Concept | DPDPA | GDPR | CCPA | PDPA |
Consent and its key elements | The consent given by the data principal will be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and will signify an agreement to the processing of personal data for the specified purpose and will be limited to such personal data as is necessary for such specified purpose. | Under GDPR, consent should be freely given, specific, informed, unambiguous and will be an affirmative action. | Consent must be freely given, specific, informed and unambiguous. Consent will be a clear affirmative action provided for processing personal information for a narrowly defined purpose. | While requesting for consent, the individual should be provided with information such as the purpose for the processing and any secondary purpose of processing, and the consent should be obtained only for a specific purpose. |
Aspects of Consent | • Every request for consent will be in a clear and plain
language providing the option to access the notice in English or in
any language in the Eighth Schedule. It will provide details of the
Data Protection Officer or authorised person.
• Consent can be withdrawn, but the consequences will have to be borne by the data principal. • If the consent is withdrawn, the same will not affect the legality of processing before its withdrawal. • Post withdrawal of the consent, the data fiduciary will stop processing of personal data and ensure the data processors also stop the processing. • The data fiduciary must be able to evidence that a notice was given by the data fiduciary to the data principal and consent was given by the data principal in accordance with the DPDPA. |
• The controller will keep records to demonstrate that
consent has been obtained.
• Request for consent will be in an intelligible and easily accessible form, using clear and plain language. • The data subject should be able to withdraw the consent at any time. • The performance of a contract should not be condition on consenting to the processing of personal data that is not necessary for the performance of the contract. |
Consent can be revoked:
• when such consent was provided for receiving financial benefit, • when consent was initially provided to allow the business to ignore the opt-out preference signal with respect sale or sharing of the personal information or the use of the consumer's sensitive personal information. |
• The individual can withdraw consent at any time.
• Consent will not be obtained as a condition to provide a product or service if the same is beyond what is reasonable to provide the product or service. |
Consent Manager | The concept of consent manager is introduced in DPDPA. They are a person registered with the Board, who acts as a single point of contact to enable a data principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform. | GDPR does not make a reference to consent managers, however it does allow individuals who have the authority to act on behalf of data subjects when they are incapable of providing consent to manage consent on their behalf. | Although there is no concept of consent manager in the CCPA,
consent can be given by the consumer, their legal guardian or a
person who has power of attorney, or person acting as a conservator
for the consumer.
However, a consumer may authorize another person to opt out of the sale or sharing of the consumer's personal information and to limit the use of the consumer's sensitive personal information on the consumer's behalf. |
PDPA mentions that the consent may be given by any person validly acting on that individual's behalf. |
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.