DPDPA Compliance Guide
opt-in-dpdpa — India-specific opt-in with fiduciary name, grievance officer in modal, and age gate (18+). GPC signal is ignored. Use compliance: { type: 'opt-in-dpdpa' } in your ConsentiSetup config.India's Digital Personal Data Protection Act 2023 (DPDPA) came into force in August 2023 and is enforced by the Data Protection Board of India under the Ministry of Electronics and Information Technology (MeitY).
Official references
- Ministry of Electronics and Information Technology (MeitY) — DPDPA 2023 — official Act page
- India Gazette Notification — DPDPA 2023 (PDF) — official gazette text of the Act
- MeitY — Ministry of Electronics and Information Technology
Key requirements
| Requirement | Detail |
|---|---|
| Consent model | Opt-in — no silent or pre-ticked consent |
| GPC | Not recognised under DPDPA — Consenti ignores GPC when regulation is 'dpdpa' |
| Data Fiduciary disclosure | Name of the entity collecting data must appear in the consent notice |
| Grievance Officer | Email address for complaints must be disclosed in the consent notice |
| Purpose | Processing purpose must be described in clear, plain language |
| Withdrawal | Must be as easy as giving consent |
| Minors | Under-18 requires verifiable parental consent (Section 9) |
DPDPA vs. GDPR
| GDPR | DPDPA | |
|---|---|---|
| Opt-in required | Yes | Yes |
| GPC honoured | Optional | Not applicable |
| Data Fiduciary name in notice | Not required in banner | Required |
| Grievance Officer in notice | Not required in banner | Required |
| Sensitive categories | GDPR Art. 9 special categories | Sensitive personal data (Chapter III) |
| Enforcer | Data Protection Authorities | Data Protection Board of India |
Enabling DPDPA mode
Frontend widget
new ConsentiSetup({
core: {
regulation: 'dpdpa',
// autoHonorGPC is not needed — GPC is not recognised under DPDPA
},
})Profile configuration (dashboard)
In the Profile Editor, select DPDPA (India 2023) as the regulation. Three fields appear:
- Data Fiduciary Name — your company or product name (appears in the modal notice)
- Grievance Officer Email — contact address for data complaints (required by law)
- Purpose Description *(optional)* — plain-language description of why you collect data
Programmatic profile JSON
{
"regulation": "dpdpa",
"dpdpa": {
"dataFiduciary": "Acme Corp",
"grievanceEmail": "[email protected]",
"purposeDescription": "To operate the website and send transactional emails."
}
}Consent notice (modal footer)
When regulation: 'dpdpa' is active and the profile includes a dpdpa block, Consenti automatically injects a notice before the modal action buttons:
<div class="consenti-modal__dpdpa-notice">
<strong>Data Fiduciary:</strong> Acme Corp.
<strong>Purpose:</strong> To operate the website and send transactional emails.
You may withdraw consent at any time or contact our Grievance Officer at
<a href="mailto:[email protected]">[email protected]</a>.
</div>No custom template changes are required — the notice is rendered automatically.
GPC under DPDPA
navigator.globalPrivacyControl === true, Consenti will not automatically deny cookies under DPDPA. The banner is always shown on first visit for an explicit opt-in.Right to withdrawal (Section 6)
DPDPA Section 6 requires that withdrawal of consent is as easy as giving consent. Use widget.showModal() from a persistent footer link to give users a way to update their choices at any time:
<a href="#" onclick="window.__consenti?.showModal(); return false;">
Manage my consent
</a>Erasure (Section 12)
DPDPA Section 12 grants users the right to erasure. Use the GDPR-compatible erasure endpoint:
DELETE /consenti/api/v1/consent/:visitorIdThis removes all consent records, history, and visitor data for the given visitor ID.