Consent Expiry and Refresh Rules Under DPDP: What to Build and Why

With the Digital Personal Data Protection Act, 2023 (DPDPA) and the DPDP Rules, 2025 officially in force, businesses in India must rethink how they manage user consent not just for collection, but for how long it remains valid and when it must be refreshed.
While earlier regimes like the GDPR had clearly defined expiry terms, India's DPDP framework takes a slightly different approach. The DPDP Act emphasises purpose limitation, verifiability, and renewal in case of change, rather than arbitrary expiry periods.
What the DPDP Act Says About Consent Validity
Under Section 6 of the DPDP Act, consent must be:
- Free, specific, informed, unambiguous, and with clear affirmative action
- Tied to a specific purpose (purpose limitation)
- Withdrawable at any time by the Data Principal
Once consent is obtained for a stated purpose, it does not automatically expire, but it cannot be used for new purposes or beyond what was initially described.
That’s where refresh comes in.
When Does Consent Need to Be Refreshed?
The DPDP Act and Rules 2025 don’t mandate a blanket expiry timeline, but consent must be refreshed or re-obtained in these cases:
1. Change in Purpose of Data Processing
If you begin processing personal data for a new purpose not originally disclosed, fresh consent is mandatory.
2. Major Changes in Privacy Policy or Notice
A change in terms that materially affects how personal data is handled (e.g., new data sharing partners, AI profiling, overseas transfers) requires updated consent.
3. Data Retention Expiry
Under Rule 12, data must be erased when the purpose is complete or retention is no longer required. If you wish to continue storing or using that data, you must re-seek consent.
4. Extended Inactivity
Though not explicitly defined, long periods of user inactivity may require consent reconfirmation, especially in sectors such as fintech, healthtech, and edtech where data sensitivity is high.
What You Need to Build for Consent Expiry & Refresh
To stay compliant (and audit-ready), here’s what businesses should build into their data and consent infrastructure:
1. Consent Lifecycle Tracker
Maintain a real-time system that monitors consent status: when it was collected, what it was for, and whether any changes have invalidated it.
2. Dynamic Consent UI
Consent banners and notices should support modular refresh prompts based on activity, usage changes, or data policy updates.
3. Automated Re-consent Triggers
Trigger a refresh process when:
- The privacy policy changes
- Data is used for additional services
- Legal timelines require data to be revalidated
4. Erasure Timers
Use automated expiration logic to delete or anonymize personal data once its purpose is fulfilled, unless refreshed consent is obtained.
5. Audit-Ready Consent Logs
Keep timestamped records of original and refreshed consents, including versioned privacy notices and purposes. This is critical to demonstrate verifiability under Rule 6.
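As an added illustration of the lifecycle tracker, re-consent triggers, erasure timer and audit log described in the five items above (example code written for this article, not Blutic's product and not logic the Act or Rules prescribe), the Python below evaluates a stored consent against a requested purpose, the current notice version, a retention period and an inactivity window, and appends every refresh to a timestamped log. The field names, the 365-day retention and the 180-day inactivity window are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Consent:
    principal_id: str
    purpose: str             # the single, specific purpose this consent covers
    notice_version: int      # version of the privacy notice shown when it was collected
    collected_at: datetime
    last_activity_at: datetime
    withdrawn: bool = False
@dataclass
class Policy:
    current_notice_version: int
    retention: timedelta         # erasure timer for this purpose (Rule 12)
    inactivity_limit: timedelta  # assumed sector-specific reconfirmation window (not a statutory figure)
AUDIT_LOG: list[dict] = []       # append-only, timestamped; in-memory for the example

def log_event(event: str, c: Consent, at: datetime, **extra) -> None:
    AUDIT_LOG.append({"at": at.isoformat(), "event": event, "principal": c.principal_id,
                      "purpose": c.purpose, "notice_version": c.notice_version, **extra})

def refresh_reason(c: Consent, requested_purpose: str, policy: Policy, now: datetime):
    """None if the consent still covers the request; otherwise the trigger that invalidates it."""
    if c.withdrawn:
        return "withdrawn"
    if requested_purpose != c.purpose:
        return "purpose_change"          # new purpose: fresh consent is mandatory
    if c.notice_version != policy.current_notice_version:
        return "notice_change"           # material change in the privacy notice
    if now - c.collected_at >= policy.retention:
        return "retention_expired"       # erase, or re-seek consent to keep the data
    if now - c.last_activity_at >= policy.inactivity_limit:
        return "inactivity"
    return None

def refresh_consent(old: Consent, purpose: str, policy: Policy, now: datetime) -> Consent:
    """Record a fresh consent bound to the current notice; the old record stays in the log."""
    new = Consent(old.principal_id, purpose, policy.current_notice_version, now, now)
    log_event("consent_refreshed", new, now, supersedes=old.collected_at.isoformat())
    return new

def erasure_due(c: Consent, policy: Policy, now: datetime) -> bool:
    """Erasure timer: data must go once the retention period has run without refreshed consent."""
    return now - c.collected_at >= policy.retention

# Constructed sample clock and policy for the example (values are assumptions)
T0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
def day(n: int) -> datetime:
    return T0 + timedelta(days=n)
POLICY = Policy(current_notice_version=2, retention=timedelta(days=365), inactivity_limit=timedelta(days=180))
```

In a real deployment the log would be written to durable, tamper-evident storage and the retention and inactivity windows set per purpose rather than as a single policy.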
Legal Risks of Not Refreshing Consent
Failure to refresh consent when required can lead to violations under:
- Section 6(5) – Using data without valid purpose-specific consent
- Section 33(a) – Processing personal data in violation of declared purpose
- Rule 13 – Denial of data principal rights like erasure
- Penalty risk – Fines up to ₹250 crore for non-compliance
How Blutic Helps You Manage Consent Refresh
Blutic is designed for businesses looking to meet India's privacy regulations without over-engineering.
With Blutic, you can:
- Track the entire consent lifecycle from collection to expiry to refresh
- Set auto-triggers for re-consent based on user inactivity or policy changes
- Log consent updates with timestamped version control
- Integrate expiry-based erasure APIs to remain Rule 12-compliant
- Stay updated with evolving DPDP compliance requirements
Whether you're a startup or a large enterprise, Blutic helps you stay compliant without manual overhead.

