By – Shreya Maheshwari

Abstract 

Digital Personal Data Protection (DPDP) Rules, 2025, were notified on 14 November 2025. These rules aim to provide a citizen-centric framework for privacy protection by providing consent notices in simple language under SARAL principles of simplicity, accountability, authenticity, and lawfulness. This article argues that the requirement for a detailed itemised consent notice under Rule 3 of the DPDP Rules makes the notice information-dense. This undermines the aim of informed user consent owing to the low levels of digital literacy in India and time constraints.

Introduction 

Data collection has become integral to business and services in the present day. In today’s digital world, the idea of personal data protection is based on how users interact with consent notices for understanding how and why their data is used. The new DPDP Rules 2025 adopt a consent-centric framework to ensure that every citizen can exercise control over their personal data. However, owing to low digital literacy in India and time constraints on users, this objective can be undermined. The article critically analyses various DPDP Rules 2025, including Rule 3 and Rule 10, from a digital literacy, time and cognitive constraints perspective. It compares the statutory framework of DPDP rules to the realities of digital literacy rates in India. It further draws parallels with the research studies focusing on how users react to long consent notice forms to examine whether the notice requirements under Rule 3 allow the user to form informed consent.

Consent as the Central Pillar of the DPDP Framework

The DPDP rules 2025 place a heavy emphasis on the free consent of individuals (data principals) to ensure that citizens are aware of how their data is used and willingly consent to its use. To ensure meaningful consent, the new rules require organisations to display consent in the 22 languages mentioned under Schedule 8 of the Indian Constitution. While this aids individuals in forming informed consent, it overlooks that Schedule 8 still does not consist of many local languages. Thus, creating difficulties for providing meaningful consent for some sections of society.

Further, the act follows the SARAL approach to ensure that consent notices are in plain language so that individuals are able to comprehend the rules. However, effective consent under this approach might be hindered owing to the assumption that linguistic accessibility allows people to comprehend technical and legal terms despite a low digital literacy rate of 38%. This might create hurdles in forming informed consent, as more than half of the population might face challenges in forming meaningful consent. This impacts privacy as individuals will resort to providing a superficial consent by simply accepting or declining consent rather than forming a substantive consent by understanding the consent terms as required by Section 6 (1) of the DPDP Act, 2023.

Rule 3 and Information-Dense Consent Notices

Rule 3 of the DPDP rules 2025 requires the platforms to provide a detailed itemised notice in simple language. This includes a description of personal data, its specified purpose, etc. This detailed description ensures that the user understands the purpose and usage of their data. However, this often makes the notices information dense and lengthy. Thus, creating problems for the individuals who do not understand certain technical or legal words, as they might require a longer time to comprehend them. This detailed provision might create a gap, as platforms might insert important information in long notices for a population with low digital literacy. Hence, requiring them a longer reading period for comprehending the notice might also result in cognitive overload. Thus, risking user privacy. Additionally, it is important to understand that expecting users to fully comprehend extensive consent notices from multiple platforms negates their actual capacity to do so. Thus, resulting in consent fatigue, as users will be required to read lengthy notices, making them resort to skipping them. These structural concerns are amplified by the requirement of parental consent for each online activity for their minor children under Rule 10 of the DPDP Rules 2025. Hence, users might resort to giving quick consent without reading the terms of the notice, thereby risking the children’s data for misuse. Moreover, many parents are not digitally literate to provide informed consent. Hence, they might have to resort to blind acceptance of terms and conditions so that their children are not deprived of services, including online education.

Time Constraints and the Illusion of Meaningful Consent

The DPDP rules intend to allow individuals to form meaningful consent. This is done by enabling users to have control over their data. However, the implementation of this provision reveals deeper structural barriers. Detailed privacy notices under Rule 3 are often excessively long, requiring a substantial amount of time to read through them. This time investment in reading long privacy notices creates friction, which stops users from immediately completing their task. Moreover, many users prioritise immediate task completion over their privacy. Research shows that users prioritise saving time over reading privacy policies.

This investment deters users from a thorough review of policies, making them click the “I agree” button without understanding the consequences. Hence, these long notices, instead of informing users informed may worsen the situation as excessive information drowns important points. Thus, it is important to understand that making privacy notices long and detailed does not guarantee privacy protection but might risk it owing to consent fatigue. For example, based on average adult speed, reading privacy notices takes 30 minutes to read, making 74 per cent of people skip it and select quick join. Hence, the aim of securing personal data via informed consent cannot be fully achieved owing to time constraints coupled with low digital literacy levels, making it a more tedious task.

Conclusion

DPDP Rules 2025 are centred around the consent model, thus making it a primary requirement for processing data. However, the above analysis highlights several gaps, including digital literacy and cognitive overload, which hinder effective implementation. Hence, these gaps call for a rethinking of how to ensure informed and meaningful consent. Some of the suggestions include having an at-a-glance card where only key elements will be mentioned, including what data will be utilised, the purpose of processing it, and lastly, one clicks option to withdraw the consent. However, an expanded notice should be provided below it in case a user wants to know the full details. Lastly, it must be ensured that the notice also appears in regional languages along with the languages mentioned in Schedule 8. This will help ensure inclusivity, thereby allowing a wider population to form meaningful consent.

About the author

Shreya Maheshwari is a second-year B.COM LLB student at O.P Jindal Global University. She is interested in law and public policy, with a focus on emerging regulatory frameworks in India.

Image Source- https://www.republicworld.com/opinion/how-indias-2025-dpdp-rules-raise-the-bar-for-data-governance