DPDPA Rule 11: The Reality of Verifiable Consent for Persons with Disabilities

DPDPA Rule 11: The Reality of Verifiable Consent for Persons with Disabilities

Stop treating consent as a checkbox. Discover how to implement strict DPDPA verifiable consent for persons with disabilities and lawful guardians under Rule 11.

Sahil Pugalia

Written by

Sahil Pugalia

Date

Read time

7 min

Most companies treat consent as a user interface challenge. Make the button blue, make the text clear, log the click. But when it comes to the DPDP Act persons with disabilities provisions, a click is not enough. DPDPA verifiable consent is not a design choice. It is a legal burden of proof.

Rule 11 of the Digital Personal Data Protection Rules, 2025 operationalizes Section 9(1) of the Act for persons with disabilities who have lawful guardians. It requires a Data Fiduciary to obtain verifiable consent from the lawful guardian before processing the person’s personal data.

But the rule is highly targeted. It applies only when a lawful guardian actually exists under applicable law. Where no lawful guardian exists, standard Section 6 consent rules apply. The immediate risk isn’t just failing to get consent,it is failing to know which rule you are supposed to follow.

Illustration of a person with a disability and their lawful guardian navigating DPDPA verifiable consent.

Who is covered by Rule 11

Rule 11 hinges on two strict elements.

First, the individual is a person with a disability who, despite adequate and appropriate support, is unable to take legally binding decisions. The statute specifically includes individuals with long-term physical, mental, intellectual, or sensory impairments that, due to barriers, hinder full and effective participation in society equally with others. It also explicitly covers conditions related to autism, cerebral palsy, mental retardation, or a combination of such conditions, including severe multiple disability.

Second, the individual must have a lawful guardian under applicable law. This guardianship does not happen by assumption. It arises through appointment by a court under general guardianship laws, or recognition under specific disability statutes.

To navigate this, Rule 11 clarifies the authorities involved: a “designated authority” under Section 15 of the Rights of Persons with Disabilities Act, 2016 (which supports persons with disabilities in exercising legal capacity), and a “local level committee” under Section 13 of the National Trust Act, 1999.

Verifiable consent is a defined standard under the Rules, and it is significantly stricter than ordinary consent. For persons with disabilities who have a lawful guardian, the Data Fiduciary cannot simply take a user’s word for it.

You must:

  • Obtain consent from the lawful guardian before any processing begins.
  • Verify the identity of the consent-giver and confirm that they are an adult.
  • Maintain an auditable record of the verification and consent process.

Verification can be achieved using existing reliable identity and age details already available with the Data Fiduciary, provided they are based on prior verification. Alternatively, you can rely on details voluntarily provided by the guardian, or via a virtual token mapped to identity and age details issued by an authorised entity.

These authorised entities include government or statutory bodies, entities that issue virtual tokens mapped to such details, their delegates, and Digital Locker Service Providers notified under the Information Technology Act, 2000.

The due diligence of guardianship status

Anyone can click a button claiming to be a guardian. Rule 11 requires you to prove they aren’t lying.

Beyond identity and age, Rule 11 sets a specific diligence requirement. When a person identifies themselves as a lawful guardian, the Data Fiduciary must verify that the guardianship is valid under applicable law. This includes confirming that the guardian has been appointed by:

  • A court of law, or
  • A designated authority under the Rights of Persons with Disabilities Act, 2016, or
  • A local level committee under the National Trust Act, 1999.

In practice, this means obtaining and checking court orders, guardianship certificates, or equivalent documents issued under the relevant statutes. The verification must be strong enough to withstand audit or regulatory scrutiny. A checkbox is a theory; a verified court order is evidence.

Practical obligations for Data Fiduciaries

Before a single byte of personal data is processed, the operational friction begins. You must identify whether the data principal is a person with a disability who has a lawful guardian, verify the guardian’s identity and adult status, confirm their guardianship under applicable law, and record every step of that DPDP verifiable consent.

Technical measures: You must implement authentication and age verification for guardians, integrate with Digital Locker or other authorised entities where feasible, and use a consent management system that creates a robust, tamper-proof audit trail.

Organisational measures: You need policies that distinguish between persons with disabilities with guardians and those without. You must train staff on Rule 11 requirements and sensitive engagement. Most importantly, you must maintain detailed records of verification and consent, complete with timestamps and version control.

Risks and liability

Processing the personal data of persons with disabilities who have lawful guardians without verifiable consent is a direct breach of Section 9(1). The financial reality of that breach is stark: penalties under Section 33 can reach up to ₹250 crores.

But the risk isn’t just the absence of consent; it is the inadequacy of verification. Inadequate verification renders the consent invalid, turning all subsequent processing unlawful and triggering severe regulatory and civil exposure. Expect massive reputational risk if lapses involve vulnerable individuals. Guardians can and will raise grievances directly with the Data Fiduciary, with a clear escalation path to the Data Protection Board.

Illustration showing a person with a disability and their lawful guardian providing verifiable consent.

Implementation challenges and workable solutions

Identifying guardianship status: Determining if a person with a disability actually has a lawful guardian is the first hurdle. The workable approach is to use self-declaration paired with clear notices, request guardianship documentation, and where possible, verify through Digital Locker or authenticated copies.

Verifying “lawful” status: Confirming the legality and current validity of a guardianship document is complex. Data Fiduciaries must collect court orders, certificates from designated authorities, or confirmations from local level committees. Maintain verified copies and verification logs, and build triggers to re-verify upon expiry or material changes.

Balancing autonomy and protection: The greatest risk of DPDP Rule 11 compliance is overreach,undermining the autonomy of persons with disabilities who can consent independently. The solution is pragmatic assessment. Apply Rule 11 strictly when a lawful guardian exists, but respect independent consent where there is no guardianship.

Lawful guardian consent DPDP requirements do not exist in a vacuum. They intersect with a complex web of existing legislation:

  • Rights of Persons with Disabilities Act, 2016: Emphasizes equality, non-discrimination, and legal capacity. Rule 11 must be applied in a way that respects autonomy where possible and limits guardian consent to cases where lawful guardianship exists.
  • National Trust Act, 1999: Provides the framework for local level committees and guardianship for specific conditions. Documents from these committees are central to verification.
  • Guardians and Wards Act, 1890: Governs court-appointed guardians, procedures, and powers. This is the baseline for determining who qualifies as a lawful guardian.
  • Mental Healthcare Act, 2017: Introduces nominated representatives and advance directives in mental healthcare contexts. Coordination may be needed where roles overlap.

Operational best practices

  • Build clear identification protocols for persons with disabilities who may have guardians, including scripts and accessible notices.
  • Implement robust verification flows that accept court orders, designated authority certificates, and local level committee documents. Integrate Digital Locker to fetch verified documents.
  • Enforce identity and adult status verification for guardians, utilizing virtual tokens from authorised entities where available.
  • Create end-to-end audit trails for every consent action, including verification steps, document checks, timestamps, and responsible personnel.
  • Train teams on legal requirements and disability sensitivity. Establish clear escalation paths for complex or disputed cases.
  • Communicate transparently with guardians and persons with disabilities, provide accessible notices, and enable easy consent withdrawal.

What changes in practice

Consent collection is no longer a checkbox. It is a verification exercise. You are no longer just asking for permission; you are confirming who is giving it and why they are legally entitled to do so.

Documentation quality is now a survival metric. You must keep verified copies and logs that can prove your diligence months later. Your systems need to support identity, age, and guardianship verification, not just record a boolean consent toggle.

The critical risk hinge is the split decision: teams must know exactly when Rule 11 applies and when standard consent suffices. Achieving this consistently is an execution problem. Processes, systems, and people all need to align. If your consent flow cannot prove identity, adult status, and lawful guardianship on demand, you are exposed.

At Regodit, we know that compliance is only as strong as the evidence backing it. We provide a structured way to operationalize these controls, coordinate the required documentation, and maintain the exact audit trails that regulators expect. If you want to pressure test your current approach or design a compliant process that actually stands up to an audit, schedule a discussion with our team.

Disclaimer: The views and explanations shared in this blog are based on our team's understanding of the relevant compliance frameworks. While every effort has been made to ensure accuracy, readers are encouraged to refer to the original legal provisions and official notifications for authoritative guidance. Please reach out to us at connect@solsphere.ai.

Keep reading

All blogs →