Legacy Notice | Collecting Legacy Content Under DPDPA
India’s DPDP Act makes legacy data a compliance hurdle. Learn to manage transition notices, build defensible audit trails, and understand why a Consent Manager is a vital risk-containment tool for your existing database.
As India’s Digital Personal Data Protection (DPDP) Act moves from intent to enforcement, many organisations are discovering that the most complex compliance questions are not about future users; they are about the past.
In this blog, we examine why implementing a Consent Manager sooner rather than later is not merely a compliance exercise, but a risk-containment decision.
At the centre of this discussion lies a deceptively simple question:
How do you deal with legacy notices?
When to Implement a Consent Manager
As organisations accelerate alignment with the DPDP Act, 2023, a recurring concern continues to surface across boardrooms, product teams, and compliance functions:
“What do we do about the data of users we already have?”
Designing consent flows for new users is comparatively straightforward. The real complexity lies with millions of existing customers whose personal data already resides within organisational systems collected under earlier legal frameworks, older privacy notices, or implied consent models.
This is where most compliance strategies begin to fray.
The Legacy Data Challenge
Section 5(2) of the DPDP Act establishes a transitional framework for personal data collected before the Act’s commencement.
Organisations are allowed to continue processing personal data they collected before the commencement of the Act if the individual's consent was obtained at the time of collection or at any time before the commencement date.
In such cases, organisations do not need to retake consent under the Act as long as a Notice is issued to the affected Data Principals.
At a minimum, this Notice must clearly and transparently communicate:
- The Description: What categories of personal data are currently held
- The Purpose: The specific purposes for which that data is being processed
- The Rights: How the Data Principal may exercise statutory rights, including consent withdrawal and grievance redressal
This requirement is typically fulfilled through a legacy notice.
The challenge is how to do so in a manner that is defensible, auditable, and operationally scalable.
A Practical Framework for Implementing Legacy Notices Using CoTrust
Step 1: Delivery - The First Contact

The Notice should be delivered through an effective and direct channel, typically the medium most frequently used to engage the user, such as email, WhatsApp, or an in-app notification.
Ideally, this can be a standalone communication. However, the intent must be unmistakable: this is a data protection notice issued in fulfilment of statutory obligations.
Step 2: The Notice Interface

The Notice can lead users to a dedicated privacy landing page designed solely to satisfy the requirements of Section 5(2).
This interface presents information in a clear, personalised manner, and includes:
- An itemised view of personal data held (for example: name, contact details, identity information, transaction or loan history)
- A plain-language explanation of processing purposes
- A clear articulation of user rights, including grievance redressal and consent withdrawal mechanisms, as well as the manner in which a complaint may be made to the Data Protection Board
Generic or static privacy policies may be insufficient to demonstrate compliance with the provisions.
Step 3: The User’s Decision
At the conclusion of the Notice, the Data Principal should be presented with a clear and meaningful choice:
- Manage Preferences/Withdraw Consent: enabling granular control over non-essential processing
Where users choose to manage preferences, they must be able to withdraw consent for discretionary uses, such as marketing or profiling.
Step 4: The Audit Trail

Every stage of this process (delivery, access, acknowledgement, and preference changes) must be captured in an immutable, time-stamped audit trail.
This is not simply good hygiene. It is defensive infrastructure.
If a complaint is raised months later, before the Data Protection Board, alleging a lack of awareness or improper processing, the organisation must be able to demonstrate with evidence that:
- The notice was sent
- The notice was accessible
- The user had a genuine opportunity to act
- No withdrawal of consent was exercised
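The tamper-evident trail described in Step 4, as an added illustration that is not part of the original post or of any product it mentions: each notice event (delivery, access, withdrawal) is hash-chained to the previous record so that later edits, deletions or reordering are detectable, and the basis for continued processing is derived from the log rather than asserted. The principal identifier, channel, page path and purpose names are constructed placeholders; a production trail would also anchor the chain to an external time source or write-once store.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first record in a chain


def _digest(prev_hash: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so identical events always hash identically.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_event(log: list, principal: str, kind: str, detail: dict, ts: str) -> dict:
    """Append one audit record whose hash covers the previous record's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    event = {"principal": principal, "kind": kind, "detail": detail, "ts": ts}
    log.append({**event, "prev": prev, "hash": _digest(prev, event)})
    return log[-1]


def verify_chain(log: list) -> bool:
    """Recompute every hash; an edited, removed or reordered record breaks the chain."""
    prev = GENESIS
    for rec in log:
        event = {k: rec[k] for k in ("principal", "kind", "detail", "ts")}
        if rec["prev"] != prev or rec["hash"] != _digest(prev, event):
            return False
        prev = rec["hash"]
    return True


def processing_basis(log: list, principal: str, purpose: str) -> str:
    """'withdrawn' if the principal withdrew for this purpose, 'transitional' if the
    notice was delivered and the principal stayed silent, 'no_notice' otherwise."""
    delivered = withdrawn = False
    for rec in log:
        if rec["principal"] != principal:
            continue
        if rec["kind"] == "notice_delivered":
            delivered = True
        if rec["kind"] == "consent_withdrawn" and purpose in rec["detail"].get("purposes", []):
            withdrawn = True
    if withdrawn:
        return "withdrawn"
    return "transitional" if delivered else "no_notice"


def demo() -> list:
    """Constructed sample trail: notice sent, page opened, marketing consent withdrawn."""
    def ts(hour: int) -> str:
        return datetime(2025, 6, 1, hour, tzinfo=timezone.utc).isoformat()
    log = []
    append_event(log, "user-001", "notice_delivered", {"channel": "email"}, ts(9))
    append_event(log, "user-001", "notice_accessed", {"page": "/privacy/legacy"}, ts(10))
    append_event(log, "user-001", "consent_withdrawn", {"purposes": ["marketing"]}, ts(11))
    return log
```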
What if the User Does Nothing
If a Data Principal receives the legacy notice and takes no action, the organisation may continue processing the personal data for the stated purposes. However, this continuation rests on transitional grounds, not on fresh consent.
This distinction is critical.
Regulators are unlikely to assess compliance based solely on whether a notice was sent. They will examine whether the notice met contemporary standards of clarity, specificity, and accessibility as reflected in the DPDP framework and its accompanying Rules.
Many forms of historical consent that were obtained under earlier regimes may not meet today’s threshold of being free, informed, specific, and unambiguous.
As a result, legacy notices should be viewed as a risk-mitigation measure, not a permanent solution. For non-essential processing, particularly marketing, secondary analytics, or profiling, prudent organisations will move toward seeking explicit, affirmative consent over time rather than relying indefinitely on user inaction.
Finally, it bears emphasis that under the DPDP regime, the burden of proof sits squarely with the data fiduciary. User silence is not a defence. Only a demonstrable, well-designed notice process, supported by verifiable audit trails, provides protection.
In short, ignoring the message allows processing to continue but only within defined limits, and only for as long as the underlying notice remains legally and procedurally defensible.
Waiting for the DPDP Act and Rules to come into force may feel safe, but it is operationally risky. Compliance is not a last-minute switch; it is a capability built over time. Organisations that start today will be enforcement-ready, while others will be forced into reactive fixes.
This content is for informational and educational purposes only and does not constitute legal advice. Readers should consult qualified legal professionals for advice specific to their circumstances.