JSA Prism | Data Privacy (Edition 3) | September 2024


Consent and Consent Managers

In the third instalment of the Prism series on the Digital Personal Data Protection Act, 2023 (“DPDPA”), we analyse the concepts of ‘Consent’ and ‘Consent Manager’. Consent is one of the fundamental concepts in any data protection legislation, and in this Prism we delve into the requirements of a valid consent under the DPDPA. We have also focused on the concept of ‘Consent Manager’ under the DPDPA and have enumerated the roles and responsibilities of these consent managers. In the latter part of the Prism, we look at other data protection laws around the world, such as the General Data Protection Regulation (“GDPR”), Singapore’s Personal Data Protection Act (“PDPA”) and the California Consumer Privacy Act (“CCPA”), to learn how these data protection legislations approach ‘Consent’ and ‘Consent Manager’.

 

What is “consent” and what are the key elements of a valid consent?

Consent is the primary ground on which personal data may be processed. A valid consent must fulfil the following requirements:

Consent must be free, specific, informed, unconditional and unambiguous, with a clear affirmative action.

The consent should signify that the data principal agrees to the processing of their personal data for the purpose mentioned in the notice given by the data fiduciary to the data principal. Consent should also be obtained only for personal data that is necessary for the specified purpose.

  • The consent must indicate a clear affirmative action which means actively ticking a box or signing a document. Therefore, passive actions like pre-checked boxes or call-to-actions may not count as a valid consent.
  • The CCPA mentions that acceptance of general or broad terms of use, hovering over, muting, pausing or closing a tab, or consent that has been obtained through dark patterns cannot be considered a valid consent. Similarly, the GDPR also mentions that pre-ticked boxes or inactivity will not be considered as consent.
  • Since the DPDPA mentions that consent should be given for specific purposes, granular options may be given to consent separately to separate purposes.

 

When is a consent invalid?

To the extent that a consent infringes the DPDPA, its rules or any other law in India, it shall be invalid to that extent.

 

How should a request for a consent be made?

  1. Right to withdraw consent: Where the data fiduciary relies on consent to process the personal data, the data principal will have the right to withdraw her consent at any time.
  2. Record keeping: If a question arises on the legality of the consent provided by the data principal, the data fiduciary must be able to demonstrate that a notice was given by the data fiduciary to the data principal and consent was given by the data principal in accordance with the DPDPA.
  3. The data principal may give, manage, review or withdraw her consent to the data fiduciary through a ‘Consent Manager’.

Who is a ‘Consent Manager’?

A consent manager has been defined as a person registered with the Data Protection Board of India (“Board”), who acts as a single point of contact to enable data principals to ‘give, manage, review and withdraw’ the data principal’s consent through ‘an accessible, transparent and interoperable platform’.

  • Similar to the DPDPA, the Account Aggregator Framework by the RBI allows account aggregators to act as intermediaries that obtain, submit and manage the consent of users to obtain their financial data from banks and share it with lending institutions. Similarly, the National Digital Health Mission’s health data management policy also has the concept of consent managers to manage consent for health data.
  • It is unclear whether consent managers will also collect personal data alongside obtaining consent.
  • It is also pertinent to know if the Electronic Consent Framework (released by the Ministry of Electronics and Information Technology in 2017) will be made applicable to consent managers since the document outlines technology specifications to manage user consent provided electronically to share data across different entities.

 

Comparison with select data protection laws around the world

Consent and its key elements

  • DPDPA: The consent given by the data principal will be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and will signify an agreement to the processing of personal data for the specified purpose and will be limited to such personal data as is necessary for such specified purpose.
  • GDPR: Consent should be freely given, specific, informed and unambiguous, and will be an affirmative action.
  • CCPA: Consent must be freely given, specific, informed and unambiguous. Consent will be a clear affirmative action provided for processing personal information for a narrowly defined purpose.
  • PDPA: When requesting consent, the individual should be provided with information such as the purpose of the processing and any secondary purpose of processing, and the consent should be obtained only for a specific purpose.

Aspects of Consent

DPDPA:

  • Every request for consent will be in clear and plain language, providing the option to access the notice in English or in any language in the Eighth Schedule. It will provide details of the Data Protection Officer or authorised person.
  • Consent can be withdrawn, but the consequences will have to be borne by the data principal.
  • If the consent is withdrawn, the same will not affect the legality of processing before its withdrawal.
  • Post withdrawal of the consent, the data fiduciary will stop processing of personal data and ensure the data processors also stop the processing.
  • The data fiduciary must be able to evidence that a notice was given by the data fiduciary to the data principal and consent was given by the data principal in accordance with the DPDPA.

GDPR:

  • The controller will keep records to demonstrate that consent has been obtained.
  • Request for consent will be in an intelligible and easily accessible form, using clear and plain language.
  • The data subject should be able to withdraw the consent at any time.
  • The performance of a contract should not be conditioned on consenting to the processing of personal data that is not necessary for the performance of the contract.

CCPA:

Consent can be revoked:

  • when such consent was provided for receiving a financial benefit;
  • when consent was initially provided to allow the business to ignore the opt-out preference signal with respect to the sale or sharing of the personal information or the use of the consumer’s sensitive personal information.

PDPA:

  • The individual can withdraw consent at any time.
  • Consent will not be obtained as a condition of providing a product or service if the same is beyond what is reasonable to provide the product or service.

Consent Manager

  • DPDPA: The concept of consent manager is introduced in the DPDPA. A consent manager is a person registered with the Board, who acts as a single point of contact to enable a data principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
  • GDPR: GDPR does not make a reference to consent managers; however, it does allow individuals who have the authority to act on behalf of data subjects, when they are incapable of providing consent, to manage consent on their behalf.
  • CCPA: Although there is no concept of consent manager in the CCPA, consent can be given by the consumer, their legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer. However, a consumer may authorize another person to opt out of the sale or sharing of the consumer’s personal information and to limit the use of the consumer’s sensitive personal information on the consumer’s behalf.
  • PDPA: PDPA mentions that the consent may be given by any person validly acting on that individual’s behalf.

 

This Prism has been prepared by:

Akshaya Suresh
Partner

Aravindini Magesh
Associate

 

For more details, please contact [email protected]