Granular vs Blanket Consent: What Regulators Expect in 2025

Mar 19, 2026


Introduction 

If you have been following India’s data protection journey, you know that consent is not just a checkbox anymore. The Digital Personal Data Protection (DPDP) Act, 2023, and the DPDP Rules notified in November 2025 make one thing very clear: blanket consent is out. Regulators expect granular, purpose-specific consent, and they are building the entire compliance framework around that principle. 

Blanket consent means checking one box and agreeing to every use of your data. It’s easy for businesses but bad for users, who have no control or understanding. This model does not respect user autonomy, and regulators worldwide have rejected it. 

Granular consent lets users control each purpose: for example, a yes for core delivery and analytics but a no for marketing. Implementing this is harder, but it is now mandatory. With an 18-month deadline, businesses relying on blanket consent must switch fast. 

What Regulators Mean by “Granular Consent”  

The DPDP Act defines consent in Section 6. 

It must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. The word that matters most here is specific. Consent must be tied to a particular purpose, and it must be limited to the personal data that is necessary for that purpose. 

The DPDP Rules, notified by the Ministry of Electronics and IT in November 2025, double down on this. Rule 3 requires Data Fiduciaries to issue standalone, clear, and simple consent notices that transparently explain the specific purpose for which personal data is being collected and used. The notice must be itemised. It must spell out what data you are collecting, why you need it, and how the user can withdraw consent later.  

What this means in practice is that if your platform collects data for three different purposes, say, account management, product analytics, and marketing emails, you need three separate consent requests. A user should be able to say yes to account management, yes to analytics, and no to marketing. They should not have to agree to all three just to use your service. 

The DPDP Act and MeitY, drawing on Section 6, call for a ban on bundled consent. Users and businesses both need clear parameters: users must know what they agree to, and businesses need lawful consent for specific purposes. 

India is not alone: the EU’s GDPR also requires purpose-specific consent and penalises bundled processing. India adopts similar language and enforcement. 

Why “Blanket Consent” Fails the DPDP Test  

Blanket consent (“I consent to all uses of my data”) fails almost every requirement the DPDP Act sets out. 

First, blanket consent is not ‘specific’. Users can’t know or choose the processing activities—service delivery, ads, AI training, data sharing—since nothing is detailed. 

Second, it is not ‘informed’. Informed consent means the user understands what they are agreeing to before they agree. If the notice just says “we will process your data for various purposes as described in our privacy policy,” the user has no idea what is happening. Most people will not read a 20-page legal document to figure it out. 

Third, it undermines the requirement that consent be free. If you tell a user, “Agree to everything or you cannot use our service,” they do not have a real choice. They might agree because they need the service, but that is coercion, not consent. The DPDP Act is clear that consent must be voluntary, and making essential services conditional on agreeing to unrelated processing does not meet that standard. 

Finally, it makes ‘withdrawal’ almost impossible to manage. If a user withdraws blanket consent, do you have to stop all processing, even what is needed for the core service? That is unworkable. The solution is not to ignore the withdrawal. It is never to have bundled consent in the first place. When consent is purpose-specific, withdrawal can also be purpose-specific. The user can withdraw consent for marketing but keep the rest of their account active. 

DPDP Rules require that withdrawing consent be as simple as giving it. A single “accept all” button does not allow selective withdrawals. Granular consent provides the needed control. 

What “Itemised” Consent Notices Look Like  

The DPDP Rules do not just say “be clear.” They give concrete requirements. A consent notice must be standalone, not buried inside terms of service or a privacy policy. It must be written in plain language that anyone can understand, not legal jargon. And it must include: 

  1. A clear description of the personal data being collected (not “various data points,” but “name, email, phone number, location”) 

  2. The specific purpose for processing (not “business operations,” but “to send you order updates” or “to show you personalised product recommendations”) 

  3. A direct, easy way to withdraw consent (a link, a button, a clear process, not “contact us at legal@company.com and wait 30 days”) 

  4. Information about how to exercise other rights and how to file a complaint with the Data Protection Board 

This is what makes consent “itemised.” Each purpose gets its own line item. The user sees what data is involved, what it is used for, and what their options are. No hidden bundling. No vague categories. Just clear, honest information that lets people make real decisions. 

The UX Challenge: Granularity Without Overwhelm  

Granular consent can frustrate users who get too many requests. They may abandon the signup or click “accept all” without reading. This undermines informed consent. 

This is a real problem, but the solution is not to go back to blanket consent. The solution is smarter UX design. You present consent ‘progressively’, not all at once. When a user first signs up, you ask for consent only for the core purposes that are needed to create the account. 

Later, when they enable a feature that involves additional data processing, like turning on location-based recommendations or connecting a third-party app, you present a contextual consent request for that specific purpose. 

This approach is called “just-in-time consent”. Users see requests when they matter, understand the context, and avoid cluttered signup screens. 

GoTrust’s consent management supports this pattern. You configure your purposes centrally: “account management,” “email marketing,” “product analytics,” “third-party integrations,” and then you control where and when each consent request is presented. The frontend SDK knows which purposes have been consented to and which have not, so it only shows prompts for the ones that are still missing. 

Users get a smooth, progressive experience, and you satisfy DPDP’s purpose-specific consent demands. Auditors get a structured, defensible system, not a generic approach. 

Why “Consent Bundling” Is Explicitly Banned  

MeitY’s position on bundled consent has been clear since the draft rules were released. Consent management systems must not include options that allow users to agree to all purposes simultaneously. The idea is to prevent the “take it or leave it” problem, where users feel forced to accept everything just to access a service. 

Allow an “accept all” button only if users can also accept or reject each purpose individually. Don’t use systems where all purposes are bundled and granular controls aren’t available. 

Regulators ban bundled consent because it mainly benefits businesses by making data use broad and withdrawal hard. It hides data use and blocks real user control. 

The DPDP Rules introduce the concept of Consent Managers, independent entities that help users manage their consent across multiple services. These Consent Managers will be required to present consent in a granular, purpose-specific way. They will maintain detailed logs of what was consented to, when, and for which purposes. And they will make it easy for users to review and update their consent at any time. 

Operationalising “Granular Consent” with GoTrust  

Implementing granular consent is not just a design problem. It is an engineering and compliance problem, too. You need to capture consent accurately, store it with full metadata, enforce it across all your systems, and maintain audit-ready records that prove every consent was valid and lawful. 

GoTrust’s platform is built around this end-to-end workflow. You define your purposes once (“core service,” “analytics,” “marketing,” “third-party sharing”) and map them to the specific data categories each purpose requires. The platform generates purpose-specific consent forms, banners, and preference centres that present users with clear, itemised choices. 

When a user consents, the platform records the full context: timestamp, purpose, data categories, the exact text they saw, the channel (web, mobile, API), their IP address, and user agent. These records are immutable. They go into a tamper-proof audit log that regulators can inspect at any time. 

GoTrust also handles consent enforcement. When a user withdraws consent for a specific purpose, the platform propagates that change to all connected systems immediately. If your analytics pipeline loses consent, it stops processing that user’s data right away. If marketing consent is withdrawn, email campaigns automatically exclude that user. No manual intervention. No lag. Just instant, reliable enforcement. 
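The capture, purpose-level withdrawal and audit-log pattern described above can be sketched as follows. This is an added example, not GoTrust's code or API: the class and method names are hypothetical, a SHA-256 hash chain is assumed as the way to make tampering with the log detectable, the notice text is stored as a hash, and IP address and user agent are left out for brevity.

```python
import hashlib, json
from datetime import datetime, timezone
GENESIS = "0" * 64  # "previous hash" used for the first event

class ConsentLedger:
    """Hypothetical append-only, hash-chained log of per-purpose consent events."""

    def __init__(self):
        self.events = []

    @staticmethod
    def _digest(event):
        payload = {k: v for k, v in event.items() if k != "hash"}
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def _append(self, user, purpose, action, channel, categories=(), notice=""):
        event = {
            "user": user, "purpose": purpose, "action": action, "channel": channel,
            "categories": sorted(categories),
            "notice_sha256": hashlib.sha256(notice.encode()).hexdigest() if notice else None,
            "ts": datetime.now(timezone.utc).isoformat(),
            "prev": self.events[-1]["hash"] if self.events else GENESIS,
        }
        event["hash"] = self._digest(event)
        self.events.append(event)

    def grant(self, user, purpose, categories, notice, channel):
        self._append(user, purpose, "grant", channel, categories, notice)

    def withdraw(self, user, purpose, channel):
        self._append(user, purpose, "withdraw", channel)

    def is_allowed(self, user, purpose):
        # The latest event for this (user, purpose) wins; no event means no consent.
        for e in reversed(self.events):
            if e["user"] == user and e["purpose"] == purpose:
                return e["action"] == "grant"
        return False

    def missing(self, user, purposes):
        return [p for p in purposes if not self.is_allowed(user, p)]

    def verify(self):
        prev = GENESIS
        for e in self.events:
            if e["prev"] != prev or e["hash"] != self._digest(e):
                return False
            prev = e["hash"]
        return True
```

Downstream systems would call `is_allowed` before processing for a purpose, and `missing` gives the purposes that still need a just-in-time prompt; `verify` returns False if any stored event was edited or removed from the middle of the chain.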

For businesses with multi-channel operations (web, mobile, IoT, and offline), GoTrust’s SDK and API layer ensures that consent state stays synchronised across all touchpoints. A preference set on mobile gets reflected on the web. A withdrawal via API gets enforced in your data warehouse. Everything stays in sync because everything talks to the same central consent backbone. 

Consequences of Ignoring This Transitional Shift  

The DPDP Act gives the Data Protection Board of India significant enforcement powers. Financial penalties for non-compliance can go up to ₹250 crore per violation. But the real risk is not just fines. It is reputational damage, loss of user trust, and the operational chaos that happens when you get caught relying on invalid consent. 

If regulators find that your consent mechanism does not meet the requirements because it is bundled, vague, buried in legal text, or impossible to withdraw, they can order you to stop processing that data. Imagine having to halt marketing campaigns, shut down analytics pipelines, or suspend third-party integrations because your consent was never valid in the first place. The business impact is immediate and severe. 

The safer path is to get ahead of this now. Redesign your consent flows around granular, purpose-specific choices. Implement preference centres where users can review and manage their consent at any time. Build enforcement into your backend systems so that withdrawal is instant and automatic. And maintain defensible records that prove you did everything right from the start. 

GoTrust helps businesses make this transition without rewriting their entire stack. The platform integrates with existing systems via APIs and SDKs, so you can layer compliant consent management on top of what you already have. You do not have to rip and replace. You just need to add the governance layer that the law now requires. 

Conclusion 

Granular consent is not optional under the DPDP framework. It is a core requirement, explicitly mandated by the Act and reinforced by the Rules notified in November 2025. Regulators have made it clear that bundled, blanket consent does not meet the standard. They expect standalone, itemised notices. They expect purpose-specific choices. They expect easy withdrawal. And they are building enforcement mechanisms (Data Protection Board investigations, financial penalties, and Consent Manager oversight) to make sure businesses comply. 

For organisations still using blanket consent, the 18-month compliance timeline is ticking. You have until mid-2026 to redesign consent flows, update systems, and retrain teams. That is enough time if you start now, but not enough if you wait until the deadline is looming. 

GoTrust’s consent platform gives you the tools to make this shift without breaking your user experience. Granular consent controls, progressive flows, real-time enforcement, audit-ready records, and seamless integration with your existing systems. It is how forward-looking businesses are preparing for DPDP compliance, and it is how you can turn a regulatory requirement into an opportunity to build real user trust.