Consenti

DPDPA Compliance Guide

ℹ️Compliance group: opt-in-dpdpa — India-specific opt-in with fiduciary name, grievance officer in modal, and age gate (18+). GPC signal is ignored. Use compliance: { type: 'opt-in-dpdpa' } in your ConsentiSetup config.

India's Digital Personal Data Protection Act 2023 (DPDPA) came into force in August 2023 and is enforced by the Data Protection Board of India under the Ministry of Electronics and Information Technology (MeitY).

Official references

Key requirements

RequirementDetail
Consent modelOpt-in — no silent or pre-ticked consent
GPCNot recognised under DPDPA — Consenti ignores GPC when regulation is 'dpdpa'
Data Fiduciary disclosureName of the entity collecting data must appear in the consent notice
Grievance OfficerEmail address for complaints must be disclosed in the consent notice
PurposeProcessing purpose must be described in clear, plain language
WithdrawalMust be as easy as giving consent
MinorsUnder-18 requires verifiable parental consent (Section 9)

DPDPA vs. GDPR

GDPRDPDPA
Opt-in requiredYesYes
GPC honouredOptionalNot applicable
Data Fiduciary name in noticeNot required in bannerRequired
Grievance Officer in noticeNot required in bannerRequired
Sensitive categoriesGDPR Art. 9 special categoriesSensitive personal data (Chapter III)
EnforcerData Protection AuthoritiesData Protection Board of India

Enabling DPDPA mode

Frontend widget

ts
new ConsentiSetup({
  core: {
    regulation: 'dpdpa',
    // autoHonorGPC is not needed — GPC is not recognised under DPDPA
  },
})

Profile configuration (dashboard)

In the Profile Editor, select DPDPA (India 2023) as the regulation. Three fields appear:

  • Data Fiduciary Name — your company or product name (appears in the modal notice)
  • Grievance Officer Email — contact address for data complaints (required by law)
  • Purpose Description *(optional)* — plain-language description of why you collect data

Programmatic profile JSON

json
{
  "regulation": "dpdpa",
  "dpdpa": {
    "dataFiduciary": "Acme Corp",
    "grievanceEmail": "[email protected]",
    "purposeDescription": "To operate the website and send transactional emails."
  }
}

Consent notice (modal footer)

When regulation: 'dpdpa' is active and the profile includes a dpdpa block, Consenti automatically injects a notice before the modal action buttons:

html
<div class="consenti-modal__dpdpa-notice">
  <strong>Data Fiduciary:</strong> Acme Corp.
  <strong>Purpose:</strong> To operate the website and send transactional emails.
  You may withdraw consent at any time or contact our Grievance Officer at
  <a href="mailto:[email protected]">[email protected]</a>.
</div>

No custom template changes are required — the notice is rendered automatically.

GPC under DPDPA

⚠️DPDPA does not recognise GPC as a valid opt-out signal. Even if the visitor's browser sendsnavigator.globalPrivacyControl === true, Consenti will not automatically deny cookies under DPDPA. The banner is always shown on first visit for an explicit opt-in.

Right to withdrawal (Section 6)

DPDPA Section 6 requires that withdrawal of consent is as easy as giving consent. Use widget.showModal() from a persistent footer link to give users a way to update their choices at any time:

html
<a href="#" onclick="window.__consenti?.showModal(); return false;">
  Manage my consent
</a>

Erasure (Section 12)

DPDPA Section 12 grants users the right to erasure. Use the GDPR-compatible erasure endpoint:

http
DELETE /consenti/api/v1/consent/:visitorId

This removes all consent records, history, and visitor data for the given visitor ID.