Learn the right way to ask
for valid consent and how to record and manage it to stay compliant with
India’s DPDP Act 2023.
The Digital Personal Data Protection Act 2023 is India’s big move to protect
individual privacy rights and control how personal
data is used. A key component of the DPDP Act is consent,
the core principle that guides how organisations collect, process, handle, and
use personal information.
But how do you get valid consent?
This blog will explain the
right way to ask for, record, and manage consent.
What is Valid Consent Under the DPDPA?
According to the DPDP Act
2023, consent is considered valid if it is:
- Freely given: There must be no coercion;
consent can’t be bundled with other terms or made a condition of accessing a service.
- Specific: It must be for a specified purpose and limited to the personal data
necessary for that purpose, not grouped with other unrelated activities.
- Informed: Users need to understand what they
are agreeing to. For consent to be informed, companies have to give clear
details about the types of personal data, why it’s being
processed, and who it’s shared with.
- Unambiguous: Users must agree through a clear
affirmative action (opt-in consent), not by passive means (opt-out). For
example, a pre-ticked box that the user has to untick to refuse is not valid consent.
- Unconditional: You can’t restrict access to
services or products based on consent. For instance, users should be able
to access the public parts of your website even if they don’t agree to the
use of cookies.
How to Write a Consent Request?
Consent requests need to
be clear, easy to understand, and stand out from other information like general
terms and conditions.
Here’s how to do it:
- Make sure your consent request is easy to spot
- Use clear, simple language
- Write in a way your audience can easily
understand, especially if you’re asking children for consent. In such
cases, you might need to involve parents and consider age verification and
parental authorisation
- Avoid technical or legal jargon, confusing
terms and double negatives
- Use consistent language and methods for all
consent options
- Keep your consent requests short and specific,
avoiding vague or blanket wording
To maximise transparency,
the DPDP Act mandates all consent requests to be either accompanied or preceded
by a privacy notice. Let’s discuss what this notice holds.
Helping Data Principals
Make an Informed Decision — Privacy Notice
Section 5 of the DPDP Act
lays out the rules for ‘notice.’ For collecting valid consent, Data
Fiduciaries must give individuals a clear and simple privacy notice
either before or when asking for consent.
- It should detail the personal data being
collected and explain the reason for processing.
- It must include mandatory information, like
how to withdraw consent, address grievances, and file a complaint with the
Data Protection Board of India (DPBI).
- It must be available in English and, if
needed, in any of the 22 languages listed in the 8th schedule of the
Indian Constitution.
- Additionally, it should provide contact
information for the officers responsible for handling personal data.
How to obtain valid consent?
The method you use must
clearly show that people are giving their consent through definite, affirmative
action. This means people need to actively opt-in. You can ask them to do so
using any of these opt-in methods:
- Signing a consent form on paper
- Ticking an opt-in box, either on paper or
electronically
- Clicking an opt-in button or link online
- Choosing from equally prominent yes/no options
- Selecting preferences in settings or a
dashboard
- Responding to an email asking for consent
- Saying yes to a clear oral request for consent
- Providing optional information for a specific
purpose, like filling out optional fields in a form
Some Best Practices to Follow
- Do not rely on silence, inactivity, pre-ticked
boxes, opt-out boxes, default settings, or blanket acceptance of terms.
These methods assume consent by default and increase confusion and
ambiguity.
- Provide separate opt-ins for different
purposes or processing types. Avoid forcing all-or-nothing consent.
- Electronic consent must be user-friendly and
not disrupt service use.
- Do not force account creation for verifiable
consent; offer it as an option for saving preferences or you can link
consent to a temporary session ID.
- For online services to children, use
age-verification measures and seek parental consent.
How should you record valid consent?
Section 6(10) of the DPDP
Act states that if a question about consent arises in a legal proceeding, the
Data Fiduciary must prove that: (i) it gave the Data Principal a notice, and
(ii) the Data Principal gave consent in accordance with the Act and its rules.
This means you need to not
only provide a privacy notice but also keep records of how you collect consent.
You need to have a clear
record of how and when consent was given. Keep this evidence for as long as
you’re processing the personal data based on that consent to maintain
compliance with the DPDPA.
Good records help you
monitor and refresh consent as needed. Here’s what to include:
- Who consented: The individual’s name or
identifier (like an online username or session ID).
- When they consented: A copy of a dated
document or an online record with a timestamp, or a note of the time and
date for oral consent.
- What they were told: A master copy containing
the consent statement, any privacy notice, and any other privacy
information. For oral consent, keep a copy of the script used.
- How they consented: For written consent, a
copy of the document or form. For online consent, the personal data
submitted and a timestamp. For oral consent, a note made at the time of
the conversation.
- Whether they have withdrawn consent: And when
it happened, if applicable.
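The record-keeping list above, together with the earlier advice to collect a separate opt-in per purpose, as an added example in Python that is not part of the original post and not any vendor's product. It keeps one signed event per (principal, purpose, action), stores every version of the notice as a master copy keyed by its SHA-256, and can answer both "may I process this data for this purpose right now?" and "what did this person see when they agreed?". The HMAC chaining under a server-held key, the field names, and the sample data are all assumptions made for illustration; a ledger like this only meets the burden-of-proof requirement described above if the key is protected and the events are never edited in place.

```python
# Added example, not code from the original post. Assumptions: each notice
# version is kept as a master copy keyed by SHA-256, events are HMAC-chained
# under a server-held key, and the sample data is constructed. Stdlib only.
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Hypothetical key: load it from a secrets store in production, never source.
LEDGER_KEY = b"example-ledger-key-replace-me"

GRANTED, WITHDRAWN = "granted", "withdrawn"


def canonical(d: dict) -> bytes:
    """Stable byte encoding so the MAC does not depend on dict key order."""
    return json.dumps(d, sort_keys=True, separators=(",", ":")).encode()


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str  # who: account id, username or temporary session id
    purpose: str       # one purpose per event, so no all-or-nothing consent
    action: str        # GRANTED or WITHDRAWN
    method: str        # how: "web_opt_in_box", "paper_form", "oral", ...
    notice: str        # what they were told: SHA-256 of the notice shown
    timestamp: str     # when: ISO-8601 in UTC
    prev_mac: str      # MAC of the preceding event (chains the ledger)
    mac: str           # HMAC-SHA256 over all fields above


class ConsentLedger:
    """Append-only list of HMAC-chained consent events plus notice master copies."""

    def __init__(self, key: bytes = LEDGER_KEY):
        self._key = key
        self.events: list[ConsentEvent] = []
        self.notices: dict[str, str] = {}  # notice hash -> full notice text

    def register_notice(self, text: str) -> str:
        h = hashlib.sha256(text.encode("utf-8")).hexdigest()
        self.notices[h] = text
        return h

    def _mac(self, fields: dict) -> str:
        return hmac.new(self._key, canonical(fields), hashlib.sha256).hexdigest()

    def record(self, principal_id, purpose, action, method, notice, timestamp=None):
        if action not in (GRANTED, WITHDRAWN):
            raise ValueError("action must be granted or withdrawn")
        if notice not in self.notices:
            # Refuse to log consent whose notice we could not later produce.
            raise ValueError("register the notice master copy before recording consent")
        fields = dict(
            principal_id=principal_id, purpose=purpose, action=action, method=method,
            notice=notice, timestamp=timestamp or datetime.now(timezone.utc).isoformat(),
            prev_mac=self.events[-1].mac if self.events else "",
        )
        ev = ConsentEvent(**fields, mac=self._mac(fields))
        self.events.append(ev)
        return ev

    def verify(self) -> bool:
        """True only if no event was altered, removed or reordered."""
        prev = ""
        for ev in self.events:
            expected = self._mac({k: v for k, v in asdict(ev).items() if k != "mac"})
            if ev.prev_mac != prev or not hmac.compare_digest(ev.mac, expected):
                return False
            prev = ev.mac
        return True

    def latest(self, principal_id, purpose, at=None):
        """Most recent event for (principal, purpose) at or before `at` (ISO-8601 UTC)."""
        found = None
        for ev in self.events:  # appended in time order, so break on first later event
            if ev.principal_id == principal_id and ev.purpose == purpose:
                if at is not None and ev.timestamp > at:
                    break
                found = ev
        return found

    def is_consented(self, principal_id, purpose, at=None) -> bool:
        ev = self.latest(principal_id, purpose, at)
        return ev is not None and ev.action == GRANTED

    def needs_refresh(self, principal_id, purpose, current_notice) -> bool:
        """Consent granted under an older notice version should be sought again."""
        ev = self.latest(principal_id, purpose)
        return ev is not None and ev.action == GRANTED and ev.notice != current_notice

    def evidence(self, principal_id, purpose):
        """What you would produce in a proceeding: each signed event plus the notice text shown."""
        return [(asdict(ev), self.notices[ev.notice]) for ev in self.events
                if ev.principal_id == principal_id and ev.purpose == purpose]


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data: one principal, two purposes, one withdrawal."""
    ledger = ConsentLedger()
    v1 = ledger.register_notice("Privacy notice v1: we process your email for newsletters ...")
    ledger.record("user-42", "newsletter", GRANTED, "web_opt_in_box", v1, "2024-01-10T09:00:00+00:00")
    ledger.record("user-42", "analytics", GRANTED, "web_opt_in_box", v1, "2024-01-10T09:00:01+00:00")
    ledger.record("user-42", "analytics", WITHDRAWN, "settings_dashboard", v1, "2024-02-01T12:30:00+00:00")
    return ledger
```

Withdrawal is recorded as a new event rather than by editing the grant, so the history of what was agreed and when survives; `is_consented(..., at=...)` lets you show that processing on a given date was covered, and `needs_refresh` flags grants that predate the current notice text.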
How to Manage Consent?
With the Digital Personal
Data Protection Act 2023 in effect, companies must ensure they have valid
consent for processing personal data.
A Consent Management
Platform (CMP) simplifies sending, tracking, and managing consent requests
across apps and business processes. It integrates with your systems, automating
consent management to keep you compliant, enhance user trust, and streamline workflows.
CMPs also provide proof of
compliance by maintaining detailed consent records, making it easy to handle
consent requests, updates, and audits. This allows you to focus on your core
business activities.
If you’re looking for a
customisable all-in-one solution for DPDP compliance, your search ends here.
An All-In-One DPDP
Compliance Tool Kit for Your Business
With extensive experience
in implementing privacy policies across different geographies, DPDP Consultants
understands that every business has unique challenges. Whether you’re a startup
or a large enterprise, we can create a tailored compliance plan to help you
meet DPDP requirements and manage user consent effectively.
Our automated Data
Principal Consent Management (DPCM) tool streamlines sending, managing, and
tracking consent requests, ensuring transparency and compliance with DPDPA.
Additionally, it helps
create the required privacy notices to present before or alongside valid
consent.
Key Features
- Customisable to align with your business
processes
- Automates the management of personal data
consent requests
- Provides a robust system to track and handle
these requests internally
- Integrates with your company’s email service
provider to efficiently manage consent and monitor unconsented personal
data
- Shares outcomes with department heads, Data
Protection Officers, stakeholders, and management
- Helps manage consent for your legacy
personal data
- Suitable for businesses of all sizes and
scales with your business
Book A Free Consultation
DPDP Consultants offer
customised solutions to help your organisation achieve and maintain DPDP
compliance. In addition to the DPCM tool, we provide various services and
tools to navigate the DPDP Act, 2023 effectively:
- The DPDPA Readiness Review helps organisations understand the impact of the
DPDP Act on their operations.
- Our Contract Review service checks that existing contracts align with DPDP
requirements and recommends revisions where necessary.
- Our dedicated team provides
comprehensive DPDPA Compliance Assistance, establishing internal audit frameworks for
regulatory alignment.
- We assist in conducting DPIAs to assess and
mitigate risks in personal data processing. Our Data Protection Impact Assessment (DPIA) tool automates the
process, allowing organisations to conduct DPIAs through a user-friendly
platform. It tracks identified risks and ensures all stakeholders are
informed about the mitigation progress.
- The Data Principal Grievance Redressal (DPGR) tool enables data principals
to exercise all their rights through a user-friendly platform, reducing
response time and ensuring compliance.
- Our Data Protection Awareness Program (DPAP) educates staff on the new
privacy law through regular awareness sessions and assessments.
Looking
for expert advice from top consultants?
Whether you need guidance on legal compliance
consulting or tool-based technical solutions, DPDP Consultants can help
you with the best professional services in the industry. Get tailored insights
and practical solutions to help you succeed.
For news updates, expert insights, and practical
tips on DPDP compliance and personal data security, please subscribe to our
newsletter Privacy Talks.