According to Section 6(1) of the DPDP Act, 2023:

"The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action..."

"...(The consent) shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose."

Valid Consent under DPDP Act

Significance of a valid consent

"Consent" is the most common lawful basis on which a business can collect, store or process the personal data of Indian citizens.

Businesses of all sizes collect a great deal of personal data from individuals. For example:

  • If you complete a purchase at a convenience store, you may be asked for your mobile number so that a digital copy of the receipt can be sent to you on WhatsApp.

  • If you visit a doctor, you are required to provide personal data to book an appointment.

  • If you want to talk to one of our consultants, you are required to provide your name and contact information on the 'contact us' page of our website.

Essentially, any organized business needs to collect personal data of their prospects and customers to run their business.

As the purpose of the DPDP Act is to protect the rights of individuals whose personal data is processed (Data Principals), the act imposes certain obligations, including seeking "valid consent", on the business (Data Fiduciary) collecting personal data.

Before you seek consent

The "Privacy Policy" of a business plays a vital role in seeking valid consent. Data protection regulations around the world require businesses to present a privacy policy to the user before the user submits personal data. The key characteristics of consent, as defined in the DPDP Act, should be embedded into the privacy policy of the business. For example:

The privacy policy should be drafted so that the individual is made aware of the reasons or purposes for collecting personal data, with whom the personal data is shared, and the individual's rights, such as the right to have the data deleted. This is what allows informed consent to be obtained from the individual.

The privacy policy should be drafted in simple and plain language, with as little legal jargon as possible, so that the individual can make an informed decision before providing personal data. This is what allows unambiguous consent to be obtained from the individual.

How to seek valid consent

At the time of seeking consent

Whether you acquire personal data through paper-based forms that are digitized later or through web- or app-based forms, you need to obtain explicit consent by having the user take an affirmative action before the personal data is submitted. That affirmative action is the key aspect of seeking explicit consent, and it can be as simple as the user ticking a checkbox confirming that they accept the privacy policy of the business.

The form presented to the user should contain a link to the privacy policy of the business, and the business should be able to demonstrate that it made reasonable efforts to make the user aware of the specific purpose or purposes for which the data is being collected, among other details.

After obtaining consent

Once consent is obtained and personal data is stored, the business should remind all users of any changes to its privacy policy. For example, if the business starts sharing personal data with a new vendor for processing, the new vendor's details should be added to the privacy policy and users should be notified of the change.

Consent-seeking artifacts should be preserved so that the business can demonstrate that it did obtain valid consent from its users. These artifacts may include the date and time at which consent was obtained, the IP address, the data collection source (paper-based or online), and so on.

Consent lifecycle management in DPDP Act

Consent has a maximum lifespan of three years (for certain classes of data fiduciaries) under the DPDP Act rules, unless the business has a legal obligation to continue storing the personal data. For example, a business may need to retain its customers' personal data for accounting purposes.

Consent can also expire when the user asks the business to delete their personal data.

When consent expires or is revoked by the user, the business should promptly delete all of that user's personal data and notify the data principal that it has done so.
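As an added example (not code from the original article), here is a minimal Python consent ledger that captures the artifacts listed under "After obtaining consent" and applies the lifecycle rules from this section: a record is created only on an affirmative action, processing is limited to the purposes consented to, consent lapses after the three-year ceiling unless a legal obligation applies, and revocation deletes the stored data and produces a notice. The field names, the "online"/"paper" source labels, the sample timestamp and the notification text are assumptions, not terminology from the Act.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_CONSENT_AGE = timedelta(days=3 * 365)   # three-year ceiling described above
SAMPLE_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # constructed clock value


@dataclass
class ConsentRecord:
    principal_id: str
    purposes: frozenset            # the specified purposes the user agreed to
    policy_version: str            # which privacy policy text was shown
    obtained_at: datetime          # UTC time of the affirmative action
    source: str                    # "online" or "paper" (assumed labels)
    ip_address: Optional[str]      # recorded for online forms, None for paper
    revoked_at: Optional[datetime] = None


def record_consent(principal_id, purposes, policy_version, checkbox_ticked,
                   source, ip_address=None, now=SAMPLE_NOW):
    """Create a record only when the user actually took the affirmative action."""
    if not checkbox_ticked:          # a pre-ticked or absent box is not consent
        raise ValueError("no affirmative action: consent cannot be recorded")
    if not purposes:
        raise ValueError("consent must name at least one specific purpose")
    return ConsentRecord(principal_id, frozenset(purposes), policy_version,
                         now, source, ip_address)


def consent_covers(rec, purpose, now, legal_hold=False):
    """True while processing for `purpose` is still backed by valid consent."""
    if purpose not in rec.purposes:                      # limited to purposes given
        return False
    if rec.revoked_at is not None and rec.revoked_at <= now:
        return False                                     # user asked for deletion
    if now - rec.obtained_at > MAX_CONSENT_AGE and not legal_hold:
        return False                                     # lifespan exceeded
    return True


def revoke_and_purge(rec, store, now):
    """Mark consent revoked, delete the stored personal data, return the notice."""
    rec.revoked_at = now
    store.pop(rec.principal_id, None)                    # prompt deletion
    return f"Personal data for {rec.principal_id} deleted on {now.date()}"
```

The `legal_hold` flag models the accounting-retention case mentioned above; the `policy_version` field is what lets you prove which policy text the user saw when a later policy change is notified.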