Consent vs Lawful Basis: What Businesses Get Wrong Under GDPR and DPDPA
Mar 12, 2026

Introduction
Both the European Union’s General Data Protection Regulation (GDPR) and India’s Digital Personal Data Protection Act, 2023 (DPDPA / DPDP Act) recognize consent as a primary ground for processing personal data, rather than an exclusive requirement for all processing activities. Article 6 of the GDPR lists six legal bases for processing. Consent appears next to contract, legal obligation, vital interests, public tasks, and legitimate interests. The DPDPA provides a sophisticated dual-track framework for data processing: it establishes Consent as the primary ground while providing a distinct, independent path for 'Certain Legitimate Uses.' This ensures that while individual autonomy is prioritized, Data Fiduciaries can also process data with confidence for critical purposes, such as legal compliance, medical emergencies, or the delivery of State benefits, without requiring consent, thereby ensuring both robust privacy and operational efficiency.
However, many organisations still behave as if consent were the only option. They gather "consent" in situations where it cannot be freely given. They treat consent as a one-size-fits-all answer when other legal grounds would work better. They also struggle to clearly separate the legal basis for processing from the user's experience of choice and control. Under both GDPR and DPDPA, this is not only poor practice; it undermines the validity of processing and adds unnecessary compliance risk.
Lawful Basis Under GDPR: Consent as One Option Among Many
Article 6 GDPR provides the core list of lawful bases. Processing is lawful only if at least one of the enumerated grounds applies to the specific purpose:
Consent of the data subject for one or more specific purposes.
Necessity for performance of a contract or pre‑contractual steps.
Necessity for compliance with a legal obligation.
Necessity to protect vital interests of the data subject or another person.
Necessity for performance of a task carried out in the public interest or in the exercise of official authority.
Necessity for the legitimate interests of the controller or a third party, balanced against the rights and freedoms of the data subject.
The key design choice in GDPR is that controllers must choose a lawful basis per purpose, document that choice and then act consistently with it. Consent is only appropriate when individuals genuinely have a choice and when saying “no” does not lead to disproportionate consequences. For core contract performance, statutory reporting, safety‑critical processing or many fraud controls, other bases ordinarily make more sense.
GDPR’s recitals further clarify what proper consent requires: a clear affirmative act, freely given, specific, informed and unambiguous, and separate from other matters such as terms and conditions. Silence, pre‑ticked boxes or inactivity do not meet this standard.
Lawful Basis Under India’s DPDPA: Consent Plus Legitimate Uses
The DPDP Act follows a different structure but a similar logic. It frames processing largely around consent, but it also allows processing without consent in a defined set of situations labelled as “certain legitimate uses”. Broadly, the Act does the following:
Requires a Data Fiduciary to obtain consent before processing personal data, following notice requirements in Section 5 and consent conditions in Section 6.
Creates a list of legitimate uses where consent is not required, including compliance with court orders or laws, state functions, responding to medical emergencies, employment‑related purposes and other situations to be prescribed.
In other words, DPDPA’s consent model is complemented by statutory permissions that act as functional lawful bases for defined contexts. A public authority processing data to provide notified benefits, or an employer processing employee details for salary and statutory deductions, is not expected to rely on consent when the activity is mandated or inherently necessary for that relationship.
However, the Act still expects transparency and safeguards even when consent is not the ground. Notice, security measures and data‑subject rights continue to apply, and the Data Fiduciary remains accountable for demonstrating that a legitimate use clause genuinely covers the processing.
What Businesses Get Wrong Under GDPR
Treating Consent as the Default Lawful Basis
A common pattern under GDPR is to treat consent as the “safe” choice because it appears to give explicit user approval. Using consent where there is a power imbalance or where refusal would make the service practically inaccessible often makes that consent invalid. Employment processing, necessary fraud checks or mandatory regulatory reporting are poor candidates for consent, because the data subject cannot freely decline without serious consequences.
When controllers ask for consent in those settings, they create a legal mismatch: the real basis for processing is contract, legal obligation or legitimate interests, but the documentation and interfaces claim consent. If that consent is withdrawn, the organisation is left either ignoring the withdrawal (and undermining trust) or scrambling to retrofit another basis after the fact.
Confusing Preference UX With Legal Basis
Another recurring mistake is to treat any toggle or checkbox in a user interface as “consent” in the legal sense, regardless of what lawful basis applies behind the scenes. An email preference centre enables users to manage non-essential marketing, serving as a tool to exercise the Right to Object under GDPR, rather than evidence of consent. While the GDPR permits Legitimate Interests for marketing, the DPDPA is strictly consent-centric, meaning opt-out mechanisms for initial marketing collection are generally invalid.
If the marketing is in fact justified under legitimate interests with appropriate balancing, then the preference centre is a way of honouring user choice on top of that basis, not the basis itself. Blurring this distinction can complicate records of processing and make it harder to demonstrate compliance to supervisory authorities.
Piling Lawful Bases on Top of Each Other
Controllers sometimes state that processing is based on “consent and contract and legitimate interests” for the same purpose. This undermines GDPR’s structure. Article 6 anticipates a primary lawful basis per purpose. Attempting to stack them can backfire: if the controller relies on contract in practice but claims consent in notices, it may be challenged for mischaracterising the data subject’s rights.
A more proactive approach is to select the most appropriate basis, explain it transparently and build consent mechanisms only where consent is truly required or adds meaningful autonomy.
What Businesses Get Wrong Under DPDPA
Assuming Everything Must Be Consent‑Based
In India, one of the early misconceptions is that all processing must be grounded in consent, and that legitimate uses are a narrow exception to be avoided. That tends to produce bloated consent flows in which users are asked to “agree” even when the activity is clearly mandated by law or inherent in the service relationship; a reading of Section 7 makes this clear.
The result is twofold. First, it creates consent fatigue and increases the risk that users click through without understanding, which undermines the spirit of informed choice. Second, it creates legal confusion: if processing is justified under a legitimate use clause, the organisation does not need consent for that specific purpose and should not suggest that refusal would block mandatory processing.
Using Consent Language Where Power Imbalances Exist
The DPDPA, while less explicit than GDPR’s recitals, still assumes that consent is meaningful only where the Data Principal has a genuine opportunity to say no. When a private employer demands “consent” for routine HR processing that is required by labour or tax law, or when a citizen is told that essential services are conditional on broad, bundled consent, the voluntariness of that consent is questionable.
In those contexts, it is safer and more honest to rely on the relevant legitimate use or legal obligation and to frame notice accordingly. Consent can then be reserved for genuinely optional processing, such as additional analytics or marketing that go beyond what the service inherently requires.
Creating an Auditable Record
A final mistake is to assume that legitimate uses are “automatic” and do not require any documentation or internal analysis. In practice, Data Fiduciaries need to be able to show which clause they rely on, how the processing fits within its scope, and what safeguards are in place.
Treating legitimate uses as a black box can lead to overbroad interpretations that do not survive regulatory scrutiny. A structured assessment, similar in spirit to a GDPR legitimate interests assessment, is a safer way to use these permissions responsibly.
