top of page

Understanding Consent - Digital Personal Data Protection Act 2023

  • Writer: Khushbu Jain
    Khushbu Jain
  • 2 days ago
  • 3 min read

Updated: 6 hours ago




Q. 1. How can businesses ensure that consent is freely given and unconditional?


To ensure that consent is freely given and unconditional under the Digital Personal Data Protection Act (DPDP Act), 2023, businesses must adhere to the following practices:


  1. Avoid Coercion or Conditioning Access

Consent must not be tied to unrelated conditions. For example:

  • Do not make access to a service or product conditional on providing consent unless the data processing is strictly necessary for delivering that service or product.

  • Public parts of a website or app should remain accessible even if a user declines consent for non-essential data processing, such as analytics or marketing cookies.


2. Provide Clear and Transparent Information

Use a privacy notice to inform users about:

  • The specific categories of personal data being collected.

  • The purposes for which the data will be processed.

  • The rights of the data principal, including the right to withdraw consent at any time.

Ensure the information is easy to understand, using plain language and avoiding legal jargon.


  1. Affirmative Action for Consent

    • Require users to actively opt in through clear actions, such as checking a box, clicking an "I agree" button, or signing a form.

    • Avoid passive methods like pre-ticked boxes or implied consent from inactivity (e.g., merely browsing a website).


  2. Separate Consent Requests

Do not bundle consent with other terms and conditions. Each purpose of data processing should have a separate consent option, ensuring that users are not forced to agree to unnecessary processing.


  1. Enable Easy Withdrawal of Consent

Provide mechanisms for users to withdraw their consent as easily as they gave it. For example:

  • Include options in account settings or provide a simple "withdraw consent" button.

  • Ensure withdrawal does not invalidate prior lawful processing but stops future processing immediately.


6. Use Consent Managers

Recognize and integrate with consent managers, which act as intermediaries enabling users to manage, review, and withdraw their consents across multiple services transparently.


  1. Maintain Records of Consent

Keep auditable records showing:

  • When and how consent was obtained.

  • The specific purposes for which it was given.

  • That it was freely given without coercion.

By implementing these practices, businesses can ensure compliance with the DPDP Act's standards for free and unconditional consent while fostering trust with their user



Q. 2. What are the best practices for businesses to obtain explicit consent?


Under India’s DPDP Act, 2023, businesses must adopt robust consent management practices to ensure compliance and avoid penalties. Below is a structured guide addressing key requirements and best practices:


Best Practices for Obtaining Explicit Consent


  1. Clear Affirmative Action:

    • Require users to take unambiguous actions, such as checking an unticked box, clicking "I agree," or signing a digital form.

    • Avoid pre-ticked boxes or passive consent methods (e.g., implied consent from continued website use).


  2. Granular Consent Options:

    • Provide separate opt-ins for distinct purposes (e.g., marketing vs. service delivery) to ensure specificity.

    • Allow users to select specific data points they consent to share.


  3. Transparency Through Privacy Notices:

    • Mandatory Content:

      • Categories of personal data collected.

      • Purpose of processing.

      • Rights of data principals (access, correction, erasure).

      • Contact details of the Data Protection Officer (DPO).

    • Accessibility:

      • Provide notices in English and all 22 languages listed in the Eighth Schedule of the Indian Constitution.


Q. 3. How can businesses ensure that consent is not coerced or influenced?


Preventing Coerced Consent

  • Avoid Bundling: Do not tie consent to unrelated terms (e.g., denying service unless users agree to marketing).

  • No Conditional Access: Ensure non-essential data processing (e.g., analytics) does not block access to core services.

  • Voluntary Participation: Clearly distinguish mandatory data fields from optional ones.


Role of Consent Managers

  • Use interoperable platforms to let users manage, review and withdraw consent across services.

  • Ensure consent managers are registered with the Data Protection Board of India (DPBI) and provide transparent interfaces.


Handling Consent Withdrawal

  • Ease of Withdrawal:

    • Enable withdrawal through mechanisms as simple as the consent process (e.g., a "Withdraw Consent" button).

    • Process withdrawals promptly and delete data unless retention is legally mandated.

  • Record-Keeping:

    • Maintain timestamped logs of consent withdrawals and actions taken.


Q. 4. What are the penalties for businesses that fail to obtain proper consent?


Penalties for Non-Compliance

  • Financial Penalties:

    • Up to ₹50 crore per violation for failures like inadequate consent notices.

    • Up to ₹200 crore for breaches involving children’s data or security failures.

  • Factors Influencing Penalties:

    • Severity, repetition of violations and gains from non-compliance.


Key Compliance Steps

  1. Revalidate pre-DPDP consents via updated notices.

  2. Use automated systems to track consent lifecycle and generate audit trails.

  3. Educate staff on DPDP requirements, especially for handling children’s data and sensitive cases.


By integrating these practices, businesses can align with the DPDP Act’s emphasis on transparency, user control and accountability while mitigating legal risks.


____________________________________________________________________



 
 
 

Comments

bottom of page