ARTICLE
5 November 2024

Consent And Consent Managers

J
JSA

Contributor

JSA is a leading national law firm in India with over 600 professionals operating out of 7 offices located in: Ahmedabad, Bengaluru, Chennai, Gurugram, Hyderabad, Mumbai and New Delhi. Our practice is organised along service lines and sector specialisation that provides legal services to top Indian corporates, Fortune 500 companies, multinational banks and financial institutions, governmental and statutory authorities and multilateral and bilateral institutions.
In the third instalment of the Prism series on the Digital Personal Data Protection Act, 2023 ("DPDPA"), we analyse the concepts of ‘Consent' and ‘Consent Manager'.
India Privacy

In the third instalment of the Prism series on the Digital Personal Data Protection Act, 2023 ("DPDPA"), we analyse the concepts of 'Consent' and 'Consent Manager'. Consent is one of the fundamental concepts in a data protection legislation and we delve into the requirements of a valid consent under the DPDPA in this Prism. We have also focused on the concept of 'Consent Manager' under the DPDPA and have enumerated the roles and responsibilities of these consent managers. In the latter part of the Prism, we look at other data protection laws around the world such as the General Data Protection Regulation ("GDPR"), the Singapore's Personal Data Protection Act ("PDPA") and the California Consumer Privacy Act ("CCPA") to learn how these data protection legislations approach 'Consent' and 'Consent Manager'.

What is "consent" and what are the key elements of a valid consent?

Consent is considered as the primary ground that allows processing of personal data. A valid consent must fulfil the following requirements:

Consent must be:

1539852a.jpg

The consent should signify that the data principal agrees to the processing of their personal data for the purpose mentioned in the notice given by the data fiduciary to the data principal. Consent should also be obtained only for personal data that is necessary for the specified purpose.

  • The consent must indicate a clear affirmative action which means actively ticking a box or signing a document. Therefore, passive actions like pre-checked boxes or call-to-actions may not count as a valid consent.
  • The CCPA mentions that acceptance of general or broad terms of use, hovering over, muting, pausing or closing a tab, or consent that have been obtained through dark patterns cannot be considered as a valid consent. Similarly, the GDPR also mentions that pre-ticked boxes or inactivity will not be considered as consent.
  • Since the DPDPA mentions that consent should be given for specific purposes, granular options may be given to consent separately to separate purposes.

When is a consent invalid?

To the extent that a consent infringes the DPDPA, its rules or any other law in India, it shall be invalid to that extent.

How should a request for a consent be made?

1539852b.jpg

  1. Right to withdraw consent: Where the data fiduciary relies on consent to process the personal data, data principal will have the right to withdraw her consent at any time.

1539852c.jpg

  1. Record keeping: If a question arises on the legality of the consent provided by the data principal, the data fiduciary must be able to demonstrate that a notice was given by the data fiduciary to the data principal and consent was given by the data principal in accordance with the DPDPA.
  2. The data principal may give, manage, review or withdraw her consent to the data fiduciary through a 'Consent Manager'.
    • Who is a 'Consent Manager'?

A consent manager has been defined as a person registered with the Data Protection Board of India ("Board"), who acts as a single point of contact to enable data principals to 'give, manage, review and withdraw' the data principal's consent through 'an accessible, transparent and interoperable platform'.

1539852d.jpg

  • Similar to the DPDPA, the Account Aggregator Framework by the RBI allows account aggregators to act as intermediaries that obtain, submit and manage the consent of users to obtain their financial data from banks and share it with lending institutions. Similarly, the National Digital Health Mission's health data management policy also has the concept of consent managers to manage consent for health data.
  • It is unclear whether consent managers will also collect personal data alongside obtaining consent.
  • It is also pertinent to know if the Electronic Consent Framework (released by the Ministry of Electronics and Information Technology in 2017) will be made applicable to consent managers since the document outlines technology specifications to manage user consent provided electronically to share data across different entities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More