Section 6 can provide substantial protection, although such protection is only possible in case the regulators and adjudicatory authorities perceive consent as an ongoing relationship and not a formality.
Keywords: Privacy, Data protection, Informed Consent, Revoke, Autonomy.
Introduction
Digital interactions today are no longer occasional or optional; they are part of ordinary life in India. Whether it is paying bills online, booking a doctor’s appointment through a telemedicine app, attending classes on digital platforms, or simply scrolling through social media, individuals constantly share personal data to participate in modern society. Most of the time, this sharing happens through consent mechanisms that are presented on a take-it-or-leave-it basis. Users click “I agree” not because they have carefully weighed the terms, but because refusing often means losing access altogether. It is within this everyday reality that the Digital Personal Data Protection Act, 2023[1] must be located.
The DPDP Act adopts a consent-based framework and places individual autonomy at the centre of personal data protection. Section 6[2], in particular, attempts to define what valid consent should look like by insisting that it be free, specific, informed, and limited to a clear purpose, while also allowing withdrawal. On paper, this mechanism appears to be a strong safeguard. However, the persistence of click-wrap agreements[3]and increasingly opaque data practices raise a fundamental concern: whether these formal requirements genuinely empower individuals, or whether consent has become a procedural formality that masks deeper power imbalances between users and data-processing entities.
This paper begins from the position that consent, although necessary, is an inherently fragile tool in the digital environment. The real issue is not whether consent exists in a technical sense, but whether it can ever be truly informed and voluntary when users face information overload, limited choices, and unequal bargaining power. The central question this paper seeks to address, therefore, is how Section 6 of the DPDP[4]Act can be interpreted and enforced in a way that gives real meaning to consent, despite cognitive limitations, structural asymmetries, and gaps in institutional enforcement.
Adopting a doctrinal approach, the paper closely examines the language of Section 6, situates it within India’s constitutional understanding of privacy, and assesses the safeguards built into the provision. Rather than rejecting consent as a regulatory mechanism altogether, the paper argues for a more realistic engagement with it, one that acknowledges its weaknesses while still exploring how it can be strengthened within India’s emerging data protection framework.
[1] No. 22 of 2023
[2] No. 22 of 2023, § 6 (India).
[3] Devesh Agarwal, *Analyzing the Landscape of Click-Wrap Agreements*, LiveLaw (Jan. 5, 2024), https://www.livelaw.in/articles/analyzing-the-landscape-of-click-wrap-agreements-245917.
[4]Id. § 6