According to Section 6(1) of the DPDP Act, 2023:

"The consent given by the Data Principal shall be free, specific, informed, unconditional and, unambiguous with a clear affirmative action..."

"...(The consent) shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose."

Valid Consent under DPDP Act

Importance of a valid consent in the DPDP Act

"Consent" is the most common lawful basis on which a business can collect, store or process the personal data of Indian citizens.

Businesses of all sizes collect a lot of personal data from individuals. For example,

if you want to talk to one of our consultants, you are required to provide your name and contact information from the 'contact us' page on our website.

if you complete a purchase at a convenience store, you may be required to provide your mobile number to receive a digital copy of receipt on your Whatsapp.

If you visit a doctor, you are required to provide your personal data to book an appointment.

Essentially, any organized business needs to collect personal data of their prospects and customers to run their business.

As the purpose of the DPDP Act is to protect the rights of individuals whose personal data is processed (Data Principals), the act imposes certain obligations, including seeking "valid consent", on the business (Data Fiduciary) collecting personal data.

Before you seek consent

The "Privacy Policy" of a business plays a vital role in seeking valid consent. Every Global data protection regulations require the businesses to present a privacy policy to the user before they submit their personal data. The key characteristics of consent, as defined in the DPDP Act, should be embedded into the privacy policy of the business. For example,

The privacy policy should be drafted in such a way that the individual is made aware of the reasons/purposes for collecting personal data, with whom the personal data is shared, the individual's rights like right to delete. Hence, an informed consent could be obtained from the individual.

The privacy policy should be drafted in simple and plain language, without much legal jargon to help the individual take an informed decision before providing personal data. Hence, an unambiguous consent could be obtained from the individual.

How to seek valid consent

At the time of seeking consent

Whether you are a business acquiring personal data from paper-based forms and later digitizing the same or through web/app-based forms, you need to obtain explicit consent by asking the user to take an affirmative action before submitting the personal data. This affirmative action could be as simple as the user ticking a checkbox that the user consents to the privacy policy of the business.

The form presented to the user should contain a link to the privacy policy of the business and it should be demonstrated that reasonable efforts are taken to make the user aware of the specific purpose or purposes for which the data is being collected among other details.