HR teams ask candidates and employees for consent all the time, but under the DPDP Act, 2023, casual consent no longer counts.
No more:
- “By submitting this form you agree…”
- Tick boxes hidden at the bottom
- Pre-selected checkboxes
If consent is not taken correctly, the organisation is non-compliant, even if the data collection itself was legitimate.
This guide explains what valid consent means under DPDP, specifically for HR use cases, with real examples you can copy.
What DPDP Means by “Consent”
Consent must be:
✔ Free – no pressure to accept
✔ Specific – tied to a clear purpose
✔ Informed – the person knows what they’re agreeing to
✔ Unambiguous – an active opt-in
✔ Revocable – person can withdraw easily
✔ Recorded – audit trail/proof maintained
If even one element is missing → consent is invalid.
What Makes Consent Invalid?
❌ bundled or blanket consent
❌ unclear purpose (“for company use”)
❌ consent required for employment when not legally needed
❌ consent assumed because candidate submitted documents
❌ auto-opt-ins
❌ difficult withdrawal process
❌ storing consent but not purpose
Reality Check for HR
Most non-compliance happens not because HR misuses data, but because:
- consent language is vague
- requests look operational instead of purpose-based
- withdrawal rights are not mentioned
- consent records are not stored
- data requested is more than needed
When Consent Is NOT Required
Consent should not be used where another lawful basis applies.
| Legal basis | HR use cases |
| --- | --- |
| Contractual necessity | joining docs for onboarding |
| Legal/statutory obligation | PF, PAN for payroll |
| Employment obligations | access cards, IT system logs |
| Legitimate interest w/ notice | CCTV signage for safety |
| Emergencies | medical emergency data |
Reason: If refusal isn’t truly allowed, consent becomes meaningless.
Valid Consent in HR Examples
Below are real situations HR teams face and how to fix consent properly.
1. Background Verification (BGV)
❌ invalid phrasing:
By continuing with employment, you consent to all background checks.
✔ valid consent:
We request your consent to collect and verify your employment history and identity documents solely for mandatory background verification.
You may withdraw consent anytime before verification completion.
What HR must store:
- timestamp
- consent text version
- employee/candidate identifier
2. Collecting Aadhaar / PAN
DPDP flags Aadhaar as high-risk personal data.
Consent must:
- explain why Aadhaar is necessary
- offer an alternative if possible
✔ valid consent example:
We require PAN for payroll and taxation compliance. Aadhaar is requested only if required by law for verification. You may provide an alternative ID where permissible.
3. CCTV Monitoring in Office Premises
Consent must specify:
- purpose
- coverage
- retention period
- withdrawal limits
✔ valid consent:
CCTV cameras operate in common spaces for safety and compliance. Footage is retained for 30 days unless required for investigation.
4. Employee Wellness / Medical Data
Medical data is highly sensitive.
❌ invalid consent:
We may request medical documents for administrative use.
✔ valid consent:
We request your explicit consent to collect medical fitness documents solely for statutory compliance related to workplace safety.
Valid vs Invalid Consent Examples (Comparison Table)
| Purpose | Invalid wording | Valid wording |
| --- | --- | --- |
| BGV | “you agree to background checks.” | “verify identity/employment history only for background verification.” |
| Payroll | “bank details for HR use” | “bank details solely for payroll + statutory audit periods” |
| Aadhaar | “submit Aadhaar” | “Aadhaar only if legally required, PAN alternative available.” |
| CCTV | “premises are monitored” | “CCTV in common areas retained 30 days unless investigation.” |
What HR Must Record When Collecting Consent
✔ Store versioned consent text
✔ Maintain timestamps for each consent action
✔ Separate consent storage from employee folders
✔ Maintain expiry/duration of consent
✔ Track withdrawal requests
Even digital checkboxes must be linked to audit logs.
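As an added illustration of the record-keeping these points describe (this is example code, not part of the guide or any particular HR system): a minimal consent ledger that versions the exact wording shown, timestamps each opt-in and withdrawal, keeps one record per purpose so consent cannot be bundled, stores purpose, retention and withdrawal method alongside the consent, and refuses the invalid patterns listed earlier. The class and field names, the vague-purpose list and the sample identifiers are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Purpose wordings the guide lists as too vague to count as a "specific purpose".
VAGUE_PURPOSES = {"for company use", "for hr use", "administrative use", "all background checks"}
def text_version(wording: str) -> str:
    """Version the exact wording shown to the person by hashing it (first 16 hex chars)."""
    return hashlib.sha256(wording.strip().encode("utf-8")).hexdigest()[:16]
@dataclass
class ConsentRecord:
    subject_id: str         # employee/candidate identifier
    purpose: str            # exactly one purpose per record, so consent cannot be bundled
    data_items: tuple       # what is collected for that purpose
    retention: str          # stated retention, e.g. "until payroll audit period lapses"
    withdrawal_method: str  # how the person can withdraw
    text_version: str       # hash of the wording actually shown
    given_at: str           # ISO-8601 UTC timestamp of the active opt-in
    withdrawn_at: Optional[str] = None

class ConsentLedger:
    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []  # append-only, kept apart from the employee folder

    def record(self, subject_id, wording, *, purpose, data_items, retention,
               withdrawal_method, active_opt_in) -> ConsentRecord:
        # Each check corresponds to one invalidity condition listed in the guide.
        if not active_opt_in:
            raise ValueError("pre-ticked or implied consent is not an active opt-in")
        if not purpose or purpose.strip().lower() in VAGUE_PURPOSES:
            raise ValueError("purpose must be specific, not blanket")
        if not (retention and withdrawal_method):
            raise ValueError("retention and withdrawal method must be stated")
        rec = ConsentRecord(subject_id, purpose, tuple(data_items), retention, withdrawal_method,
                            text_version(wording), datetime.now(timezone.utc).isoformat())
        self._records.append(rec)
        return rec

    def proof(self, subject_id, purpose) -> Optional[ConsentRecord]:
        # Live (not withdrawn) consent for this subject and purpose, or None.
        live = [r for r in self._records if r.subject_id == subject_id
                and r.purpose == purpose and r.withdrawn_at is None]
        return live[-1] if live else None

    def withdraw(self, subject_id, purpose) -> bool:
        # Mark the live consent withdrawn; False means there was nothing to withdraw.
        rec = self.proof(subject_id, purpose)
        if rec is not None:
            rec.withdrawn_at = datetime.now(timezone.utc).isoformat()
        return rec is not None
```

A deletion request can then be answered from `proof()` alone, which is exactly what the firm in the case story below could not do with a single blanket checkbox.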
Retention + Consent Link (Full lifecycle)
Consent applies only for the period necessary.
Suggested retention limits commonly adopted by compliant companies:
| Data | Typical retention |
| --- | --- |
| BGV docs | until verification completion |
| Candidate CV (rejected) | 3–6 months |
| Payroll records | statutory requirement period |
| CCTV | 30–45 days |
| Access logs | 90 days |
| Medical docs | statutory compliance period |
No purpose = delete.
Consent Decision Flow for HR
Step 1: Is it legally required?
→ Yes → no consent required
Step 2: Is it contractually necessary?
→ Yes → no consent required
Step 3: Is it optional?
→ Yes → consent required
Step 4: If none of the above applies
→ do not collect data
Mini Compliance Case Story
A 500-employee IT firm collected Aadhaar + PAN + voter ID during onboarding using a single blanket consent checkbox.
Later, an employee requested Aadhaar deletion.
The organisation couldn’t track separate consent proof.
An official complaint led to:
- compliance warning
- forced deletion of Aadhaar archives
- retraining of TA staff
- vendor contract amendments
The cost of remediation was 6x higher than doing consent versioning properly upfront.
How to Ask for Consent the Right Way
Sample language HR can use:
We request your consent to collect the following personal data for the purposes described below.
- Purpose: payroll processing
- Data: bank account details
- Retention: until statutory payroll audit periods lapse
- Rights: you may withdraw consent or request correction anytime
✔ active opt-in required
Quick Checklist for HR Teams Before Asking for Consent
☑ Is consent required legally?
☑ Is purpose specific?
☑ Can consent be withdrawn meaningfully?
☑ Is retention defined?
☑ Do we have proof?
Any “no” means consent is invalid.
Downloadable Consent Template (Copy-Paste Ready)
Employee/Candidate Consent Form – DPDP Compliant
I consent to the collection and processing of the personal data listed below strictly for the stated purposes.
- Purpose: __________________________
- Data requested: ____________________
- Retention duration: ________________
- Withdrawal method: _________________
I understand that:
- Consent is voluntary where legally applicable
- I may withdraw anytime
- Data will be deleted once its purpose ends
Signature/checkbox: _______
Name/Employee ID: ________
Date/time: ________________
Final Message: Consent Is Not a Formality
For HR teams under DPDP, valid consent is:
- a compliance shield
- a trust builder
- a legal obligation
It protects the employee, and protects the organisation from penalties.
Strong consent practices = fewer risks + cleaner documentation habits.