As per the Digital Personal Data Protection Act, 2023 (DPDPA), a Privacy Notice should accompany or precede a consent request to a Data Principal. As stated in the DPDPA, consent should be free, specific, informed, unconditional, and unambiguous, with a clear affirmative action signifying the Data Principal’s assent to the processing of personal data to the extent necessary for a specified purpose.
- Consent should be free: Data Principals are expected to have a real choice to exercise in respect of the processing of their personal data by an organization for the purposes mentioned in the privacy notice (‘specified purposes’). For example, consent is not valid if a Data Principal has no choice to accept or reject the processing of her personal data for the purposes mentioned in the notice.
- Consent should be specific: Any request for consent for processing personal data should be specific to the purpose in the notice. An ideal approach may be to require users to indicate their consent separately for every purpose mentioned in the notice.
- Consent should be informed: Knowing and understanding the purposes mentioned in the notice may help the Data Principals make an informed decision on granting their consent.
- Consent should be unconditional: Consent should not be a pre-condition to receiving services from an organization. However, an organization may explain why it would be unable to provide services to a Data Principal in the absence of her consent.
- Consent should be unambiguous: As the provision reads, there should be clear affirmative action from the Data Principal to indicate her consent. Consent may not be inferred from the Data Principal’s conduct (e.g., Data Principals exploring a website without indicating their consent to their personal data processing).
The preferred mechanism to obtain consent would be opt-in consent. If the privacy notice contains a host of purposes, it is ideal to enable a Data Principal to signify her consent to each of the purposes to ensure that her personal data processing is carried out by the organization in line with the data minimization and purpose limitation principles.
For example, an organization’s privacy notice specifies the collection of name, e-mail address, phone number, unique government ID (Aadhaar, PAN, driving licence, etc.) and blood group for the purpose of registering for a corporate event. A Data Principal submits all these details to the organization. However, the blood group is not necessary for event registration, and processing of the unique government ID may not be necessary except for verification purposes. Thus, the organization is not expected to collect or otherwise process the details related to the blood group. In other words, the purposes specified in the privacy notice should have a direct nexus with the personal data processed by the organization.