Consent policies to consider for privacy notices – privacy protection


Under the Digital Personal Data Protection Act 2023 (DPDPA), a data protection notice should accompany or precede a request for consent made to the Data Principal. As stated in the DPDPA, consent should be free, specific, informed, unconditional and unequivocal, with a clear affirmative action signifying the Data Principal’s consent to the processing of personal data to the extent necessary for the stated purpose.

Consent should be free: Data Subjects are expected to have a real choice about the processing of their personal data by organizations for the purposes set out in the privacy notice (“specified purposes”). For example, consent is not valid if Data Subjects have no choice whether to accept or refuse the processing of their personal data for the purposes specified in the notice.

Consent should be specific: Any request for consent to the processing of personal data should correspond to the purpose in the notice. An ideal approach might be to require users to indicate their consent separately for each purpose listed in the notice.

Consent should be informed: Knowing and understanding the purposes stated in the notice can help Data Principals make an informed decision about granting consent.

Consent should be unconditional: Consent should not be a condition for receiving services from an organization. However, the organization can explain why it would not be able to provide services to the Data Principal without their consent.

Consent should be unequivocal: As the provision reads, there should be a clear affirmative action by the Data Principal to express consent. Consent cannot be inferred from the behavior of the Data Principal (e.g. a Data Principal browsing the website without indicating consent to the processing of their personal data).

The preferred mechanism for obtaining consent would be opt-in consent. Where a privacy notice contains a number of purposes, it is ideal to allow the Data Principal to express consent to each of the purposes separately, to ensure that the organization processes their personal data in accordance with the principles of data minimization and purpose limitation.

For example, an organization’s privacy notice specifies the collection of names, e-mail addresses, telephone numbers, unique government ID (Aadhaar, PAN, Driving License, etc.) and blood group for the purpose of registering for a corporate event. The Data Principal will submit all these details to the organization. However, blood group data is not required for event registration, and processing the unique government ID may not be required except for authentication purposes. Therefore, the organization is not expected to collect or otherwise process blood group details. In other words, the purposes stated in the privacy notice should have a direct connection with the personal data processed by the organization.

The content of this article is intended to provide a general guide to the issue. Professional advice should be sought regarding your particular situation.
