INTRODUCTION
The increasing reliance on digital interactions has made it essential to establish a framework for the legitimate processing of personal data. The Digital Personal Data Protection Act, 2023, prioritises consent as a crucial aspect of data protection. In data privacy, the term ‘consent’ refers to an individual’s voluntary and informed agreement to allow an organisation or principal data collector to use or share their data.[1]. However, the frequent requests for consent can lead to ‘consent fatigue’, a phenomenon where users become desensitised and indifferent to data collection practices. They often overlook the terms, notices and checkboxes by hastily providing consent without fully understanding the implications.
Researchers have found that an individual would take 76 work days per year to read all of the privacy policies they encounter[2]. The European Commission’s 2023 Cookie Pledge Project has identified “consent fatigue” as an obstacle to meaningful privacy choice.[3]
USER CONSENT AND THE DPDP ACT 2023
The Digital Personal Data Protection Act 2023 (DPDP Act)[4] It is India’s first data protection law. It draws inspiration from the European Union’s General Data Protection Regulation, commonly referred to as the GDPR. Section 6(1) of the DPDP Act states the principles of a valid consent from the user to be free, specific, informed, unconditional and unambiguous, with a clear affirmative action from the principal user for a specified purpose. In simple terms, the users must actively proceed without the consent being bundled with irrelevant data collection. Data fiduciaries (organisations/government agencies) must give clear notice in plain language before seeking consent, and they must also give clear instructions to the users on how to withdraw consent at any time.
GDPR[5] Has several other alternatives to consent, like Legitimate interests or contractual necessity; however, India’s law does not provide open-ended alternatives to consent. While Section 7 of the DPDP Act allows only certain legitimate users, allowing data fiduciaries to process personal data without explicit consent, like government services, medical emergencies and public-interest purposes. For the private sector, distinct affirmative consent is mandatory as specified under Section 6(1) of the Act. The concept of” Consent Managers” is specified under Section 6(7) of the DPDP Act and Rule 4 of the DPDP Rules 2025[6]These managers are registered intermediaries enabling the users to have a single point of access to grant, review and withdraw consent across various services. A consent manager hosts a dashboard where users can manage permissions to apps, e-commerce sites, banks, etc, by centralising consent in one place.
ACT’S IMPACT ON CONSENT FATIGUE
The DPDP Act has a heavy emphasis on consent without a narrow exception, creating a rigid mechanism for data fiduciaries, where they are likely to interrupt users with repeated prompts to get permission, even for routine functions.[7]. In India, there are over 950 million internet users, and the default consent approach could easily result in consent fatigue in the current digital population.[8] Conversely, the Act also includes mechanisms to mitigate fatigue. The consent managers, if implemented properly, could spare the users from separate consent prompts on every site, allowing centralised review of all existing permissions. The user can also revoke any consent, providing a safeguard for accidental or outdated consents piling up.
However, in practice, the consent manager dashboards could become cluttered and confusing. The legislation does not provide explicit provisions regarding dark patterns, which include deceptive or manipulative designs that are not transparently used in the user interface (UI) or user experiences (UX) that influence users’ decisions.
JUDICIAL ESTABLISHMENTS
In the case of Justice K.S. Puttaswamy v Union of India and Ors [9] The court established privacy as a fundamental right under Article 21 of the Constitution in the context of increasing concerns over privacy and data protection, although this judgment did not directly rule on digital consent, but emphasised that informational privacy and personal autonomy are fundamental to personal dignity, and individuals have the right to control their personal data to make informed decisions about its use.
Additionally, the Court of Justice of the EU in Planet49[10] Held that pre-checked cookie consent boxes do not constitute a valid consent. The court held that a mere pre-selection cannot portray the user’s affirmative action, and mandating clear information on cookie duration and third-party access to valid consent. The GDPR framework demands that consent should be free and informed, unlike fatigued users.
RECOMMENDATIONS AND REFORMS
Tackling consent fatigue while protecting user privacy requires a multi-faceted approach, which includes:
Alternative Legal Bases: India could loosen the strict consent requirements and adopt a ‘legitimate interests’ as practised in the EU, subject to a balancing test which assesses the potential risks and competing individual interests, rights and freedoms relating to a processing operation and define measures to mitigate the risks.[11] This would reduce the number of trivial consent requests while still providing transparency, as it documents the outcome of legitimate interest assessment and allows users to object to the processing of their personal data at any time.
Clear and Layered Consent Notices[12]: The consent notices should use concise language and a layered design where the most important details, like purpose, rights, terms and datatypes, should be presented prominently at the outset with optional links for more details. This helps users by providing visual cues for critical information that is immediately visible.
Strengthen Consent Managers: The Consent Managers system should:
- Standardise the technical framework so that every service can integrate
- Present a unified interface, like dashboards, alerts and a one-step revocation process
- Audit them to prevent conflicts of interest
If these functions are executed properly, such dashboards can reduce fatigue. Once the user gives access to the data to use a service, that permission could be stored and recalled rather than requesting access frequently. Additionally, these consent managers must maintain security and unreadable data-transfer mechanisms while keeping records of consent activity.[13].
Minimise Data Collection By default, and Educate the Users: Organisations should collect only the personal data they require to provide the service, thereby reducing consent prompts. Under the GDPR, this mechanism is reflected in the principle of data minimisation enshrined in Article 5(1)(c)[14]. This limitation means that there are fewer categories of processing, which involves fewer consent checkboxes, adopting data protection by design rather than a default mechanism. They should also empower users with knowledge and safety nets, and provide awareness campaigns to teach individuals to manage their consents and review their permissions. Data fiduciaries can be encouraged to use privacy-friendly defaults where there is minimal data collection until additional features have been explicitly requested by the user.
CONCLUSION
Consent fatigue weakens user autonomy and the very purpose of privacy; instead of empowering individuals, these frequent consent prompts and demands overwhelm them, which leads to thoughtless clicks giving access to their personal data. A balanced approach should be followed to maintain transparency without flooding users with consent notices, which will promote trust among the digital population, ensuring meaningful data sovereignty for all.
Author(s) Name: M Jananiya (Kristu Jayanti College of Law)
References
[1] Prashant Mali, ‘Understanding consent under DPDP Act’, (DPDPA.com, 18 November 2024)
<https://dpdpa.com/blogs/consentunderdpdpa.html>accessed 17 December 2025
[2] Policy Report ‘Limitations of Consent as a Legal Basis for Data Processing’, (Centre for Information Policy Leadership (CIPL), 1 December 2024) 10
<https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl_bkl_limitations_of_consent_legal_basis_data_processing_dec24.pdf> accessed 17 December 2025
[3] Directorate General for Communication ‘Cookie Pledge’, (European Commission, 8 November 2024)
<https://commission.europa.eu> accessed 18 December 2025
[4] The Digital Personal Data Protection Act 2023 s 6
[5] General Data Protection Regulation 2016 OJ L 127, art 6(1)(f)
[6] The Digital Personal Data Protection Rules 2025, r 4
[7] Lisa P. Lukose, ‘Data Protection in Light of the DPDP Act, 2023’, (Research Gate, 2025) 12 para 2
<https://www.researchgate.net/publication> accessed 4 January 2026
[8] Sindhu Vissamsetti, ‘Making Consent Work: Consent Management Design Under the DPDP Act 2023’,(Cyber Peace, 15 November 2025)
<https://cyberpeace.org/resources/blogs> accessed 18 December 2025
[9] Justice K.S. Puttaswamy v Union of India (2017) 10 SCC 1
[10] Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH (2019) C-673/17
[11] Policy Report ‘Limitations of Consent as a Legal Basis for Data Processing’, (Centre for Information Policy Leadership (CIPL), 1 December 2024), p. 13
<https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl_bkl_limitations_of_consent_legal_basis_data_processing_dec24.pdf> accessed 17 December 2025
[12] The DPDP Act 2023, s 6(3)
[13] Prabhanu Kumar Das, ‘Obligations, Role, and Requirements of Consent Managers as per DPDP Rules 2025’, (14 November 2025)
<https://www.medianama.com/2025/11/223-explained-obligations-role-requirements-consent-managers-dpdp-rules-2025> accessed 18 December 2025
[14] General Data Protection Regulation 2016 OJ L 127, art 5(1)(c)
