DPDPA Section 4: grounds for processing digital personal data — consent or 'certain legitimate uses'
DPDPA Section 5: notice to the Data Principal at or before consent (purpose, rights, grievance route)
DPDPA Section 6: consent must be free, specific, informed, unconditional, unambiguous, with clear affirmative action; right to withdraw
DPDPA Section 7: certain legitimate uses (voluntary disclosure, State functions, medical emergency, employment, etc.) — exhaustive list, not a general 'legitimate interests' basis
IT Act 2000 Section 43A: compensation payable by a body corporate for failure to maintain reasonable security practices in handling sensitive personal data or information (SPDI)
IT Act 2000 Section 66: computer-related offences — dishonest or fraudulent acts referenced in Section 43
IT Act 2000 Section 69A: central government power to issue blocking directions for online content (relevant to AI-generated content takedowns)
IT Act 2000 Section 70B: statutory basis for CERT-In as the national agency for cyber-incident response