Abstract:
“In the digital world, clicking ‘I Agree’ rarely means ‘I Understand’.” By saying this a dilemma of highlighted gap between giving a consent and rarely understanding it becomes an important task to solve and curb the extending disparities created by the term ‘I Agree’ . In this paper, I would elucidate upon what does it really mean to give consent and how acts like DPDP(Digital Personal Data Protection) Act, 2023 emphasizes consent as the foundation for data processing. With everything being available in cyber space where everything is interconnected and billions of people surfing together there lies a contention, where one might be under surveillance without their knowledge which further can create problems like identify theft, online frauds, digital arrest, data breaches etc. There is a sheer need to take into cognizance that what does online terms and conditions speculate. With proper consent framework and digital assistance there remains a path where populace might feel secured without being in a state of constant fear.
Keywords:
Digital consent, DPDP Act 2023, Privacy framework, Consent fatigue, Online surveillance, Data protection.
Introduction:
In our modern digital age, the ‘I Agree’ habit has become such a standard that its meaning is only barely perceptible to users. The discrepancy between granting consent and fully understanding what one is consenting is very worrisome concern in our more and more data driven world. With platforms incessantly collecting, exchanging and monetizing personal data, it raises the question of what ‘consent’ indeed signifies both ethically and legally. The passing of Digital Personal Data Protection (DPDP) Act, 2023 in India puts consent at the forefront of its regulatory framework, making it the first stone for the collection and processing of lawful data. But the massive dependence on user consent, without proper care to ensure that users do indeed comprehend the terms or possess digital literacy to deal with them, leaves profound doubts regarding the utility of consent as a protective mechanism.
The DPDP Act is indeed a seminal development and revolutionary leap in India’s trajectory towards a trustable data protection. In an extremely networked virtual world where billions of individuals share personal information on the internet, having consent as a mere routine function does not suffice. Most users are vulnerable to online spying, data leaks and identity theft without knowing how and when they granted such access. The act of ‘agreeing’ to terms and conditions written in complex, jargon legal language is rarely an informed process of understanding how data will be utilized or what might happen. This culture has created ‘consent fatigue’ where users get bombarded with incessant requests and convoluted wording and automatically accept all terms and conditions just to get minimal online services.
The paper provides an analytical examination of the consent focused approach that is incorporated within the DPDP Act, 2023, and comprehends if indeed this paradigm empowers the users or just legalizes their exposure to exploitation. It explores the mechanisms by which the digital world and web environments create risk that endures despite consent, underlining the need for a system demanding not merely user acquiescence, but actual comprehension and awareness of context. The article borrows lessons from the international privacy regimes like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), comparing the sufficiency of India’s framework to what a population that might not enjoy widespread digital literacy faces.
1.Understanding consent in the digital age
The concept of consent lies at the centre of data protection laws globally in the digital environment, in it consent serves as the collection, use and sharing of personal information is legal. This principle is adopted by DPDP Act, 2023 which recognizes consent as a key legal foundation for data processing. As per the section 6 of the act , a valid consent must be free, specific, informed, unconditional, and unambiguous it must be given by a definite affirmative action. However, a thorough evaluation is necessary to determine the model’s effectiveness in the unique context of India’s digital ecosystem.
In reality, the users frequently have to agree to privacy policies, terms of use, and data processing statements to use or access the basic services. Consent framework depends largely on users being able to understand and interpret the documents filled with legal and technical jargon. This leads to the functional gap between the legal definition of consent and how it is actually used .
Additionally, users run into forced or bundled consent in which they are left with no option but to accept all terms and conditions to use a service, in no position to negotiate or reject any clause in particular. This highlights the principle of voluntariness and questions the idea of a user’s agency in giving or declining consent.
Further, the growing or increasing commonality of consent fatigue , it’s a condition where users click ‘I Agree’ without understanding and comprehending it , it has diluted the effectiveness of the consent framework. Users are exposed to numerous, repetitive requests as a result of services growing cross platform integration which normalizes consent as a passive action than a deliberate decision.
The Indian digital landscape further complicates the situation. Many users face issues like low digital literacy, language barriers, and lack of awareness. Under these conditions, it becomes extremely difficult to expect users to give meaningful consent.
While the DPDP Act attempts to align with the international standards by incorporating essential consent principles, but the absence of mandatory provisions for user friendly consent formats, multilingual notices, or visual aids leads to gap between the legislative intent and actual implementation.
In conclusion, the digital ecosystem in India presents a situation where the user’s ability to understand and control their personal data though consent is compromised not only by the nature of legal texts, but also by structural, linguistic, and behavioural barriers.
2.Critical analysis of consent under the DPDP Act, 2023
The Digital Personal Data Protection (DPDP) Act, 2023 marks a notable step in India’s journey towards a formal structured data privacy regime. The centre of the act lies on the principle of data processing on user consent only. Section 5 and 6 of the act are load bearing pillars of the consent mechanism. However, the enforcement and practical application of this framework raises concerns.
Section 5: The notice requirement
Section 5 imposes a duty on data fiduciaries to provide a notice to data principal before seeking consent. The notice must include information such as:
- The nature and purpose of data processing,
- The manner in which data will be used,
- The contact details for both the fiduciary and grievance officer,
- Information of the principal’s rights.
The intention is to promote the transparency and user awareness which would enhance user agency and informed participation in the digital economy.
However, there is no prescribed format for these notices, no requirement for the language in which they must be provided, and no guidance on the interface or presentation. In a country as India which is highly linguistic and digital diversity it is not a minor oversight. The absence of clear guidelines for the data fiduciaries as they are under no obligation to present information in accessible, comprehensible or relevant formats. The result may clearly be transparent but in reality, the way they communicate can be confusing or exclusionary communication. For a large part of population especially those without formal education, digital literacy, or fluency in english such ‘notices’ often feel like just another formality.
Section 6: Defining valid consent
Section 6 explains what counts as a ‘valid’ consent it must be:
- Free: given voluntarily without coercion
- Specific: limited to particular purpose
- Informed: provided after understanding implications
- Unconditional: not tied to acceptance of other terms
- Unambiguous: reflected through a clear affirmative action
These elements are derived from global privacy standards like the GDPR, reflects a meaningful step forward. The reality of digital consent arises from this ideal. Many platforms present a bundled consent, users are required to accept all terms and conditions including optional data sharing for accessing basic services. This undermines the freedom of consent but also turns into a compulsory precondition.
Whereas, the Act does not mandate that the consent mechanism must be user friendly, linguistically inclusive, or visually accessible. This imposes a barrier to understanding among users who lack legal or technical literacy. This puts the responsibility of understanding complex information on people who are usually the least prepared to handle it. This becomes more problematic where digital access and knowledge gap are really wide.
Consent withdrawal and lack of design standards
Section 6(3) of the act recognises the right to withdraw consent. It should be as easy to withdraw as easy it is to give. Yet, there is no specification on how the withdrawal process works. Without proper design standards can or may be obscured, difficult to locate, or require some difficult steps that nullify from exercising the right this limits the practicality of the withdrawal provisions.
Further, the act does not set out consequences for non compliance with withdrawal requests. There is no established mechanism if a platform continues to process data even after a user has revoked the consent. This lacks the enforceable standards and accountability mechanisms which weakens the practical utilisation of the withdrawal right.
No mechanism for consent verification
The act does not create any mechanism to verify whether the consent was taken truly, was informed, unambiguous, and free. There is no obligation for the platforms to retain how the consent was obtained or the notice was understandable or not and nor to create any audit trail demonstrating the adequacy of their notice or consent. Unlike, the General Data Protection Regulation (GDPR) which requires data controllers to be able to demonstrate compliance with consent standards upon request. But in India’s case there is lack of such accountability framework like this, which undermines the user protection in the event of disputes or data misuse.
Grievance redressal and enforcement weaknesses
The act establishes the Data Protection Board of India s the main supervisory authority but its structure, independence and operational capabilities remain undefined. Without a well resourced enforcement body, users who wish to challenge questionable consent practices or report misuse concerns will find it difficult to do so. The absence of clearly defined enforcement protocols or meaningful penalties undermines the law’s credibility and restricts the potential to prevent abuse.
Reality check: Practical vs. Legal consent
The DPDP Act attempts to build a consent driven framework , it operated under an environment where digital inequalities are deeply rooted in such cases legal consent becomes more of a formality than a real choice when :
- Users are presented with dense and lengthy legal texts
- Consent is required to access even basic services
- There are no alternative ways for vulnerable groups to seek help
In practice, consent often serves less as a tool for user empowerment and more of a legal shield for corporations that shifts the responsibility to the user and preserving the existing power imbalances.
3.Comparative perspectives- GDPR, CCPA, and DPDP Act,2023
The concept of consent under the Digital Personal Data Protection Act, 2023 shares a common crossroads with international privacy laws such as the General Data Protection Regulation (GDPR) of the European Union and the California Consumer Privacy Act (CCPA) of the United States. While, the India’s framework appears to emulate these established global standards, a closer examination leads to recognition of significant distinctions in interpretation, operationalization and enforcement of consent.
Under the GDPR, consent is strictly defined. Article 4(11) of GDPR states that the consent must be freely given, specific, informed, and unambiguous, with clear affirmative action from the data subject. Article 7 further obliges that the data controllers must be able to demonstrate the consent was genuinely obtained. The GDPR’s approach just not only require consent but also ensure that it is meaningful and provable. GDPR also grants the right to withdraw their consent at any time enhancing the autonomy and control over personal data.
In contrast, the India’s DPDP Act lays down similar provisions like section 6 that consent should be free, informed, specific and unambiguous with a clear given affirmative action. The enforcement is beginning to exist , the Data Protection Board lacks the degree of enforcement, public awareness and digital literacy. Unlike, the GDPR where Data Protection Authorities are established authority, well resourced, and active, India’s enforcement mechanisms still face structural and operational challenges.
In contrast, the CCPA adopts a different way. It is not mainly based on consent as the GDPR, it gives individuals right to opt out of the data sales and mandates the businesses to provide a notification regarding the data collection to the consumers. In it the consumers can request deletion of their data, understand the purpose of collection and limit the usage. The CCPA focuses more on the user rights and transparency, whereas the India’s DPDP Act emphasise on the initial consent and compliance by data fiduciaries.
Another key difference is the presumption of literacy and understanding. GDPR assumes a high level digital literacy and public awareness among its population and sets the standards accordingly. In the Indian context, it includes a large rural population, low digital literacy and infrastructure challenges. A consent driven approach without the required awareness, enforcement, and literacy, may not provide the privacy it promises.
4.Consent fatigue and informational asymmetry in India
The DPDP Act, 2023 places consent at the centre of lawful data processing in India. Whereas informed consent in practicality suffers from two major challenges that is consent fatigue and informational asymmetry. They are not just minor bumps but they are the fundamental challenges the protective value of the consent framework and leaves the users exposed than being safeguarded.
Consent fatigue arises when the users are overwhelmed by the consent prompts they encounter on a daily basis in digital spaces that can be app installations, website pop ups or services. In such scenarios users tend to hit the ‘I Agree’ button without reading the terms and conditions. This undermines the principle of informed consent as users are neither reading nor understanding what they agree to.
In India, the combination of high digital access and low digital literacy the fatigue becomes severe. Many users from semi urban and rural areas lack the ability to understand the technical and legal language used in privacy policies. Even in urban areas, the terms and conditions are presented in complex legalese or English which is not accessible to all. Hence, the freedom of choice becomes a illusion the consent exists but in practice its hollow and meaningless.
The informational asymmetry between data fiduciaries and data principals remains a major obstacle as most of the users are not aware of the scope , nature and sensitivity of the data being collected from them. Most of the users are barely informed or aware about what is being gathered, whether it is being shared to third parties or not, transferred internationally or targeted advertising algorithms. The DPDP Act tries to solve the this using section 6 that consists of notice and consent but it does not consider whether people can actually access or understand what are they agreeing to.
This results in surrendering of users of their privacy rights for the digital convenience without realising the risks. In the absence of public awareness campaigns, privacy centre principles or transparent user interfaces, the process remains as a mere checkbox.
To address these issues the consent framework needs to go beyond the legal formalities. Privacy notices must be accessible, multilingual, and straightforward, along with digital literacy initiatives and tools that offer clear insight into haw the data is processed and shared. That bridges the gap between users and data controllers which is essential for realising meaningful consent and meaningful privacy.
5.Beyond consent- rethinking safeguards and accountability
It is clear that the data protection cannot be solely on the basis of consent in India. The earlier sections discuss that the consent isn’t enough to protect the users especially in a country like India where the digital literacy is low and the system is full of gaps and inequalities, it is difficult for users to give meaningful consent. In most cases consent ends up being a mere formality than something people genuinely understands. Putting the responsibility of privacy on individuals assumes they understand what’s happening but many of them don’t. That’s why the strong data protection needs to go beyond just asking for consent. It should protect people and hold those who handle data truly accountable.
The next step is to embrace the principle of purpose limitation. The data gathered for one reason shouldn’t be used for something else without clear informed consent. However in the Indian context such safeguards are quite weak. The DPDP Act, 2023 mentions the purpose limitation but since it lacks the proper detailing it becomes a formality than a safeguard. The risk is that the data fiduciaries may hide behind the vague and broad consent terms to justify using the people’s data for the things they never agreed to and all of which goes beyond the things they were signing up for.
To achieve proper accountability to rely on voluntary compliance is not sufficient the legal obligations must direct the conduct of the data fiduciaries. The DPDP Act provides the definition of data fiduciaries and significant data fiduciaries but these classifications are not sufficient in the absence of user focused framework. While consent is significant but it can not stand alone, it needs to be backed up by privacy systems, proper audit trails and full transparency especially when it comes to sharing data to third parties. The data fiduciaries should have to prove that their actions are fair and necessary, responsibility for that should lie with them not with the users.
When it come to big or sensitive data it should be important to conduct data protection impact assessments. Also the data protection board should play an active role not just a reactive role in making sure the rules are followed.
6.Suggestions and recommendations
To strengthen the data protection under the DPDP Act need to move beyond the consent driven model that relies on the user. The consent is important but it can’t stand alone, , must be supplemented by the data fiduciaries for a stronger accountability measures. Mandatory Data Protection Impact Assessments (DPIAs) for high risk activities and enforcing the privacy by design principles to reduce the reliance on user vigilance.
The Data Protection Board of India must be given real authority not just in theory but also in practice too. It should be empowered to conduct audits, begin investigations on its own and issue binding rules. Organizations should be required to third party data sharing and maintain transparency offer grievance mechanisms.
India should invest in the digital literacy initiatives at a national level ensuring individuals know their rights and responsibilities of providing consent. Provisions to be made for algorithmic transparency and data minimization must also be prioritized to meet the challenges posed by AI.
In conclusion, a balanced framework combining consent, strong accountability, and a strong regulatory framework is important. Only with such a system India can ensure that the DPDP Act delivers the genuine protection not just theoretically.
Conclusion
Consent has served as the backbone of data protection but the evolving digital environment reveal its limitations. The DPDP Act, 2023 marks a progress in India’s privacy framework, but it relies on the notion that the users can safeguard themselves through the agreement alone. But in reality data protection needs more than checkbox agreements, it requires privacy to be systematically integrated into both the legal and technical systems. This means to hold data fiduciaries to higher levels, empowering oversight bodies and ensuring accessible for transparency and redress. As digital networks become complex dependence on consent alone is inadequate. India must embrace a right based model that combines informed consent with enforceable fiduciary duties with institutional safeguards. Only then can data privacy be transformed from theoretical to practical assurance for all.
References
- Digital Personal Data Protection Act, No. 22 of 2023, Acts of Parliament, 2023 (India).
- Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).
- Regulation (EU) 2016/679, General Data Protection Regulation, arts. 4(11), 7, 2016 O.J. (L 119) 1.
- California Consumer Privacy Act, Cal. Civ. Code § 1798.105 (West 2018).
- Mozilla Foundation, Is That Even Legal? – India (2024), https://www.mozillafoundation.org/en/research/library/is-that-even-legal/india/.
- Lawvs, Consent Fatigue and Data Protection Laws: Is ‘Informed Consent’ a Legal Fiction, Lawvs (July 20, 2025), https://lawvs.com/articles/consent-fatigue-and-data-protection-laws-is-informed-consent-a-legal-fiction
- Centre for Internet & Society, Internet Privacy in India, CIS-India (last visited July 23, 2025), https://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-indiate
Submitted by:
Vanshika Mann
BBA LLB
Gitarattan International Business School, GGSIPU