
Consent is King: Rethinking Customer Permissions in Insurance

Krishna Patel, Content Writer

3 min read

Tags: Data Protection, Consent Governance

• In this new age of digital insurance, consent is no longer a box to check—it is at the core of trust, transparency and compliance. The Digital Personal Data Protection (DPDP) Act, 2023 contains sweeping reforms that force insurers to move from simply collecting data to actively managing permissions.
• This article is intended as a practical resource for understanding how consent works in the insurance sector, the steps insurers and Data Protection Officers (DPOs) should take to stay within the regulations, and how to create consent experiences that empower customers rather than wear them out.

Under the DPDP Act, insurers must revisit data collection at every touch point to ensure compliance with the new consent framework, making it the foundation of lawful data processing.
• Consent must be free, specific, informed, unconditional, and unambiguous: No more blanket consents; every piece of data collected must have a defined, stated purpose.
• Granularity is the new norm: Insurers must allow customers to give or refuse consent for underwriting, claims and marketing as separate decisions.
• More care is needed with children and sensitive data: Additional safeguards are required for processing minors' data and sensitive financial or medical history.
• Documents prove consent: The DPDP Act expects insurers to hold verifiable evidence of consent, not merely to state that they have it.



2. Behind the Screens: How Insurers Collect and Manage Customer Data

Insurance data collection happens everywhere, from onboarding forms to telematics and claims apps. But the real question is: are you also collecting trust?
Audit your data touch points:
• Mobile apps & websites - Privacy notices and consent pop-ups must be visible, clear, and mindful of the language used in notifications.
• Customer onboarding (offline and digital) - Are paper forms still bundling consents? It’s time to unbundle and digitize them.
• Third-party integrations (TPAs, agents, health-tech platforms) - Ensure that downstream vendors comply with DPDP mandates when collecting or using shared customer data.
• Data lifecycle clarity - Understand what happens to the data when a policy lapses or a claim is settled. Is the consent still valid?
“Most insurers don’t realize they’re collecting more data than they need. That’s not just inefficient—it’s a compliance risk.” — Expert Insight

It’s time to move past generic ‘I Agree’ buttons. Create UX-first consent flows that keep you on the right side of data protection and privacy regulation.
Some Good Principles for Designing Consent Flows:
• Layered notices: Give the most important information first, and let users drill down into more detail if they want it.
• Consent dashboards: Enable users to see, manage or revoke consents easily, particularly in self-service applications.
• Make consent contextual: Ask for permission at the moment the data is collected, not at general application installation.
• Language matters: Use plain language with localized options so that users understand what they are consenting to.
Stat Watch: According to a 2024 PwC report, 68% of Indian policyholders abandon digital journeys if data permission requests are unclear or overwhelming.

Consumers can say no – even after saying yes. The insurer must make this seamless.
What DPOs need to do
• Honor withdrawals promptly: Delays in acting on a withdrawal of consent are an offence under the DPDP Act.
• Support granular withdrawals: Consumers can withdraw consent for certain purposes (such as marketing) while keeping it for others (such as claims processing).
• Clarify consequences: If a withdrawal of consent affects a future service (for example, the consumer is no longer eligible to claim), this must be made clear and the consumer unequivocally informed of the consequences before they withdraw.
• Log it: Log everything – time-stamped records of when and how a withdrawal of consent was made, so that you are ready for audits.

Too many prompts and too little clarity: consent fatigue is real and damaging. Strategies to avoid user burnout:
• Refrain from redundant prompting: Don’t ask users for the same consent every time they log into your application. Capture and remember their preferences so they are not prompted again.
• Consolidate prompts: Where appropriate, replace several related consent requests with one easy-to-understand prompt.
• Provide control, not pressure: Give users meaningful options; don’t push them into all-or-nothing choices.
• Conduct UX testing: Track where users abandon a journey and where they get confused, and use that to build a more systematic consent UX.
“Consent fatigue isn’t just a user experience issue—it’s a compliance blind spot. If customers blindly click ‘agree,’ it weakens the validity of the consent itself.” — Expert Insight
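The three requirements above that are really about system design (purpose-granular consent with verifiable evidence, prompt and logged withdrawals with stated consequences, and remembering a decision so the user is not re-prompted on every login) can be implemented as one append-only consent ledger. The following is an added example written for this article, not code from the author or from any insurer or vendor; the purpose names, the consequence texts, the `notice-v2` label and the `cust-001` events are all constructed placeholders, and the hash chain is one common way to make the audit trail tamper-evident, not something the DPDP Act prescribes.

```python
"""Purpose-granular consent ledger with a tamper-evident audit trail.

Added example for the article above, not code from the author or any vendor.
Purpose names, consequence texts and sample events are constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical purposes, each consented to and withdrawn separately.
PURPOSES = {"underwriting", "claims", "marketing"}

# Constructed table of what the customer is told on withdrawal ("" = no impact).
WITHDRAWAL_CONSEQUENCES = {
    "claims": "Open and future claims cannot be assessed without this data.",
    "underwriting": "Renewal cannot be priced; cover may lapse at renewal.",
    "marketing": "",
}


@dataclass
class ConsentEvent:
    subject_id: str
    purpose: str
    action: str          # "grant" or "withdraw"
    channel: str         # app, web, agent, paper
    notice_version: str  # privacy notice the customer actually saw
    timestamp: str       # ISO-8601 UTC
    prev_hash: str       # hash of the preceding event; chains the log
    event_hash: str = ""

    def canonical(self) -> str:
        """Stable serialisation of every field except the hash itself."""
        body = {k: v for k, v in self.__dict__.items() if k != "event_hash"}
        return json.dumps(body, sort_keys=True)


class ConsentLedger:
    """Append-only log: current permissions are derived, never edited in place."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _append(self, subject_id: str, purpose: str, action: str, channel: str,
                notice_version: str, ts: str | None) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        prev = self._events[-1].event_hash if self._events else self.GENESIS
        ev = ConsentEvent(subject_id, purpose, action, channel, notice_version,
                          ts or datetime.now(timezone.utc).isoformat(), prev)
        ev.event_hash = hashlib.sha256(ev.canonical().encode()).hexdigest()
        self._events.append(ev)
        return ev

    def grant(self, subject_id: str, purpose: str, channel: str,
              notice_version: str, ts: str | None = None) -> ConsentEvent:
        return self._append(subject_id, purpose, "grant", channel, notice_version, ts)

    def withdraw(self, subject_id: str, purpose: str, channel: str,
                 ts: str | None = None) -> str:
        """Record the withdrawal at once and return the consequence text to show.
        Only this purpose changes; the customer's other consents are untouched."""
        self._append(subject_id, purpose, "withdraw", channel, "n/a", ts)
        return WITHDRAWAL_CONSEQUENCES[purpose]

    def is_permitted(self, subject_id: str, purpose: str) -> bool:
        """Latest event for (subject, purpose) decides; no event means no consent."""
        state = False
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                state = ev.action == "grant"
        return state

    def needs_prompt(self, subject_id: str, purpose: str, current_notice: str) -> bool:
        """Ask only when nothing is recorded or a grant predates the current notice;
        a remembered decision (including a withdrawal) is not re-asked on every login."""
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev.action == "grant" and ev.notice_version != current_notice
        return True

    def audit_trail(self, subject_id: str) -> list[dict]:
        return [dict(ev.__dict__) for ev in self._events if ev.subject_id == subject_id]

    def verify_chain(self) -> bool:
        """Recompute every hash; one edited or deleted record breaks the chain."""
        prev = self.GENESIS
        for ev in self._events:
            digest = hashlib.sha256(ev.canonical().encode()).hexdigest()
            if ev.prev_hash != prev or digest != ev.event_hash:
                return False
            prev = ev.event_hash
        return True


def demo() -> dict:
    """Constructed walk-through: three grants at onboarding, one later withdrawal."""
    ledger = ConsentLedger()
    for i, purpose in enumerate(("underwriting", "claims", "marketing")):
        ledger.grant("cust-001", purpose, "app", "notice-v2", f"2025-01-10T09:00:0{i}+00:00")
    note = ledger.withdraw("cust-001", "marketing", "web", "2025-03-02T18:30:00+00:00")
    return {"marketing": ledger.is_permitted("cust-001", "marketing"),
            "claims": ledger.is_permitted("cust-001", "claims"),
            "consequence": note,
            "events": len(ledger.audit_trail("cust-001")),
            "chain_ok": ledger.verify_chain()}
```

Two design choices carry the compliance weight. Permissions are never stored as a mutable flag: every grant and withdrawal is an immutable, time-stamped event that also records which notice version the customer saw and through which channel, so the audit trail itself is the evidence. And `is_permitted` defaults to deny, so a purpose the customer was never asked about can never be processed by accident.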

Establishing a consent-first mindset across departments is essential, as DPOs are the gatekeepers of data ethics.
Action Items for DPOs:
• Develop internal policies for consent collection and revocation: Every team, from IT to claims, must follow the same guidance.
• Conduct regular compliance audits: In particular, audit third-party vendors, field agents, and legacy systems.
• Train functional teams: Give customer support, sales agents and other relevant staff training on handling consent requests and revocations.
• Work together with tech & legal: Design workflows that improve customer experience while meeting legal obligations.

• The DPDP Act is not merely a legal obligation for insurers – it is a way to start rebuilding trust.
• DPOs are responsible not only for how consent is obtained, but for how customers experience it.
• Insurers who create ethical, visible and user-friendly consent journeys will stand out in a crowded landscape weighed down by compliance burdens.
• It is important to remember that in today’s data-focused insurance marketplace, consent is more than just a document. It’s a promise from a brand to treat customers with respect and to take on that obligation responsibly.


© 2025 Bytecloak Technologies Private Limited. All rights reserved.