A Data Principal's unconditional right to withdraw previously given consent at any time with equal ease.
Under DPDPA Section 6(6), a Data Principal has the right to withdraw consent at any time. The withdrawal must be as easy as giving consent — if consent was given via a single click, withdrawal must be possible with equal simplicity. Upon withdrawal, the Data Fiduciary must cease processing within a reasonable period and erase the data unless retention is justified by another legal basis. The consequences of withdrawal must not be punitive.
Your consent widget must include a withdrawal mechanism that is equally prominent and accessible. If withdrawal is buried in settings or requires customer support contact while consent was one-click, you violate DPDPA.
A Mumbai OTT platform that obtained consent via a banner toggle must allow withdrawal via an equally accessible toggle — not a 5-step process through Account Settings > Privacy > Advanced > Request Withdrawal > Confirm via Email.
You cannot make consent withdrawal conditional on explaining "why" or impose a cooling-off period. The right is unconditional and immediate. You also cannot degrade service as punishment for withdrawal.
DPDPA Shield automates Consent Management. See how →