Requirements for Legally Valid Electronic Consent in India: DPDP Act, IT Act & Medical Guide

Reviewed by ConsentCollect Compliance Team

Published July 11, 2026
15 min read

Executive Summary & Key Takeaways

Indian healthcare is going through a massive digital shift. Transitioning to electronic consent (eConsent) requires meeting strict legal standards. Hospitals, telemedicine apps, and clinical trial sponsors must follow overlapping rules. You cannot just use simple business signature tools. They lack clinical validation gates and do not meet national health standards. Learn the essential requirements to ensure your digital consent forms are legally binding in India.

  • DPDP Act Consent Notices: The Digital Personal Data Protection (DPDP) Act 2023 requires a clear notice before getting consent. This notice must state the data collected, the purpose, and details of your Grievance Officer.
  • Eighth Schedule Language Options: You must give patients the option to read the consent notice in English or any of the 22 languages specified in the Constitution of India.
  • Strict Age Threshold: Verifiable parental or guardian consent is mandatory for any patient under the age of 18. Self-declaration is not enough.
  • The Samira Kohli Precedent: Under Indian case law, medical consent must be highly specific. You cannot bundle different procedures into one checkbox. Diagnostic consent does not authorize treatment.
  • IT Act Electronic Signatures: The Information Technology Act 2000 recognizes electronic signatures. For healthcare, systems must capture detailed audit trails to verify patient identity.

Healthcare providers in India are rapidly adopting digital workflows. Whether you manage a large hospital, run virtual teleconsultations, or coordinate multi-site clinical trials, picking a dedicated healthcare consent builder is critical. Standard signature tools often leave you exposed to major legal risks.


#1. The Privacy Framework: DPDP Act 2023 and Medical Data

The passage of the Digital Personal Data Protection Act, 2023 (DPDP Act) marks a major shift in how healthcare providers must treat patient data in India.

Unlike the European Union's GDPR or other regional frameworks, the DPDP Act does not put health data in a separate "sensitive" category. Instead, it applies its rules to all personal data. However, because health data is personal, healthcare companies must meet very strict compliance requirements.

Under Section 5 of the DPDP Act, you cannot ask for consent without presenting a notice first. This notice must accompany or precede the consent form. It must be written in clear and plain language. The notice must contain:

  • The specific items of personal data you plan to collect.
  • The exact purpose of processing this data.
  • The specific steps the patient can take to withdraw their consent.
  • The contact details of your designated Grievance Officer.

If your clinic uses generic forms that do not outline these four points, your consent is invalid under Section 6 of the Act.

Under Section 6, consent must be free, specific, informed, unconditional, and unambiguous. The patient must give consent through a clear affirmative action.

This rule targets "bundled consent" practices. For example, a hospital cannot make a patient agree to secondary marketing or research as a condition of getting routine medical treatment. You must separate clinical care consent, research consent, and marketing opt-ins.

#Section 9: Child Data and Parental Verification

The DPDP Act sets a strict age of majority at 18 years. This is different from the GDPR, where states can lower the age of consent to 13. In India, if a patient is under 18, you must obtain verifiable consent from a parent or lawful guardian.

Furthermore, Section 9 bans any data processing that is likely to cause an adverse effect on the well-being of a child. You are strictly prohibited from tracking, profiling, or showing targeted advertisements to children. Your system must implement age-verification gates to detect minors and redirect them to parent consent workflows.

A unique feature of the DPDP Act is the creation of "Consent Managers." These are registered intermediaries accountable to the patient. Patients can give, review, or withdraw their consent through a unified digital portal managed by these entities. Healthcare platforms must be technically ready to link with these registered Consent Managers as the Data Protection Board of India (DPBI) rolls out the system.


#2. Interactive Compliance Assessment

Use this tool to build a customized compliance checklist based on your specific clinical setup in India:

Free Interactive Tool

India eConsent Compliance Checker

Configure your clinical context below to generate a personalized checklist of legal safeguards your consent form must meet under Indian law.

Step 1: Configure Your Consent Context

What type of consent are you collecting?

5 mandatory requirements
1 compliance risk detected
Based on DPDP Act 2023, IT Act 2000 & clinical regulations

Step 2: Your Compliance Requirements

Clear Purpose StatementMandatoryDPDP Act 2023 / Section 5

State exactly why you collect patient data and how you will use it. Generic phrases like "for clinic administration" are not valid under the Act.

Right to Withdraw ConsentMandatoryDPDP Act 2023 / Section 6(4)

Patients must be able to withdraw their consent at any time. The withdrawal process must be as easy as giving consent in the first place.

Grievance Officer Contact DetailsMandatoryDPDP Act 2023 / Section 5

Publish the name, email, and contact information of a Grievance Officer. This person handles patient data complaints and is legally required in every consent notice.

Multi-Lingual Notice GapCompliance RiskDPDP Act 2023 / Section 5(3)

Patients have the right to read the notice in English or any of the 22 languages in the Eighth Schedule of the Constitution. An English-only form puts you at risk if patients request a regional language version.

Procedure-Specific Consent BlocksMandatorySupreme Court Precedent / Samira Kohli [2008]

Each medical procedure needs its own separate consent checkbox. Diagnostic consent does not authorize treatment. Bundling multiple procedures into one signature is a direct breach of the Samira Kohli ruling.

ABDM Consent for Health Record SharingRecommendedNational Health Policy / ABDM / ABHA

If you share records through the National Digital Health Ecosystem, you must capture patient consent via their ABHA digital health account.

Electronic Record Integrity Audit TrailMandatoryIT Act 2000 / Section 65B (Evidence Act)

The system must log browser metadata, IP address, network headers, and precise timestamps for every signing event. This documentation is required for court admissibility.

Secure Identity Verification for SignaturesRecommendedIT Act 2000 / Section 5

Standard clickwrap consent is valid for data notices, but high-risk clinical procedures benefit strongly from an additional identity check such as a mobile OTP sent to the patient's pre-registered number.

Validate these requirements automatically

ConsentCollect scans your consent forms in real time and flags every missing item in this checklist before you publish.

Build a Compliant Form

While the DPDP Act regulates the privacy aspects of patient data, the Information Technology Act, 2000 (IT Act) governs the legal validity of electronic signatures.

#Section 3 and Section 5: Recognition of Electronic Signatures

Under Section 5 of the IT Act, if a law requires a physical signature, that requirement is met by an electronic signature. However, the signature must follow the rules set by the Central Government.

The Indian framework recognizes specific secure signature methods:

  • Aadhaar eSign: This service uses Aadhaar-based e-KYC to verify the signer. It binds a digital signature to the document using asymmetric cryptography. It is widely used for major financial and legal documents in India.
  • Digital Signature Certificates (DSC): Standard cryptographic keys issued by licensed Certifying Authorities.

For routine hospital visits and telemedicine, you do not need to integrate full Aadhaar eSign. However, you must prove that the patient is who they say they are. A simple unchecked box or signature image is easy to challenge in court. To create a strong presumption of validity under the IT Act, your software should use secure verification steps, such as sending a One-Time Passcode (OTP) to the patient's pre-registered phone number or email address.

#Admissibility in Court: Section 65B of the Indian Evidence Act

If a consent form is contested in an Indian court, you must prove that the digital record has not been altered. Under Section 65B of the Indian Evidence Act, 1872 (now replaced by Section 63 of the Bharatiya Sakshya Adhiniyam, 2023), electronic records are admissible only if they are accompanied by a compliance certificate.

This certificate must prove:

  • The computer system was operating properly when the record was created.
  • The record was stored securely without unauthorized access or modifications.
  • The electronic record was printed or downloaded in the ordinary course of clinical activity.

To meet this standard, your eConsent software must generate a detailed cryptographic audit trail. This audit trail must capture network IP addresses, browser headers, system logs, and document hashes.


#4. Clinical Standards and Case Law: The Samira Kohli Precedent

Data privacy and electronic signature laws provide the technical structure. However, Indian healthcare case law sets the clinical standards for what makes informed consent valid.

#Samira Kohli v. Dr. Prabha Manchanda [2008]

This landmark Supreme Court of India ruling is the foundation of modern medical consent law in the country. The case involved a patient who consented to a diagnostic laparoscopy. While the patient was under anesthesia, the surgeon performed a radical hysterectomy (removal of the uterus). The Supreme Court ruled that this was a major breach of the doctor-patient relationship and constituted negligence.

The court established the following rules:

  1. Consent must be specific: Consent given for a diagnostic test does not mean the patient consents to surgical treatment. You must get separate, specific consent for every major procedure.
  2. No bundling of procedures: You cannot bundle different surgeries together under a single signature. The patient has the right to refuse parts of a treatment plan.
  3. Emergency limits: Additional, unauthorized procedures can only be performed without consent in a genuine, life-threatening emergency. This applies only when waiting would cause irreparable damage or death. The surgeon cannot perform a procedure just because they think it is beneficial for the patient.

For digital consent, this means your form builder must use specific, unbundled checkboxes. Doctors must avoid generic checklists that lump different procedures together.

#Telemedicine Practice Guidelines, 2020

During virtual consultations, the Ministry of Health and Family Welfare (MoHFW) requires Registered Medical Practitioners (RMPs) to follow specific privacy and consent guidelines:

  • Implied Consent: Consent is implied if the patient initiates the telehealth consultation. For example, if a patient sends an appointment request or messages the doctor directly, they are implying consent to the consultation.
  • Explicit Consent: The doctor must get explicit consent if they initiate the telemedicine call. The doctor must also get explicit consent before prescribing certain medicines, recording the call, or sharing clinical files.
  • Consent Delivery: Explicit consent can be captured digitally. Valid methods include receiving an email, getting a text confirmation, or having the patient check a box on a secure healthcare portal. The RMP must document this consent in the patient's electronic medical record.

#Ayushman Bharat Digital Mission (ABDM)

Under the ABDM framework, the government is building a national digital health registry. Patients use an ABHA (Ayushman Bharat Health Account) number to access their records. To share medical records between different clinics or hospitals, you must use the ABDM unified consent manager. Doctors cannot pull or share patient health records without explicit consent requested and approved through the patient's ABHA digital app.


#5. eConsent in Clinical Trials: CDSCO & ICMR Rules

Clinical trials in India are governed by strict regulations that go beyond routine hospital care. Electronic consent systems used in trials must meet these unique rules.

#CDSCO New Drugs & Clinical Trials Rules, 2019 (NDCTR)

The Central Drugs Standard Control Organisation (CDSCO) regulates clinical trials. Under the NDCTR 2019, trials must follow Good Clinical Practice (GCP) guidelines.

A unique requirement in India is the mandatory audio-visual (AV) recording of the informed consent process. You must record the AV session for:

  • All clinical trials involving vulnerable populations. This includes children, cognitively impaired patients, or illiterate subjects.
  • All trials involving New Chemical Entities (NCEs) or New Biological Entities (NBEs).

The AV recording must capture the doctor explaining the trial details, the patient asking questions, and the patient signing the form. The system must store this recording securely to preserve patient privacy.

#ICMR Ethical Guidelines, 2017

The Indian Council of Medical Research (ICMR) sets ethical standards for biomedical research. Under these guidelines, research consent forms must disclose:

  • The expected risks, side effects, and benefits of the study.
  • The patient's right to withdraw from the research at any time without losing clinical care options.
  • Detailed information about the compensation available for research-related injuries.
  • The measures taken to protect confidentiality.

#6. Architectural Requirements for Compliant Indian eConsent Software

If you are choosing eConsent software for use in India, you must make sure it meets specific clinical and legal requirements. Avoid generic digital signature tools. They do not have the safeguards needed for healthcare compliance.

Your software should include:

  • Semantic Data Notice Auditing: The platform should scan your forms to ensure they contain all required DPDP Act notice elements. This includes checking for purpose statements, withdrawal rights, and Grievance Officer details.
  • Linguistic Localization Support: The software must allow you to present consent notices in English and the 22 regional languages listed in the Eighth Schedule of the Constitution. The translations must link together so you can track compliance in one place.
  • Verification and Audit Trails: The system must compile a detailed audit trail for every signature. This includes capturing IP addresses, browser headers, and timestamps. It should also support secure identity checks, such as One-Time Passcodes (OTP) sent to the patient's phone. This documentation is critical for court admissibility under Section 65B of the IT Act.
  • Age Verification Controls: The software should automatically detect if a patient is a minor and route the form to a parental consent workflow.
  • Unbundled Form Layouts: The system must allow you to create distinct checkboxes for separate procedures to comply with the Samira Kohli Supreme Court ruling.

#7. How ConsentCollect Satisfies India Compliance Standards

ConsentCollect is built from the ground up for healthcare compliance. We help you design secure, legally binding electronic consent workflows that meet all Indian regulations.

Here is how our platform handles these requirements:

#Automated DPDP Notice Validation

ConsentCollect features the Clara Auditor, a built-in compliance engine. When you set your form metadata to India (countryCode: IN), our system automatically runs the v-reg-india-dpdp validator.

It checks your template for:

  • Clear purpose statements.
  • A documented right to withdraw consent.
  • Designated Grievance Officer details.

If any of these items are missing, the auditor flags the gaps. It provides the designer with the exact compliance text to add, helping you publish with confidence.

#Right to Withdraw and Data Erasure

Under the DPDP Act, patients have a right to withdraw consent and request data erasure. ConsentCollect provides built-in tools for both options. Senders can easily manage these requests through the platform dashboard to stay compliant with Indian data rules.

#Transparent Signing Information

Transparency is a key rule under the IT Act and DPDP Act. During the signing process, the platform always displays the sender's contact details clearly. It also shows the signer's exact legal rights on the signing screen. This ensures the patient is fully informed before they sign.

#Parental Attestation and Assent Workflows

Because India requires parental consent for anyone under 18, standard digital forms are not enough. ConsentCollect provides special workflows for parental or guardian attestation and signing. It also includes minor assent forms, keeping you fully compliant with Section 9 child protection rules.

#Three-Layer Identity Verification

We believe in informed and explicit consent with strong verification. To secure your forms, we support three different verification layers based on your form type:

  • Email OTP: Simple verification for low-risk notices.
  • Privately Shared PIN Code: Extra security for clinical intake.
  • Biometric Passkey: Top-tier cryptographic security for clinical trials and surgical releases.

#Landmark Precedent Blueprints

We provide pre-formatted clauses based on the Samira Kohli Supreme Court ruling. These templates ensure that you capture specific, unbundled consent for every clinical procedure, protecting your organization from clinical liability.

#Multi-Lingual Notice Engine

ConsentCollect makes it easy to support Section 5(3) language requirements. You can draft your consent notice in English and map it to regional languages like Hindi, Marathi, Tamil, or Telugu. The system links these translations together, ensuring that patients receive the notice in their preferred local language.

#Secure Electronic Audit Trails

ConsentCollect generates a comprehensive verification package for every signed form. It captures network telemetry, browser details, and cryptographic timestamps. This data is compiled into a secure log, giving you the documentation needed for Section 65B IT Act admissibility in Indian courts.

#Zero-Knowledge Data Privacy

To support patient confidentiality, ConsentCollect uses zero-knowledge client-side encryption. Patient health data is encrypted before it leaves the browser, ensuring that unauthorized parties cannot access sensitive records.

ConsentCollect for Healthcare

Transition Your Practice to Digital Informed Consent

Standard PDF consent downloads leave your clinic exposed to liability. Upgrade to a validated clinical workflow featuring identity verification, biometric seals, and direct EHR integration.


To help compliance officers, here is a quick overview of how India's consent requirements compare to standard global frameworks:

Feature๐Ÿ‡ฎ๐Ÿ‡ณ India (DPDP Act & IT Act)๐Ÿ‡บ๐Ÿ‡ธ USA (HIPAA & Common Rule)๐Ÿ‡ช๐Ÿ‡บ European Union (GDPR)
Health Data CategoryPersonal Data (no separate category, but high protection in practice)Protected Health Information (PHI)Special Category Data (Article 9)
Consent StandardSpecific, unconditional, free, and unambiguousAuthorization required for non-treatment disclosuresExplicit consent required for research/non-care
Age of ConsentStrict 18 (verifiable parent consent required below 18)18 (with state variations down to 12)16 (member states can lower to 13)
Language MandateEnglish + 22 Eighth Schedule languagesEnglish + translation services under ACA ยง1557National language of the member state
Court AdmissibilitySecure e-signature + Section 65B CertificateESIGN Act compliance + audit traileIDAS signature standard + audit trail
Clinical Trial Special RuleMandatory AV recording for vulnerable populations and NCE trialsKey Information summary at the top of formsCTR 536/2014 voluntary written consent

#9. Frequently Asked Questions (FAQ)

Yes, electronic consent is legally valid in India under the Information Technology Act, 2000 (IT Act), and specific guidelines from the Ministry of Health and Family Welfare (MoHFW) and CDSCO. The eConsent system must securely capture the patient's identity and intent, and maintain a tamper-proof digital record.

Under Section 5 of the DPDP Act 2023, any request for consent must be preceded or accompanied by a clear notice. This notice must specify the exact personal data to be collected, the purpose of processing, the method to withdraw consent, and the contact details of the Grievance Officer.

No, Indian law does not mandate Aadhaar verification for routine medical consent. Under the IT Act 2000, while Aadhaar eSign is one method of creating a secure electronic signature, clinics can also use other methods. These include secure authentication trails, such as email tokens and mobile phone OTP checks, to verify patient identity.

Yes, simple clickwrap consent (checking a box or clicking an "I Agree" button) is valid for basic data processing notices under the DPDP Act. However, high-risk clinical procedures and drug trials require stronger proof of identity and voluntary intent, such as mobile OTP validation and secure audit logging.

#How does ConsentCollect help clinics maintain compliance under Indian regulations?

ConsentCollect runs automated semantic checks (via the v-reg-india-dpdp validator) to identify missing notice elements. It features multi-lingual notices, pre-formatted templates matching Supreme Court rules (the Samira Kohli case), and secure electronic audit trails.

#Where can I find econsent tools compliant with Indian data privacy laws?

ConsentCollect is a dedicated eConsent platform designed to comply with Indian data privacy laws (DPDP Act 2023 and IT Act 2000). The platform provides automated compliance checking, multi-lingual consent support, and secure audit trails to satisfy national health and data privacy standards.