What challenges arise from the withdrawal of consent under the DPDP Act?
Under the DPDP Act, consent must be free, specific, informed, unconditional, and unambiguous. Just as individuals can give consent, they also have the right to withdraw it at any time. Importantly, withdrawing consent should be as easy as giving it.
The DPDP Act, 2023, introduces a consent-driven data framework. Central to this is the right of individuals (Data Principals) to withdraw consent at any time. This right increases personal control, but presents complex operational challenges for organisations (Data Fiduciaries). Recognising these realities is vital for successful compliance.
Once consent is withdrawn, the Data Fiduciary must stop processing personal data for the purpose for which consent was originally obtained, unless another legal ground allows continued processing.
Key Legal Implications
Withdrawal of consent has immediate legal consequences:
- The organisation must cease processing the relevant personal data.
- The data may need to be deleted unless retention is required by law.
- The organisation must ensure that downstream processors also stop processing the data.
- The withdrawal should not affect the legality of processing done before the withdrawal.
This creates a strong obligation on organisations to design systems that can respond quickly and accurately to such requests.
While the idea may seem simple, putting it into practice is not straightforward. Organisations face several operational challenges when implementing it.
1. Identifying and Mapping Data
One of the main challenges is finding all the places where a Data Principal’s data is stored. In large organisations, personal data is usually spread across different systems, such as databases, applications, backups, and even third-party systems/vendors.
Without proper data mapping and tracking:
- It becomes hard to know exactly where the data is stored.
- Some data may not be deleted completely or may still be used.
- This can lead to unintentional non-compliance.
To address this, organisations need to use data discovery tools and keep their data records up to date.
2. Third-Party and Vendor Management
Many organisations depend on third parties such as vendors, service providers, and cloud platforms to handle personal data.
Some common challenges are:
- Informing all relevant third parties when consent is withdrawn.
- Making sure vendors take action quickly and correctly.
- Keeping track of and checking whether vendors are following the rules.
Although contracts can clearly state what vendors must do when consent is withdrawn, ensuring this happens properly and on time is still difficult in practice.
3. Data Retention vs. Legal Obligations
Sometimes, organisations are required by law to retain certain data for a specific period, such as for tax purposes, regulatory compliance, or dispute resolution.
This creates a conflict:
- The Data Principal asks for their data to be deleted after withdrawing consent.
- The organisation is legally required to keep that data.
To manage this situation:
- Organisations should clearly inform users of such exceptions.
- The data should be stored safely or archived instead of being actively used.
- Proper reasons and records should be maintained to justify why the data is retained.
4. Impact on Business Operations
When consent is withdrawn, it can directly affect how a business operates, especially in areas like marketing, customer analysis, and personalised services.
For example:
- If a user withdraws consent for marketing, they must be removed from campaigns immediately.
- If their data is removed, analytics systems may need to be updated or adjusted.
This means organisations need to update their systems quickly and in real time, which can require significant time, effort, and resources.
5. Technological Limitations
Many organisations face challenges because their IT systems are old and not built with privacy in mind. In such systems:
- Data is stored in separate systems that do not easily connect.
- It is difficult to delete or update data.
- Handling requests often requires manual intervention.
Because of this, processing a consent withdrawal request can be slow and prone to errors. For example, a system may allow a user account to be deactivated but may not support the complete deletion of all related data.
To address these issues, organisations need to upgrade their systems and incorporate privacy features such as automatic data deletion, robust consent tracking, and improved cross-system integration.
6. Real-Time Processing and System Synchronisation
In today’s digital systems, especially in areas like e-commerce, fintech, and online advertising, personal data is used continuously. This includes activities such as:
- Tracking user behaviour
- Giving personalised recommendations
- Detecting fraud
When a person withdraws consent, the expectation is that all data processing should stop immediately. However, this is difficult because:
- Systems may take time to update.
- Some processes run in batches rather than in real time.
- Different systems may not communicate quickly due to technical limitations.
Because of these issues, data may still be processed even after consent is withdrawn, leading to compliance problems.
To avoid this, organisations should design systems that can respond quickly, using near-real-time or event-based processes so that consent changes are applied without delay.
7. Identity Verification and Fraud Risks
Before processing a consent withdrawal request, organisations must confirm that the request is coming from the correct person. This is important to prevent misuse. However, this creates a challenge:
- If verification is too strict, genuine users may face delays or inconvenience.
- If verification is too weak, fraudsters may misuse the system and request the deletion of someone else’s data.
This issue is especially important in sectors like banking and telecom, where personal data is highly sensitive.
To manage this risk, organisations can use a layered approach to verification, such as OTPs, login-based checks, or authentication tokens. This helps maintain both security and user convenience.
8. Auditability and Regulatory Scrutiny
Under the DPDP framework, organisations must be able to prove that they are following the law if regulators ask. This means they need to:
- Keep clear records of all withdrawal requests
- Record what actions were taken (such as stopping data use, deleting data, or informing vendors)
- Track timelines and how systems responded
If proper records are not maintained, organisations may face penalties even if they handled the withdrawal request correctly.
Therefore, keeping proper documentation is just as important as taking the right action.
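The following Python sketch is an added example, not code from the article or from any DPDP compliance tool, and ties together three of the points above: the retention-versus-deletion conflict (section 3), event-based propagation of a withdrawal to downstream processors (section 6), and the audit trail regulators may ask for (section 8). The purposes, the retention-hold table and the subscribed processor are constructed for illustration; a real retention period and its legal basis come from the applicable statute, not from code. The sketch assumes the requester's identity has already been verified (section 7) before `withdraw` is called.

```python
"""Consent registry sketch: withdrawal, downstream propagation, retention hold, audit trail."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical processing purposes, constructed for this example.
PURPOSE_MARKETING = "marketing"
PURPOSE_ANALYTICS = "analytics"
PURPOSE_TAX = "tax_records"

# Purposes where a statutory retention duty overrides deletion (constructed example;
# the real period and legal ground come from the applicable law, not from this table).
LEGAL_RETENTION_HOLDS = {PURPOSE_TAX: "statutory record-keeping"}


@dataclass
class ConsentRegistry:
    # principal_id -> set of purposes the Data Principal currently consents to
    consents: dict = field(default_factory=dict)
    # downstream processors (vendor adapters, internal services) told about withdrawals
    subscribers: list = field(default_factory=list)
    # append-only audit trail: what was done, for whom, and when
    audit_log: list = field(default_factory=list)

    def _log(self, principal_id, event, **details):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "principal": principal_id,
            "event": event,
            **details,
        })

    def grant(self, principal_id, purpose):
        """Record consent for one specific purpose."""
        self.consents.setdefault(principal_id, set()).add(purpose)
        self._log(principal_id, "consent_granted", purpose=purpose)

    def subscribe(self, processor_name, handler):
        """Register a processor that must stop when consent for a purpose is withdrawn.
        handler(principal_id, purpose) returns an acknowledgement string that is audited."""
        self.subscribers.append((processor_name, handler))

    def may_process(self, principal_id, purpose):
        """Gate every processing step: allowed only under live consent or another legal ground."""
        if purpose in LEGAL_RETENTION_HOLDS:
            return True
        return purpose in self.consents.get(principal_id, set())

    def withdraw(self, principal_id, purpose):
        """Handle a verified withdrawal: stop processing, notify processors, delete or archive."""
        purposes = self.consents.get(principal_id, set())
        if purpose not in purposes:
            self._log(principal_id, "withdrawal_noop", purpose=purpose)
            return {"status": "no_active_consent"}
        purposes.discard(purpose)
        self._log(principal_id, "consent_withdrawn", purpose=purpose)

        # Event-based propagation: every subscriber is notified and its acknowledgement recorded,
        # so the audit trail shows which downstream systems stopped and when.
        acks = {}
        for name, handler in self.subscribers:
            acks[name] = handler(principal_id, purpose)
            self._log(principal_id, "processor_notified", processor=name, ack=acks[name])

        # Retention conflict: archive with a documented reason instead of deleting.
        if purpose in LEGAL_RETENTION_HOLDS:
            action = "archived"
            self._log(principal_id, "data_archived", purpose=purpose,
                      reason=LEGAL_RETENTION_HOLDS[purpose])
        else:
            action = "deleted"
            self._log(principal_id, "data_deleted", purpose=purpose)
        return {"status": "withdrawn", "action": action, "processor_acks": acks}


if __name__ == "__main__":
    registry = ConsentRegistry()
    registry.grant("principal-1", PURPOSE_MARKETING)
    registry.grant("principal-1", PURPOSE_TAX)
    registry.subscribe("email_vendor", lambda pid, purpose: "stopped")
    print(registry.withdraw("principal-1", PURPOSE_MARKETING))
    print(registry.withdraw("principal-1", PURPOSE_TAX))
    for entry in registry.audit_log:
        print(entry)
```

The design point is that `may_process` is the single gate every batch job and real-time pipeline consults, so a withdrawal takes effect the moment the registry changes rather than when the next batch runs; the audit entries written by `withdraw` are the records section 8 describes, including processor acknowledgements and the documented reason for any retention-based archive.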
9. User Awareness and Communication Gaps
A common issue for organisations is that users often do not clearly understand:
- How they can withdraw their consent
- What happens after they withdraw consent
- Which data will be deleted and which may still be retained
When this information is not communicated properly:
- Users may file unnecessary complaints
- The organisation’s reputation may be affected
- Complaints to regulatory authorities may increase
To avoid these problems, organisations should:
- Provide clear and easy-to-understand privacy notices
- Offer simple dashboards or settings for managing consent
- Clearly explain what happens when consent is withdrawn and any limitations involved
This helps users make informed decisions and reduces confusion and disputes.
10. Organisational Readiness and Training
Handling withdrawal of consent is not only a technical task. It requires coordination between different teams, such as:
- Legal
- IT
- Customer support
- Compliance
If employees are not properly trained:
- Requests may be handled incorrectly
- There may be delays in processing
- Users may receive different or conflicting responses
To manage this effectively, organisations should:
- Conduct regular training for all relevant teams
- Set clear internal processes and responsibilities
This ensures that everyone understands their role and handles withdrawal requests in a consistent and timely manner.
Conclusion
The right to withdraw consent under the DPDP Act, 2023, represents a profound shift in the power balance between individuals and organisations. While it empowers Data Principals, it also creates practical complexities that organisations must address to uphold compliance.
These challenges are multi-dimensional. They include issues related to technology, tracking of data, managing third-party vendors, legal requirements, and handling requests promptly. What seems like a simple right for users actually requires strong coordination between systems, processes, and teams within an organisation.
To deal with these challenges effectively, organisations should take a broader approach to privacy management. This includes:
- Using advanced systems to manage consent
- Maintaining clear and accurate records of where data is stored
- Improving contracts and monitoring of third-party vendors
- Designing systems with privacy in mind from the beginning (privacy by design)
- Providing regular training and awareness to employees
Organisations that take these steps will not only meet legal requirements but also build trust with users and improve their overall data management practices in the long run.