Your Rights · Section 6(4)
Withdraw your consent — at any time, for any reason
If you have ever consented to a company processing your personal data, the DPDP Act 2023 gives you an unconditional right to withdraw that consent — and they have to make it as easy as giving it was. Here is what the law says, the 6-line email that gets it done, and what happens after you send it.
The law in one paragraph
What Section 6 actually says
Section 6(4) of the DPDP Act: “The Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given.”Section 6(5) follows up: once consent is withdrawn, the Data Fiduciary (and every Data Processor they hired) must stop processingthe data — unless a separate, narrower legal basis still applies (e.g. an active loan account).
In plain English: if signing up took two clicks, withdrawing should also take two clicks. If the “unsubscribe” link doesn’t work, or the company makes you call a hotline only open on weekday afternoons, or asks you to send a notarised letter — that is a violation. The email below is your fallback, and the response (or silence) is evidence you can use later.
Copy, paste, send
The 6-line withdrawal email
Subject: Withdrawal of consent under Section 6(4) of the DPDP Act, 2023
To the Grievance Officer / Data Protection Officer,
[Company name]
I am a Data Principal under the Digital Personal Data Protection Act, 2023.
The personal data you hold about me is linked to:
• Account / customer ID: [your ID or registered email / phone]
• Registered email: [your email]
• Registered phone: [+91 ...]
Under Section 6(4) of the DPDP Act, I hereby withdraw my consent to the
processing of my personal data for ALL purposes that are not legally
mandatory for you to retain. In particular, please immediately:
1. Stop all marketing communication (email, SMS, WhatsApp, push).
2. Stop sharing my data with any third party, advertising network or
data broker.
3. Stop any analytics, behavioural profiling or model training that uses
my data.
Please confirm in writing within 7 days that the above has been actioned,
and tell me which data (if any) you must retain under a specific legal
obligation, together with the reason and retention period.
If I do not hear back, I will proceed under Section 13 (grievance redressal)
and, if needed, file a complaint with the Data Protection Board of India.
Sincerely,
[Your full name]
[Date]
Send it from the email address the company has on file for you, so they can verify your identity without asking for ID. Always cc yourself and keep the sent mail — that is your proof of date and content.
After you send it
What should happen, and by when
Within 48 hours
Marketing stops
Promotional email, SMS, WhatsApp and push notifications must be turned off. If you receive even one after this window, you have a documented violation.
Within 7 days
Written confirmation
A reply confirming what they stopped, and a list of any data they are legally required to keep (with the law that requires it and for how long).
If silence
Escalate
Send one reminder. If still nothing, file a complaint with the Data Protection Board — step-by-step here.
Common questions
FAQ
Do I have to give a reason for withdrawing?
No. Section 6(4) is unconditional — you can withdraw consent at any time, for any or no reason, and the company cannot ask you to justify it before acting.
How long do they have to act on a withdrawal?
The Rules expect prompt action — most companies treat it as a 7-day SLA, and large platforms must do it within a reasonable time. Marketing communications should stop within 48 hours of receipt. If they keep contacting you after that, that is itself a violation.
Will my account or service stop working?
If the consent you withdrew was for a feature that genuinely needs that data (e.g. KYC for a bank account), that feature stops. The company must clearly tell you what stops — and they cannot withhold a service for refusing optional data, like marketing tracking.
Does withdrawal erase my data?
Not automatically. Withdrawal stops new processing. To erase the historical data you also need to send an erasure request (Section 12) — we have a template for that too.
What if the company says they need to keep the data for tax / legal reasons?
That is allowed under Section 8(7) for genuine legal-retention. But they must (a) stop using it for any other purpose, (b) tell you what they are keeping and why, and (c) delete it the moment the legal hold expires.