PART 5 OF 8

Consent & Notice Requirements

1. Consent as the Foundation

Under the DPDPA 2023, consent is the primary legal basis for processing personal data. Section 6(1) requires consent to be free, specific, informed, unconditional and unambiguous, given with a clear affirmative action that signifies agreement to processing for a specified purpose, and limited to the personal data necessary for that purpose. This reflects the principle that individuals should have meaningful control over how their personal data is used.

1.1 Elements of Valid Consent

| Element                  | Requirement                                 | Invalid Practice                     |
|--------------------------|---------------------------------------------|--------------------------------------|
| Freely given             | No coercion, pressure, or undue influence   | Bundling consent with service access |
| Specific                 | For an identified, particular purpose       | Blanket consent for all purposes     |
| Informed                 | Clear notice provided before consent        | Hidden or unclear privacy terms      |
| Unconditional            | No conditions attached to consent           | Pre-conditions or quid pro quo       |
| Unambiguous              | Clear indication of agreement               | Pre-ticked boxes or silence          |
| Clear affirmative action | Active step by the data principal           | Opt-out mechanism                    |

2. Notice Requirements

Section 5 mandates that every request for consent must be accompanied by an itemized notice. The notice is the foundation of informed consent and must provide data principals with sufficient information to make meaningful choices.

2.1 Notice Design Principles

Best Practices for Notice

  • Clarity: Use plain, simple language avoiding legal jargon
  • Layered approach: Summary with links to detailed information
  • Accessibility: Available in languages understood by data principals
  • Timing: Provided before or at time of data collection
  • Visibility: Prominently displayed, not buried in terms
  • Itemized: Specific categories and purposes listed clearly
  • Actionable: Clear instructions on exercising rights

2.2 Language Requirements

Section 5(3) requires the data fiduciary to give the data principal the option to access the contents of the notice, and of the consent request, in English or in any of the 22 languages listed in the Eighth Schedule to the Constitution. In practice this means offering an English version alongside the Eighth Schedule languages relevant to the user base. Examples by region:

| Language Category | Examples                               |
|-------------------|----------------------------------------|
| English           | English version always offered         |
| Regional (North)  | Hindi, Punjabi, Kashmiri, Urdu         |
| Regional (South)  | Tamil, Telugu, Kannada, Malayalam      |
| Regional (East)   | Bengali, Odia, Assamese, Manipuri      |
| Regional (West)   | Marathi, Gujarati, Konkani             |

Sample Privacy Notice Structure

Layer 1 (Summary):
- Identity of data fiduciary
- Categories of data collected
- Primary purposes
- Key rights and how to exercise them
- Link to full notice

Layer 2 (Detailed):
- Comprehensive list of data categories
- All purposes with descriptions
- Third-party sharing details
- Retention periods
- Rights exercise procedures
- Grievance officer contact
- Complaint mechanism to Board

3. Legitimate Uses Without Consent

Section 7 of DPDPA recognizes that consent may not always be feasible or appropriate. The Act provides for "legitimate uses" - specific situations where processing is permitted without consent.

3.1 Voluntary Provision (Section 7(a))

When a data principal has voluntarily provided personal data to the data fiduciary for a specified purpose, and has not indicated that she does not consent to its use for that purpose, processing for that purpose is permitted. Key conditions:

  • Data principal initiates the provision of data
  • Specified purpose is clearly stated
  • Notice has been provided
  • Data principal does not object
  • Processing limited to stated purpose

3.2 State Functions (Sections 7(b) and 7(c))

The State and its instrumentalities may process personal data without consent for:

  • Providing a subsidy, benefit, service, certificate, licence or permit to the data principal (Section 7(b)), where the principal has previously consented to such processing or the data is already held in a State database
  • Performance of any function under law (Section 7(c))

3.3 Employment Purposes (Section 7(i))

Employment Processing

Employers may process employee data without separate consent for purposes of employment, or for safeguarding the employer from loss or liability; the Act's own examples are prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property and classified information, and provision of any service or benefit sought by the employee. Typical covered activities include recruitment, attendance, performance evaluation, benefits administration and compliance with employment laws. The ground does not extend to processing unrelated to the employment relationship.

3.4 Comparison: Consent vs Legitimate Use

| Aspect                | Consent-Based                   | Legitimate Use                            |
|-----------------------|---------------------------------|-------------------------------------------|
| Data principal action | Affirmative consent required    | No consent needed                         |
| Notice requirement    | Mandatory with consent request  | May be required depending on the ground   |
| Withdrawal right      | Yes, at any time                | Limited; processing may continue          |
| Documentation         | Consent records required        | Justification documentation               |
| Scope                 | As specified in consent         | As necessary for the legitimate purpose   |

4. Withdrawal of Consent

The right to withdraw consent is fundamental to data principal autonomy. Section 6(4) ensures that consent withdrawal is as easy as giving consent.

4.1 Withdrawal Mechanism Requirements

Ease of Withdrawal Principles

  • If consent given online, withdrawal should be possible online
  • If consent given via single click, withdrawal via single click
  • No excessive steps or barriers to withdrawal
  • Clear and accessible withdrawal option
  • No penalty or fee for withdrawal
  • Prompt effect of withdrawal

4.2 Consequences of Withdrawal

  • Cessation of processing: Data fiduciary must stop processing for consented purposes
  • Data deletion: Unless retention required by law or legitimate use
  • Third-party notification: Notify processors and third parties
  • Service impact: May affect provision of services dependent on data
  • Prior processing: Withdrawal does not affect lawfulness of prior processing

Common Non-Compliance Issues

Organizations often make withdrawal difficult through: hidden withdrawal options, excessive verification steps, lengthy waiting periods, requiring phone calls when consent was online, dark patterns discouraging withdrawal. Such practices violate the "ease of withdrawal" requirement and may attract penalties.

5. Consent for Specific Purposes

Consent must be obtained separately for each specified purpose. Bundled or omnibus consent is not valid under DPDPA.

5.1 Purpose Specification

| Valid Purpose Specification                                   | Invalid Purpose Specification |
|---------------------------------------------------------------|-------------------------------|
| "To process your order and arrange delivery"                  | "For our business purposes"   |
| "To send promotional emails about similar products"           | "For marketing"               |
| "To share with logistics partner for delivery"                | "To share with third parties" |
| "To analyze purchase history for personalized recommendations"| "To improve your experience"  |

5.2 Change of Purpose

If the data fiduciary wishes to process data for a new purpose not covered by original consent:

  1. Fresh consent must be obtained for the new purpose
  2. Updated notice must accompany the consent request
  3. Original consent does not extend to new purposes
  4. Data principal has right to refuse consent for new purpose

6. Consent Records and Evidence

Data fiduciaries must maintain records demonstrating valid consent was obtained. This is crucial for accountability and in case of disputes or regulatory inquiries.

6.1 Consent Record Requirements

Documentation Elements

  • Identity of data principal (or verified identifier)
  • Date and time of consent
  • Method of consent capture
  • Version of notice/policy presented
  • Specific purposes consented to
  • Any modifications or withdrawals
  • Technical logs (IP address, device, etc.)
  • Audit trail of consent lifecycle

6.2 Consent Management Systems

Organizations should implement technical solutions for consent management:

  • Consent capture: UI components for obtaining consent
  • Storage: Secure database for consent records
  • Retrieval: Quick access for data subject requests
  • Updates: Mechanism to refresh consent when needed
  • Withdrawal: Easy withdrawal and propagation
  • Reporting: Analytics and compliance reporting
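The record elements in 6.1 and the capture, storage, withdrawal and retrieval functions in 6.2 can be demonstrated as one small consent ledger. The Python below is an added example written for this page; it is not code from the Act, from any regulator, or from any consent-management product, and every class, function and field name in it is this example's own assumption. It also exercises the rules from sections 4.2 and 5: a grant for one purpose never covers another, a withdrawal stops future processing but leaves earlier processing lawful, and blanket purposes such as "For marketing" are refused at capture time. The purpose strings and event context values are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

# Constructed denylist of vague purposes (the invalid column of 5.1). A real
# system would review purposes editorially; this string match is illustrative.
BLANKET_PURPOSES = {
    "for our business purposes", "for marketing", "to share with third parties",
    "to improve your experience", "all purposes",
}


def is_specific_purpose(purpose: str) -> bool:
    """Reject known blanket phrasings; everything else passes to human review."""
    return purpose.strip().lower() not in BLANKET_PURPOSES


@dataclass
class ConsentEvent:
    """One grant or withdrawal for one (data principal, specified purpose) pair."""
    principal_id: str      # verified identifier of the data principal
    purpose: str           # a single specified purpose, never a bundle
    action: str            # "grant" or "withdraw"
    notice_version: str    # version of the itemized notice shown at capture
    method: str            # capture channel, e.g. "web-checkbox"
    timestamp: str         # ISO-8601 with timezone offset
    context: dict          # technical log: IP address, user agent, etc.
    prev_hash: str         # hash of the preceding event (chain link)
    event_hash: str = ""   # SHA-256 over every field above

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "event_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    """Hypothetical append-only, hash-chained consent record."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.events: list[ConsentEvent] = []

    def _append(self, principal_id: str, purpose: str, action: str,
                notice_version: str, method: str, context: dict,
                ts: Optional[str]) -> ConsentEvent:
        ts = ts or datetime.now(timezone.utc).isoformat()
        prev = self.events[-1].event_hash if self.events else self.GENESIS
        ev = ConsentEvent(principal_id, purpose, action, notice_version,
                          method, ts, dict(context), prev)
        ev.event_hash = ev.compute_hash()
        self.events.append(ev)
        return ev

    def grant(self, principal_id, purpose, notice_version, method, context, ts=None):
        # Specific purpose only: a blanket purpose is refused before storage.
        if not is_specific_purpose(purpose):
            raise ValueError(f"purpose too vague for valid consent: {purpose!r}")
        return self._append(principal_id, purpose, "grant", notice_version,
                            method, context, ts)

    def withdraw(self, principal_id, purpose, method, context, ts=None):
        # Recorded through the same single-step channel as the grant; no notice
        # version applies because a withdrawal is not a new consent request.
        return self._append(principal_id, purpose, "withdraw", "n/a",
                            method, context, ts)

    def is_permitted(self, principal_id: str, purpose: str,
                     at: Optional[str] = None) -> bool:
        """True if the latest event for this (principal, purpose) pair, counting
        only events up to `at` (default: all), is a grant. Consent for one
        purpose never carries over to another, and asking with `at` set to an
        earlier time shows that a later withdrawal leaves prior processing lawful."""
        cutoff = datetime.fromisoformat(at) if at else None
        state = None
        for ev in self.events:
            if ev.principal_id != principal_id or ev.purpose != purpose:
                continue
            if cutoff and datetime.fromisoformat(ev.timestamp) > cutoff:
                continue
            state = ev.action
        return state == "grant"

    def verify_chain(self) -> bool:
        """Recompute every hash and link; False if any stored record was altered."""
        prev = self.GENESIS
        for ev in self.events:
            if ev.prev_hash != prev or ev.compute_hash() != ev.event_hash:
                return False
            prev = ev.event_hash
        return True

    def history(self, principal_id: str) -> list:
        """Audit trail for one data principal, e.g. to answer an access request."""
        return [asdict(ev) for ev in self.events if ev.principal_id == principal_id]


if __name__ == "__main__":
    led = ConsentLedger()
    ctx = {"ip": "203.0.113.5", "ua": "sample-browser"}   # constructed sample
    led.grant("dp-001", "To process your order and arrange delivery",
              "notice-v3", "web-checkbox", ctx)
    print(led.is_permitted("dp-001", "To process your order and arrange delivery"))
    print(led.is_permitted("dp-001", "To send promotional emails about similar products"))
    print(led.verify_chain())
```

The hash chain is what turns a consent table into evidence: a record silently edited after the fact, say an IP address or a purpose string, breaks `verify_chain()`, so the fiduciary can show a regulator that the stored lifecycle is the one that actually happened. Per-purpose state is the mechanism behind 5.2 as well: a new purpose has no events and therefore no permission until a fresh grant is appended.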

7. Key Takeaways

Summary Points

  • Consent must be free, specific, informed, unconditional, and unambiguous
  • Clear affirmative action required - pre-ticked boxes or silence not valid
  • Notice must be itemized, clear, and in accessible language
  • Legitimate uses provide alternatives to consent in specific situations
  • Consent withdrawal must be as easy as giving consent
  • Purpose must be specifically stated - blanket consent invalid
  • Fresh consent needed for new purposes
  • Comprehensive consent records essential for compliance
  • Consent Managers provide centralized consent management option