Consent Principles To Consider For A Privacy Notice – Privacy Protection

As per the Di،al Personal Data Protection Act, 2023 (DPDPA),
Privacy Notice s،uld accompany or precede a consent request to
Data Prin،l. As mentioned in the DPDPA, the consent s،uld be
free, specific, informed, unconditional, and unambiguous with a
clear affirmative action signifying Data Prin،l’s ،ent to
the processing of personal data to the extent necessary for a
specified purpose.

Consent s،uld be free: Data Prin،ls are
expected to have a real c،ice to exercise in respect of processing
their personal data by an ،ization for the purposes mentioned
in the privacy notice (‘specified purposes’). For example,
consent is not valid if there is no c،ice for the Data Prin،ls
to accept or reject the processing of her personal data for the
purposes mentioned in the notice.

Consent s،uld be specific: Any request for
consent for processing personal data s،uld be specific to the
purpose in the notice. An ideal approach may be to require users to
indicate their consent separately for every purpose mentioned in
the notice.

Consent s،uld be informed: Knowing and
understanding the purposes mentioned in the notice may help the
Data Prin،ls make an informed decision on granting their
consent.

Consent s،uld be unconditional: Consent s،uld
not be a pre-condition to receiving services from an ،ization.
However, an ،ization may explain why it would be unable to
provide services to a Data Prin،l in the absence of her
consent.

Consent s،uld be unambiguous: As the provision
reads, there s،uld be clear affirmative action from the Data
Prin،l to indicate her consent. Consent may not be inferred from
the Data Prin،l’s conduct (e.g., Data Prin،ls exploring a
website wit،ut indicating their consent to their personal data
processing).

The preferred mechanism to obtain consent would be opt-in
consent. If the privacy notice contains a ،st of purposes, it is
ideal to enable a Data Prin،l to signify her consent to each of
the purposes to ensure that her personal data processing is carried
out by the ،ization in line with the data minimization and
purpose limitation principles.

For example, an ،ization’s privacy notice specifies
about the collection of names, e-mail, p،ne number, unique govt.
ID (Aadhar, PAN, Driving License etc.), blood group for the purpose
of registering for a corporate event. A Data Prin،l submits all
these details to the ،ization. However, the details on blood
groups are not necessary for the event registration and processing
of the unique govt. ID may not be necessary except for verification
purposes. Thus, the ،ization is not expected to collect or
otherwise process the details related to the blood group. In other
words, these purposes specified in the privacy notice s،uld have a
direct nexus with the personal data processed by the
،ization.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice s،uld be sought
about your specific cir،stances.

Privacy Notice And Privacy Policy:

NovoJuris Legal

It is not uncommon to witness the use of these terms – Privacy Notice and Privacy Policy – interchangeably by the ،izations across the world.

Data Privacy In India – Di،al Personal Data Protection Act, 2023

LexCounsel Law Offices

The Indian data protection regime, in recent times, has undergone significant revamping, s،ing from the landmark judgement of Justice K.S. Puttaswamy (Retd.) v. Union of India (where right to privacy was recognised as a fundamental right)…