The blind spot every DPDP vendor has

Open the marketing site of any global compliance platform and you will see the same screenshot — a cookie banner on a desktop browser, with a friendly "Accept All" button. That is the only consent moment those platforms are built for. It is also the consent moment that has very little to do with how Indian businesses actually meet customers.

India runs on physical commerce. A telecom retailer onboards a new SIM at a counter in a tier-3 town. A bank opens a savings account at a branch in a tier-2 city. A pharmacy chain captures patient details for a chronic-care programme at the till. A clinic registers a new patient at the front desk. None of these moments involve a website. All of them, under the Digital Personal Data Protection Act 2023, require verifiable, purpose-specific consent from the data principal — and a defensible audit trail showing that consent was free, informed and given before the personal data was collected.

If your DPDP platform cannot capture consent at the physical counter, it cannot defend the most enforcement-prone consent moments your business has.

What QR-based consent actually is

QR-based consent is a deceptively simple idea executed properly: a printed QR code at every physical touchpoint resolves to a purpose-specific, mobile-optimised consent screen in the data principal's preferred language. The customer scans, reads the notice, gives or declines consent for each purpose, and the consent record is written to the consent ledger with a timestamp, IP and device fingerprint, the exact privacy notice version they saw, and a hash of the displayed text.

Every element of that flow exists to satisfy a specific DPDP obligation:

  • Section 5 — the notice must be in plain English or any language listed in the Eighth Schedule. The QR resolves to the customer's chosen language; the language toggle and the version of the notice they read are both stored.
  • Section 6 — consent must be free, specific, informed, unconditional, unambiguous and given by clear affirmative action. A scan-and-tap is a clear affirmative action; per-purpose toggles deliver specificity.
  • Section 6(4) — the data principal has the right to withdraw consent as easily as it was given. The same QR can be reused later from any device, opens to a preference centre, and lets the customer withdraw or modify any purpose with a single tap.
  • Section 8(7) — the Data Fiduciary must maintain a record of consent. The QR-driven flow writes an immutable, hash-chained ledger entry with the full context — this is what an Adjudicating Officer will ask for during an enforcement inquiry.
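
The ledger record and hash chain described above, as an added Python example (not Complynz's implementation). The field names, the ConsentLedger class and all sample values are assumptions made for illustration; a withdrawal is modelled as a new appended entry, never an edit to an earlier one.

```python
import hashlib, json
GENESIS = "0" * 64  # prev_hash of the very first entry

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def entry_hash(body: dict) -> str:  # canonical JSON keeps the hash reproducible
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")))

class ConsentLedger:
    def __init__(self):
        self.entries = []  # append-only list of dict entries

    def append(self, principal_ref, location_id, purposes, language,
               notice_version, notice_text, timestamp, ip, device_fp):
        body = {"principal_ref": principal_ref, "location_id": location_id,
                "purposes": purposes, "language": language,
                "notice_version": notice_version, "timestamp": timestamp,
                "ip": ip, "device_fp": device_fp,
                "notice_hash": sha256_hex(notice_text),  # hash of the text shown
                "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS}
        self.entries.append({**body, "entry_hash": entry_hash(body)})

    def verify(self, notices):  # index of first inconsistent entry, or -1 if intact
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            shown = notices.get((e["notice_version"], e["language"]))
            if (e["prev_hash"] != prev or entry_hash(body) != e["entry_hash"]
                    or shown is None or sha256_hex(shown) != e["notice_hash"]):
                return i
            prev = e["entry_hash"]
        return -1

    def current_consent(self, principal_ref):
        state = {}  # later entries override earlier ones, purpose by purpose
        for e in self.entries:
            if e["principal_ref"] == principal_ref:
                state.update(e["purposes"])
        return state

def build_sample():
    # Constructed sample: one grant at a branch counter, one later withdrawal.
    notices = {("v3", "hi"): "constructed notice text, version 3, Hindi"}
    led, ctx = ConsentLedger(), ("hi", "v3", notices[("v3", "hi")])
    led.append("cust-001", "branch-17", {"loyalty": True, "marketing": True},
               *ctx, "2026-01-06T14:05:00+05:30", "203.0.113.9", "fp-1")
    led.append("cust-001", "branch-17", {"marketing": False},
               *ctx, "2026-02-10T09:30:00+05:30", "203.0.113.9", "fp-1")
    return led, notices
```

A hash chain makes tampering evident, not impossible: anyone able to rewrite the whole store can recompute every hash, so the latest entry_hash has to be anchored somewhere the ledger operator cannot alter. The notice texts must also be archived per version and language, otherwise the stored notice_hash cannot be checked against anything.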

Where QR consent matters most

Five real-world surfaces drive the bulk of the value:

  1. Retail and quick-service restaurants — a QR at the till lets you collect loyalty-programme consent without a paper form, while keeping a perfect audit trail of who consented, when, and to what.
  2. Branch and field banking — for the segments of the population that walk into a branch, QR consent replaces the multi-page paper form with a 60-second mobile flow. The BFSI auditor gets clean, indexed records.
  3. Healthcare — patient registration, vaccination drives, diagnostic camps. Each has its own purpose and its own retention rule; QR consent encodes both.
  4. Events and conferences — a single QR at the registration desk replaces the lanyard scan + spreadsheet workflow that has historically been the worst DPDP exposure for B2B marketers.
  5. Real-estate site visits, automotive test drives, insurance lead capture — anywhere a sales executive collects a phone number on a notepad today.

Why no other DPDP platform ships it

The reason is structural, not accidental. Global GRC suites were built for the GDPR-era web — long privacy policies, cookie banners, web forms. They have no concept of an offline touchpoint, no inventory of physical locations, no QR-management workflow, and no integration with point-of-sale or branch systems. Building it later is hard because the consent ledger, the language stack, and the preference centre all have to be re-architected to handle the additional metadata. As of 2026, none of OneTrust, GoTrust, Privy by IDfy, Leegality or CookieYes ships QR-based consent as a native module. Complynz does — see the DPDP Platform Comparison 2026 for the full feature matrix.

The Complynz QR Consent module — what you get

  • QR generator with per-location, per-purpose configuration; bulk export for printing on signage, receipts and brochures.
  • Localised consent flows in all 22 Eighth Schedule languages plus Hinglish — the customer chooses, you don't have to print 22 different posters.
  • Purpose-specific opt-in with one toggle per purpose, satisfying Section 6's specificity requirement.
  • Immutable consent ledger with notice-version hash, timestamp, device fingerprint, and one-tap withdrawal.
  • Real-time consent-rate analytics per location, per purpose, per language — so the marketing and compliance teams share the same dashboard.
  • Native integration with the Complynz DSR portal, grievance workflow, and breach-notification module — every consent record is reachable from every other workflow.

Operational rollout — what to expect

For most of our customers the rollout is a 10–14 day project, not a multi-month programme:

  1. Days 1–3: map physical locations and processing purposes; configure language defaults per geography.
  2. Days 4–7: generate and approve the localised consent screens; legal sign-off on the underlying privacy notices.
  3. Days 8–10: print and place QR signage; train branch and store staff on the 30-second customer pitch ("scan this and choose what you'd like to share with us").
  4. Days 11–14: dashboards, alerts and reporting handed over to the compliance team.

The audit moment that matters

Imagine an Adjudicating Officer asking, eighteen months from now, for the consent record of a specific customer who walked into your tier-3 branch on a particular Tuesday afternoon. With QR-based consent and an immutable ledger, you produce the record in under 30 seconds — the language they read, the purposes they accepted, the version of the notice on display that day, and the timestamp. With a paper form, you spend three weeks looking through the basement of a regional office. The DPDP Act allows for penalties of up to ₹250 crore. Which scenario are you optimising for?

FAQ

Is a QR-based consent capture legally valid under the DPDP Act 2023?

Yes. The DPDP Act does not prescribe the medium of consent capture; it requires that consent be free, specific, informed, unconditional, unambiguous and given by clear affirmative action (Section 6), and that a record of consent be maintained (Section 8(7)). A QR-driven flow that presents a localised privacy notice, captures per-purpose opt-ins through clear affirmative taps, and writes an immutable ledger entry meets every one of those requirements — and is materially stronger as evidence than a paper form.

Which other DPDP platforms in India ship QR-based consent natively?

As of 2026, none of OneTrust, GoTrust, Privy by IDfy, Leegality or CookieYes ship QR-based consent capture as a native module. Complynz is the only platform with QR Consent in the standard offering — see the DPDP Platform Comparison 2026.

Do I need separate QRs per location and per purpose?

Yes for the location dimension (so you can attribute consent and trace down to the physical touchpoint), and yes for the purpose dimension if your processing purposes differ materially across surfaces. The Complynz QR generator lets you configure both in a single console; bulk export then produces ready-to-print files.

How quickly can a typical retail or BFSI customer roll this out?

Most Complynz QR Consent rollouts are live in 10–14 days, including legal sign-off on the privacy notices and signage placement. The blocker is rarely the technology — it is the time required for the legal team to approve the localised notices.

Talk to our team: hello@complynz.com