Ensuring Informed Consent: A Deep Dive into Consent Notice Requirements Under the DPDPA and Draft DPDP Rules, 2025

Article by Tsaaro

Introduction

In 2023, a significant milestone was achieved with the enactment of India’s long-awaited data protection law, the Digital Personal Data Protection Act, 2023 (DPDPA), following the landmark Supreme Court case of Justice K.S. Puttaswamy (Retd.) v. Union of India, which upheld privacy as a fundamental right. The journey towards formulating comprehensive data protection laws began after that judgment and led through multiple iterations of the bill to the final enactment of the DPDPA 2023.

Central to the Act is the principle that the personal data of a Data Principal can be processed only in accordance with the provisions of the DPDPA and for a lawful purpose for which the Data Principal has given explicit consent. Thus, ‘consent’ emerges as pivotal to processing operations. In the K.S. Puttaswamy case, it was observed that:

“… apart from safeguarding privacy, data protection regimes seek to protect the autonomy of the individual. This is evident from the emphasis in the European data protection regime on the centrality of consent. Related to the issue of consent is the requirement of transparency which requires a disclosure by the data recipient of information pertaining to data transfer and use.”

Therefore, informed consent plays a critical role in securing the rights of individuals whose personal data is being processed. 

To enforce the provisions of the DPDPA, the Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Rules, 2025 (DPDP Rules) on 3rd January, 2025. The draft rules have been released for public consultation, which is open till 18th February, 2025.

This blog aims to explore the mandates related to consent and notice requirements as outlined in the DPDPA and its allied draft rules. 

Notice and Consent Requirement Under the DPDPA and the Draft DPDP Rules

The Digital Personal Data Protection Act establishes strict requirements for processing personal data, emphasizing consent as a cornerstone principle. Section 4 (1) of the DPDPA mandates that Data Fiduciaries can process personal data only if the Data Principal provides explicit consent, aligning with global standards for privacy protection. Section 6 (1) of the Act emphasizes that consent must be free, specific, informed, unconditional, and unambiguous, signifying clear agreement to the processing of personal data for the specified purpose and limited to what is necessary for that purpose. These provisions collectively ensure that the consent process is thorough and respects the rights of the Data Principal.

Moreover, Section 5 provides that the Data Fiduciary must give the Data Principal a notice detailing the personal data processed and its purpose. The notice should also outline the procedure for exercising the rights under sub-section (4) of section 6 (right to withdraw consent) and section 13 (right of grievance redressal). Additionally, it must specify the process for lodging complaints with the Board. This provision of the law thus enables transparency and accountability in data processing practices.

Rule 3 of the draft Digital Personal Data Protection Rules 2025 specifies rigorous criteria for consent notices aimed at ensuring informed and specific consent from Data Principals. 

The notice provided by a Data Fiduciary to the Data Principal serves as a crucial tool for ensuring transparency, accountability, and informed consent in the processing of personal data. This notice must adhere to specific requirements to guarantee clarity and accessibility for the Data Principal.

The following are the essential requirements that a notice must adhere to as per Rule 3 of the draft DPDP Rules: 

  • Independent Presentation: The notice must be presented in a manner that allows it to be understood independently, without reliance on other information that may have been shared previously or might be shared in the future.
  • Clear and Plain Language: The notice should provide a fair and easily understandable account of the information necessary for the Data Principal to give specific and informed consent. This includes:
    • An itemised description of the personal data being processed.
    • The specified purpose of processing and an itemised description of the goods or services enabled by such processing.
  • Ease of Access and Rights: The notice must include a clear communication link to the website or app of the Data Fiduciary. It should also describe alternative means, if available, for the Data Principal to:
    • Withdraw consent as easily as it was given.
    • Exercise rights provided under DPDPA.
    • File complaints with the Board.

These provisions thus ensure that individuals are empowered with essential information and control over their personal data. They ensure that consent is not merely a formality but an informed and active choice. The inclusion of clear mechanisms for withdrawal of consent, exercising rights, and grievance redressal underscores a commitment to data privacy and user-centric practices.

What this Means for the Organizations 

To comply with the Act and DPDP Rules, organizations must provide clear, concise, and easily understandable notices to data principals, itemizing the personal data collected, its processing purpose, and associated services. The notice should outline how data principals can exercise their rights, including withdrawing consent, accessing platforms, and filing complaints, ensuring transparency and ease of action. 

Websites and online platforms that deploy cookies to collect, store, or process personal data must obtain explicit consent from Data Principals. The cookie consent notice/banner must clearly inform users about the types of cookies used, their purpose, and how collected data will be utilized to showcase compliance with DPDP rules. Users must also have a mechanism to withdraw consent at any point (withdrawal should be as easy for the Data Principal as it was to give the consent). These requirements ensure that Data Principals have meaningful control over their personal data, fostering greater transparency and accountability in online data practices.

To comply with the DPDP Rules, organizations should implement an effective privacy notice and cookie consent strategy that clearly communicates data collection, processing purposes, and user rights. A user-friendly consent management system is essential, ensuring individuals can easily give and withdraw consent. Additionally, organizations must establish processes for handling Data Subject Requests (DSRs), enabling data principals to access, rectify, or erase their data with ease as per DPDPA. 

Conclusion 

The DPDPA, 2023, and the draft DPDP Rules, 2025, mark a significant step towards strengthening data privacy and empowering individuals with control over their personal data. The emphasis on explicit, informed, and unambiguous consent ensures that the processing of personal data aligns with global standards of transparency and accountability. Through detailed mandates on notice requirements, the draft DPDP Rules guarantee that Data Principals are equipped with clear and accessible information about how their data will be processed, their rights, and grievance redressal mechanisms. 

For organizations, these mandates are not just legal obligations but also opportunities to foster trust, transparency, and accountability in their data-handling practices. Adhering to these requirements will not only ensure compliance but also enhance user confidence, positioning businesses as responsible stewards of personal data in an increasingly data-driven world.

You can read more about consent requirements in different privacy regulations from around the globe here.
