Our resources provide the essential tools, guides, and insights to help your business stay ahead of data privacy regulations. From practical templates to expert articles, we ensure you have everything you need to navigate compliance with confidence.
Last Updated: 2024-09-18 ~ Riju Ghosh ~ DPDP Consultants
Explore 9 types of consent
that ensure clear communication, transparency, and privacy in handling personal
information effectively.
As people share more of
their personal information online, strong data protection has become essential.
The Digital Personal Data Protection Act(DPDPA) of 2023 sets out clear rules for
safeguarding personal
data in India.
Under the DPDPA and other privacy laws, one of the key responsibilities of organisations is to get consent from individuals before using their data. This can be challenging because the amount of data collected keeps increasing.
There are different types
of consent designed to fit various situations and levels of data use. These
types help ensure clear communication between data principals and those
handling their data, highlighting the importance of transparency and privacy.
Let’s explore the 9
different consent types and how they are crucial for protecting personal data.
The DPDPA requires that
consent must be informed. This means individuals need to fully understand how
their data will be used, the risks involved, and their
rights.
For consent to be
informed, companies have to give clear details about:
An example of an informed
consent type is when a social media site gives users a detailed privacy notice
explaining how their data will be used, shared, and protected. With informed
consent, people can control their information and ensure companies meet high
standards for data privacy.
Explicit consent,
sometimes called express or active consent, means individuals must clearly and
indisputably agree to the data being collected and used.
This type of consent is
usually needed for sensitive
information like health records, racial or ethnic background,
religious beliefs, or political views. For example, an online health platform
would ask users to actively opt in and share their medical history for
personalised health advice.
Related: FM
Sitharaman Meets Fintech Startups
Implied or passive consent
means that a consumer’s consent is assumed unless they explicitly say
otherwise.
A common example is cookie
policies. When you keep browsing a website after seeing a cookie banner or
privacy notice, your continued use is often seen as implied consent for the
website to place and access cookies on your device.
Implied consent types are
often used when the data controller thinks people would generally agree to the
data processing, or when the processing is necessary for a contract or service.
However, clear and transparent information must be provided about the purposes
of data processing and how to opt-out.
Businesses like opt-out
consent because it requires customers to take action to stop or decline
processing. Many people don’t read the fine print and end up giving consent,
which benefits the organisation.
Out of all types of
consent, granular consent is all about giving people choices and control over
specific parts of data processing. It lets individuals decide what types of
data sharing or purposes they agree to.
For example, if your
business sends updates about different services, you should let subscribers
choose which services they want information about.
By offering granular
consent, organisations respect users’ autonomy and empower them to decide
exactly how their data is used. It’s a user-first approach to privacy, helping
people make informed decisions and ensuring their privacy expectations are met.
Furthermore, the act
mandates that Data Fiduciaries provide the Privacy Notice in English and any
regional language specified in the Eighth Schedule of the Constitution.
Unlike granular consent,
general consent gives broad permission for various data processing activities
without detailing specific purposes or conditions. These types of consent are
often seen in online service agreements where users agree to the general collection,
processing, and storage of their personal data needed to use the service.
Hospitals could ask for
general consent for routine, low-risk medical procedures like exams, tests, and
minor treatments.
With conditional consent,
individuals can place limits on how their data is used. They agree to data
processing under certain conditions or for specific purposes but not for
others.
For example, in a survey,
participants might give consent for their responses to be used for research but
not for marketing or third-party sharing.
Conditional consent lets
people control the extent and scope of their data use, setting boundaries and
specifying their preferences.
Common practices needing
conditional consent include:
Ongoing consent, or dynamic
consent, is important in long-term relationships where data processing happens
over time. It acknowledges that people’s preferences and circumstances can
change, so it regularly seeks to renew or confirm consent. These consent types
keep individuals informed about data processing activities and allow them to
update their consent choices.
For instance, if something
changes during a research study or new information arises, the organisation
needs to inform participants and ask if they still consent to be part of the
study.
Such types of consent
promotes continuous communication between individuals and data handlers, making
it easy to adjust and align with changing privacy preferences.
Presumed consent means that
consent is assumed based on laws, societal norms, or the specific context. It
implies that individuals agree to certain data processing activities unless
they explicitly object or opt-out. This is often used when there’s a strong
public interest or legal reason for processing data.
The DPDP Act 2023 has updated a similar concept of ‘deemed
consent’ from the 2022 draft. Now called ‘legitimate
uses,’ it allows for the processing of personal data for
specific purposes without the individual’s consent.
Revocable consent or
withdrawable consent, lets individuals revoke or withdraw their previously
given consent for their personal data to be collected. It highlights the idea
that people should have the right to change their minds and control their data
whenever they want.
Such consent types
acknowledge that consent isn’t just a one-time thing but an ongoing process
that respects individuals’ autonomy and their ability to decide how their
personal information is used.
While consent is generally
something you can withdraw, there are situations where it might not be
revocable. For instance, if data processing is necessary to comply with legal
obligations imposed on the organisation, they may need to continue processing your
data even if you withdraw consent.
Consent management is a
crucial issue in data privacy. However, with the amount of consent types, it’s
not always straightforward and can be challenging to navigate.
At DPDP Consultants, we’ve
developed a suite of tools to help companies handle all their compliance
obligations, regardless of the types of consent they collect.
Our Data
Protection Consent Management (DPCM) tool automates consent
requests, ensuring your processes are clear and transparent under India’s
privacy laws.
DPCM begins by organising
assets for each department and uploading existing information like names,
emails, and phone numbers. It also assists in creating necessary privacy
notices that accompany valid consent.
In addition to the DPCM
tool, they offer various services and tools to help you comply with the DPDP
Act 2023 efficiently.
Streamline your consent
management today with DPDP Consultants’ customisable DPCM tool. Automate your
processes, enhance transparency and ensure 100% compliance with India’s privacy
law.
For News updates, expert
insights, and practical tips on DPDP compliance and personal data security
please subscribe to our newsletter Privacy
Talks.
