- This article explores what "valid consent" truly means under the DPDPA, highlights common pitfalls in insurance workflows, and outlines actionable steps insurers must take to remain compliant and build lasting customer trust.
- The Digital Personal Data Protection Act (DPDPA) introduces a transformative shift in how personal data is collected, stored, and used across sectors, including insurance. One of its core pillars—valid, informed consent—requires insurers to rethink their existing data practices. No longer can vague or bundled consents suffice.
1. The Legal Meaning of Consent Under DPDPA
Under the Digital Personal Data Protection Act (DPDPA) 2023, section 6(1), consent must be free, specific, informed, unconditional and unambiguous, given with a clear affirmative action, and it signifies agreement to processing for the specified purpose only, limited to the personal data necessary for that purpose. Implicit or passive acceptance does not meet this standard: silence, pre-ticked boxes, or inactivity do not qualify as consent under the DPDPA.
The DPDPA sets a high bar for consent, ensuring that individuals (data principals) retain full control over their data. The law mandates that consent must be:
- Free: The decision to give consent must be made voluntarily without coercion, pressure, or manipulation.
- Specific: Consent should be tied to a specific purpose. Blanket consent for multiple unrelated purposes is not valid.
- Informed: The data principal must be aware of what data is being collected, the purpose, the data fiduciary, and how the data will be processed.
- Unconditional: No service or benefit should be made conditional on the user giving consent for unrelated data processing.
- Unambiguous: There must be a clear, affirmative action from the individual indicating agreement.
In addition, the Act allows consent to be withdrawn at any time, and the ease of withdrawing must be comparable to the ease of giving it (section 6(4)). Withdrawal does not make earlier processing unlawful, and the consequences of withdrawing are borne by the data principal (section 6(5)), but the data fiduciary and its processors must stop processing the data within a reasonable time unless another law requires continued processing (section 6(6)). Data fiduciaries are responsible for enabling withdrawal without obstructing or penalizing the user.
The DPDPA also requires that the data principal be given the option to access the notice, and the consent request itself, in English or any language specified in the Eighth Schedule to the Constitution (sections 5(3) and 6(3)). The notice must be provided before or at the time of seeking consent and must state the personal data to be processed and its purpose, how the data principal can exercise their rights, and how to complain to the Data Protection Board of India.
2. How Consent Is Collected in Insurance—Where It Fails
In the Indian insurance sector, consent is often collected during application processes for life, health, vehicle, and other policies. This is typically done through lengthy policy documents or digital forms that include clauses for data usage. However, in practice, these methods often fall short of meeting the standards set by the DPDPA.
Common Failures in Consent Collection:
- Lack of Clarity: Consent forms are often buried within complex legal language that an average policyholder cannot easily understand. This fails the “informed” criterion under the DPDPA.
- Bundled Consent: Insurers frequently bundle consent for various data uses (such as marketing, third-party sharing, and analytics) into one checkbox. This violates the principle of “specific” consent.
- Pre-Ticked Boxes: In online portals or digital apps, many insurers use pre-selected checkboxes for data sharing, which contradicts the “affirmative action” requirement.
- Inaccessible Withdrawal Mechanisms: Policyholders often find it difficult or impossible to withdraw consent once given. There are no standardized, user-friendly systems for revoking consent.
- Conditional Services: Some insurers condition the availability of certain products or discounts on the user’s agreement to share personal data beyond what is necessary for providing the service.
Industry Practices vs. DPDPA Requirements
The insurance industry, while familiar with data protection obligations under IRDAI guidelines, often lags in implementing transparent consent protocols. The DPDPA imposes stricter obligations that insurers must now align with, such as providing granular opt-in choices per purpose and offering the notice and consent request in English or any Eighth Schedule language.
For instance, the DPDPA does not carve out a separate category of sensitive personal data, but its purpose and necessity limits bite hardest on health and biometric data collected for underwriting: a consent obtained for underwriting does not extend to analytics or cross-selling, and current consent practices often overlook this. In some cases, third-party agents collect data without fully disclosing its purpose, leading to data sharing that was never validly consented to.
To align with DPDPA, insurers must revisit their consent architecture, from how forms are designed to how customer permissions are tracked. Failure to do so could not only erode trust but also invite penalties under the DPDPA.
3. Consequences of Improper Data Processing
Legal and Regulatory Risks
- Penalties: The Data Protection Board of India can impose monetary penalties after an inquiry. The highest slab in the Act's Schedule, up to INR 250 crore, applies to failing to take reasonable security safeguards against a personal data breach; failing to notify a breach carries up to INR 200 crore; processing without valid consent, like other breaches of the Act or rules, falls under the residual slab of up to INR 50 crore. In fixing the amount the Board considers the nature, gravity and duration of the breach and whether it is repetitive (section 33), so systematic consent failures across a portfolio weigh heavily.
- Liability for Damages: The DPDPA itself provides for penalties rather than compensation, but insurers may still face claims for harm caused by unauthorized processing under other applicable law and their contractual obligations.
Operational Disruptions
- Process Revisions: Overhaul of IT systems, workflows, and customer service.
- Increased Scrutiny: Regulatory audits and investigations impacting business continuity.
Reputational Damage
- Loss of Trust: A damaged reputation leads to customer attrition.
- Negative Publicity: Media and public backlash can harm long-term brand value.
Impact on Data Subjects
- Loss of Privacy: Unsolicited marketing, profiling, and privacy intrusions.
- Data Breaches: Greater risk due to unauthorized storage or sharing.
4. Key Components of Valid and Informed Consent
Components of Valid Consent
- Purpose Specification: Clearly state why data is collected and how it will be used.
- Granular Consent: Separate approvals for underwriting, marketing, analytics, etc.
- Time-Bound Validity: State how long the data is retained for each purpose and erase it once the purpose is no longer served or consent is withdrawn, unless retention is required by law (section 8(7)).
- Language Accessibility: Offer the notice and consent request in English or any language specified in the Eighth Schedule, so the customer can read them in a language they understand.
Features of Informed Consent
- Clarity and Simplicity: Use plain, understandable language.
- Active Opt-In: Require clear user action to give consent.
- Prior Disclosure: Share data usage, rights, and fiduciary info before consent.
- Revocability: Consent can be withdrawn at any time through a simple process.
Technical Considerations
- Audit Trails: Record every grant and withdrawal as an append-only event that captures who consented, to which purpose, when, through which channel, and against which version of the notice, so the insurer can prove valid consent after the fact.
- Consent Dashboards: Let users view, update, or withdraw each purpose-specific consent, with withdrawal requiring no more effort than the original grant.
- Integration with CRM: Derive the consent status shown in customer profiles and campaign lists from the consent record rather than copying it, so that a withdrawal cannot leave a stale copy behind.
5. Embedding Consent into the Insurance Lifecycle
Application and Onboarding
- Use transparent data collection forms with clear, purpose-specific consent statements.
- Use language suitable for customer literacy and offer multilingual support.
Underwriting
- Obtain additional granular consent for sensitive data (e.g., health, biometric).
- Record all processing activities linked to consent for audit readiness.
Policy Issuance and Servicing
- Inform policyholders of changes in data usage.
- Allow customers to review and update consent preferences via digital portals.
Marketing and Cross-Selling
- Obtain explicit consent for marketing and profiling.
- Provide easy opt-out and preference modification options.
Claims Processing
- Seek fresh, purpose-specific consent before sharing data with third parties such as hospitals or surveyors; where disclosure is required by law (for example a lawful demand from law enforcement), consent is not the basis, and the legal obligation relied on should be recorded instead.
- Ensure claim denial is not based on withdrawal of unrelated consents.
Renewal and End-of-Policy
- Revalidate consent at policy renewal.
- Delete or anonymize data upon policy closure unless retention is legally mandated.
6. Managing Customer Preferences and Withdrawal of Consent
Managing customer preferences and consent withdrawal effectively is critical to DPDPA compliance. The Act mandates that the process of withdrawing consent must be as simple as giving it. This shifts the onus on insurers to build systems that are customer-centric and responsive.
Essential Features of Consent Management:
- User-Friendly Dashboards: Provide a centralized interface where customers can easily view, update, or withdraw their consents.
- Real-Time Updates: Ensure that any changes in consent are reflected across systems immediately to prevent unauthorized processing.
- Multi-Channel Accessibility: Allow customers to manage consent via apps, websites, customer service, and even in-person visits.
Handling Consent Withdrawal:
- Non-Penalization: Withdrawal must not be treated as a reason to withhold unrelated services. Where the withdrawn data is genuinely necessary to deliver the service, the Act places the consequences of withdrawal on the data principal (section 6(5)), so state plainly which service will stop and why, without turning that explanation into an obstacle to withdrawing.
- Service Continuity: Where possible, offer alternatives that do not require the withdrawn data.
- Notification Mechanism: Notify users when their consent withdrawal has been processed and confirm any changes to service terms.
Integration with CRM and Workflows:
- Update CRM platforms to reflect changes in consent preferences.
- Tag customer records to align services with current consent.
- Alert all relevant departments when consent is changed or withdrawn.
7. Case Studies of Consent Violations in Insurance
Case Study 1: Unauthorized Marketing After Policy Expiry
A leading insurance provider was found sending promotional messages to former policyholders despite their consent being withdrawn after policy expiry. The customers filed complaints with the company and the regulatory authority. An investigation revealed that the marketing team did not update their contact lists to reflect withdrawn consents. As a result, the company faced regulatory warnings and was required to overhaul its consent management system.
Case Study 2: Data Sharing Without Specific Consent
In another case, an insurer shared customer health data with third-party wellness partners for analytics and cross-selling purposes. However, the original consent only covered data use for underwriting and claims processing. A complaint led to scrutiny by the Data Protection Board, which concluded that the sharing violated the “specific purpose” requirement under DPDPA. The company had to issue public apologies, compensate affected customers, and stop all such data partnerships until compliant consent forms were introduced.
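The audit trail, dashboard and real-time propagation points in sections 4 and 6 above, and the two failure modes in the case studies (a marketing list that outlived a withdrawal, and data shared for a purpose that was never consented to), come down to one design decision: consent status is derived from an append-only, purpose-scoped record and never copied into downstream lists. The following Python sketch is an added example written for this article; it is not the Act's text and not any insurer's system, and the purpose names, channel labels, policyholder IDs, notice versions and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional, Set


class Purpose(str, Enum):
    """One consent decision per purpose; bundling them is what the Act forbids."""
    UNDERWRITING = "underwriting"
    CLAIMS = "claims"
    MARKETING = "marketing"
    WELLNESS_ANALYTICS = "wellness_analytics"  # sharing with wellness partners (hypothetical)


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: Purpose
    action: str             # "grant" or "withdraw"
    at: datetime            # UTC time of the affirmative act or the withdrawal
    channel: str            # "app", "web", "call_centre", "branch" (hypothetical labels)
    notice_version: str     # version of the notice shown before consent was sought


class ConsentLedger:
    """Append-only record of consent events. Current status is always derived
    from the log, so no downstream list can drift out of date."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, principal_id: str, purpose: Purpose, channel: str,
              notice_version: str, at: datetime, affirmative: bool = True) -> None:
        # A default or pre-ticked choice is not a clear affirmative action: refuse to record it.
        if not affirmative:
            raise ValueError("consent requires a clear affirmative action")
        if not notice_version:
            raise ValueError("a notice must be given before or at the time consent is sought")
        self._events.append(ConsentEvent(principal_id, purpose, "grant", at, channel, notice_version))

    def withdraw(self, principal_id: str, purpose: Purpose, channel: str, at: datetime) -> None:
        # Withdrawal asks no more of the principal than granting did (comparable ease).
        self._events.append(ConsentEvent(principal_id, purpose, "withdraw", at, channel, ""))

    def may_process(self, principal_id: str, purpose: Purpose, at: datetime) -> bool:
        """True only if the most recent event for this principal and purpose, as of
        time `at`, is a grant. Processing done before a later withdrawal stays
        lawful; processing for a purpose that was never granted never is."""
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.principal_id == principal_id and ev.purpose == purpose and ev.at <= at:
                latest = ev
        return latest is not None and latest.action == "grant"

    def recipients_for(self, purpose: Purpose, at: datetime) -> Set[str]:
        """Rebuild a campaign list from the ledger every time it is used; never cache it."""
        ids = {ev.principal_id for ev in self._events if ev.purpose == purpose}
        return {pid for pid in ids if self.may_process(pid, purpose, at)}

    def audit_trail(self, principal_id: str) -> List[ConsentEvent]:
        """Everything the dashboard shows and an auditor asks for, in order of occurrence."""
        return [ev for ev in self._events if ev.principal_id == principal_id]


def day(d: int) -> datetime:
    """Constructed timestamps for the scenario below (January 2025, UTC)."""
    return datetime(2025, 1, d, tzinfo=timezone.utc)


def demo() -> Dict[str, bool]:
    """Constructed scenario: policyholder P-001 consents to three purposes at
    onboarding, then withdraws marketing consent after the policy lapses."""
    ledger = ConsentLedger()
    for purpose in (Purpose.UNDERWRITING, Purpose.CLAIMS, Purpose.MARKETING):
        ledger.grant("P-001", purpose, "app", "notice-v3", at=day(1))
    ledger.withdraw("P-001", Purpose.MARKETING, "app", at=day(20))

    results = {
        # Case study 2: underwriting/claims consent does not cover wellness-partner sharing.
        "wellness_sharing_allowed": ledger.may_process("P-001", Purpose.WELLNESS_ANALYTICS, day(30)),
        # Case study 1: a campaign run after the withdrawal must not include P-001 ...
        "marketed_after_withdrawal": "P-001" in ledger.recipients_for(Purpose.MARKETING, day(25)),
        # ... while a mailer sent on day 10 was lawful when it went out.
        "marketing_lawful_on_day_10": ledger.may_process("P-001", Purpose.MARKETING, day(10)),
        # Withdrawing one purpose leaves unrelated purposes untouched.
        "underwriting_still_allowed": ledger.may_process("P-001", Purpose.UNDERWRITING, day(30)),
    }
    try:  # a pre-ticked box on the web form is rejected, not silently logged
        ledger.grant("P-002", Purpose.MARKETING, "web", "notice-v3", at=day(5), affirmative=False)
        results["preticked_rejected"] = False
    except ValueError:
        results["preticked_rejected"] = True
    results["audit_trail_complete"] = len(ledger.audit_trail("P-001")) == 4
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`may_process` takes the time of processing as an argument, so the same ledger answers both "may we send this today?" and "was the mailer sent on the 10th lawful?", which is the question an inquiry actually asks. A production deployment would persist the events with integrity protection (write-once storage or hash chaining of the log), expose `withdraw` through every channel that offers `grant`, and have the CRM and campaign tooling call `recipients_for` rather than keep their own copy of who has opted in.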
Inadequate consent practices in the insurance sector pose serious legal and reputational risks under the DPDPA. As consent becomes central to data governance, insurers must shift from checkbox compliance to comprehensive, transparent, and customer-focused consent systems. Embedding valid consent mechanisms throughout the policy lifecycle is not just a legal necessity—it’s a strategic imperative to retain trust. With proactive steps like multilingual notices, consent dashboards, and withdrawal support, insurers can ensure DPDPA compliance while reinforcing their commitment to ethical data use and consumer rights.
8. Final Thoughts
- Clear and specific consent practices form the foundation of trust between insurers and policyholders. By demystifying data use and empowering customer choice, companies can turn compliance into a competitive advantage.
- Consent must evolve from pre-ticked boxes to informed, user-driven decisions. Offering granular opt-ins and multilingual notices ensures inclusivity and aligns insurers with both legal mandates and ethical standards.
- Embedding consent into every stage—from onboarding to claims—ensures sustained compliance and data integrity. Continuous updates and training are key to navigating the dynamic DPDPA environment.
- The ability to revoke consent must be seamless and respectful. When insurers make it easy to withdraw without penalties, they uphold the spirit of data dignity and customer autonomy.

