Every week, someone in an HR team somewhere in India sends a candidate’s documents to a BGV vendor before the offer letter is even signed — let alone before asking permission. It happens quietly, routinely, and often with zero awareness that it might be illegal.
So let’s address this head-on: Can you run a background verification on a candidate without their explicit consent? And more importantly — what happens if you do?
The short answer is no. The more honest answer is: it’s complicated, it’s evolving, and the consequences of getting it wrong are only getting steeper.
Why This Question Keeps Coming Up
BGV without consent isn’t always deliberate. Often it happens because of process gaps — a vendor who starts preliminary checks the moment a resume is shortlisted, an HR team that buried a consent clause somewhere inside a 12-page offer letter, or a hiring manager who assumes that applying for a job is consent enough.
These assumptions are legally fragile.
India doesn’t have a single dedicated statute for background verification. But the absence of one specific law doesn’t mean the activity is unregulated — it means it’s governed by multiple laws simultaneously, and non-compliance with any one of them can expose an employer to serious liability.
What Indian Law Actually Says
The IT Act, 2000 and SPDI Rules, 2011
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 — commonly called the SPDI Rules — were the first real signal that India takes personal data seriously. These rules require organisations to obtain written consent before collecting or processing sensitive personal data, which includes identity documents, financial records, and biometric information — all of which are commonly gathered during a BGV exercise.
Running checks on a candidate’s Aadhaar, PAN, employment history, or address without their knowledge isn’t just ethically questionable under these rules. It’s non-compliant.
The Digital Personal Data Protection Act, 2023
This is where things have fundamentally shifted.
The DPDP Act, 2023 — with its Rules notified in November 2025 — is India’s first comprehensive data protection law. It operates on one central principle: explicit, informed, and purpose-specific consent. The Act gives individuals (called “Data Principals”) the right to know what data is being collected about them, why it’s being collected, and who it’s being shared with.
For background verification, this has direct consequences:
Consent must be obtained before any check is initiated — not buried in fine print, not assumed from a job application
The consent must be specific to BGV — a generic “I agree to terms” won’t hold up
The employer (as Data Fiduciary) remains fully liable even if a third-party vendor conducts the actual checks
Data collected for verification must be deleted after the purpose is served — holding onto rejected candidates’ reports indefinitely is itself a violation
The DPDP Rules 2025 have further tightened this — requiring consent forms to be in plain language, and in regional languages for pan-India operations. Any consent form drafted before November 2025 likely needs to be replaced entirely.
The Indian Contract Act, 1872
There’s another angle that rarely gets discussed. A BGV agreement signed under duress or without genuine understanding of its scope may not constitute valid consent under contract law. If a candidate feels they have to sign — because the offer depends on it — without being given adequate time or information to make an informed choice, the validity of that consent becomes arguable. Courts have increasingly taken a dim view of fine-print consent buried in employment contracts.
The “Implied Consent” Myth
A common defence from employers is that candidates impliedly consent to verification by applying for a job. “They submitted their documents. That’s consent enough.”
This logic doesn’t survive legal scrutiny.
The DPDP Act is unambiguous: implied consent is not consent. Voluntary submission of documents for one purpose (applying) does not extend permission for another purpose (verification of those documents with third parties, former employers, or government databases). These are distinct actions, and each requires its own legal basis.
The distinction matters even more when you consider what BGV vendors actually do — they contact past employers, run criminal database checks, verify educational institutions, and sometimes conduct physical field visits. None of that is implied by submitting a resume.
What Happens When BGV Is Done Without Consent
The risks aren’t hypothetical anymore.
For the candidate: A person subjected to BGV without consent has grounds to raise a formal complaint under the DPDP Act. They can demand to know what data was processed, request deletion, and seek damages for unauthorized processing.
For the employer: Under the DPDP Act, penalties for data processing violations can run into crores. More practically, evidence gathered through an improperly consented BGV process may be legally challenged — meaning that a discrepancy discovered without proper consent could be difficult to act upon without exposing the company to a legal counterclaim.
For the BGV vendor: Vendors who process data without valid employer-to-candidate consent chains are also exposed. The DPDP Rules make it clear that Data Processing Agreements between employers and vendors are mandatory — not optional formalities.
What Proper Consent Looks Like in 2026
Given everything above, here’s what a legally defensible BGV process actually requires:
1. A standalone consent form — not embedded in the offer letter or employment agreement. It should clearly state what checks will be conducted, which third parties will be involved, and how long the data will be retained.
2. Purpose limitation — the consent must be specific to background verification. It cannot be a blanket permission for any future data use.
3. Timing — consent must come before checks are initiated. Many companies initiate BGV with the conditional offer, which is acceptable — but only if the candidate has signed the consent document first.
4. Candidate rights disclosure — the candidate must be told they have the right to withdraw consent (even if withdrawal may affect the employment offer), and the right to access and correct their information.
5. Vendor compliance — your BGV partner must operate under a signed Data Processing Agreement. Outsourcing the check does not outsource the liability. If your vendor mishandles a candidate’s data, you — as the Data Fiduciary — remain responsible.
A Note on Background Verification Platforms
Platforms built specifically for the Indian regulatory environment — like OnGrid — have compliance built into the architecture, not bolted on as an afterthought. Consent collection is digital, timestamped, and audit-ready. Every step of the verification chain is documented, which matters enormously when a candidate or regulator asks “when was consent obtained and what was it for?”
This is the difference between a BGV process that protects your organisation and one that creates liability at every stage.
The Bottom Line
BGV without consent isn’t a grey area in India anymore — it’s a clear legal risk, and the DPDP Act has made enforcement far more serious than it was even two years ago.
The question for HR and compliance teams isn’t “do we need consent?” — that answer is settled. The question is: “Is our current consent process actually valid, specific, documented, and built for the standards that apply today?”
If you’re not sure, that uncertainty itself is the answer. A consent form written in 2022 isn’t compliant with rules notified in 2025. A vendor you’ve worked with for years may not have updated their Data Processing Agreements. A process that “worked fine” without incident isn’t the same as a process that is legally sound.
Audit your BGV workflow now — before a candidate does it for you.




