DPDPA Consent Management

Consent management under the Digital Personal Data Protection Act (DPDPA) 2023 refers to the systematic process of collecting, recording, storing, and managing permissions from data principals before processing their personal data. Under DPDPA, every data fiduciary must obtain valid consent accompanied by an itemized notice specifying each purpose of data processing, maintain immutable authorization records, and provide easy mechanisms for withdrawal.

Under Section 6 of the DPDPA, valid consent must be free, specific, informed, unconditional, and unambiguous. The authorization must be accompanied by a clear itemized notice in plain language (English or any Schedule VIII language) that specifies each purpose for which personal data will be processed. Permission cannot be bundled or made a precondition for accessing services unless the data processing is necessary for that service. Data fiduciaries must also ensure approval is given through a clear affirmative action.

Section 6(5) of the DPDPA mandates that withdrawing consent must be as easy as giving it. Data fiduciaries must provide accessible, one-click withdrawal mechanisms that allow data principals to revoke permission for specific processing purposes at any time. Upon withdrawal, the data fiduciary must cease processing the relevant personal data within a reasonable period and notify all downstream processors to halt processing as well.

No, explicit permission is not required for all personal data processing under DPDPA. Section 7 provides certain legitimate uses where processing is permitted without direct authorization, including voluntary data sharing by the data principal, government-mandated processing, medical emergencies, employment purposes, and processing in the interest of public order. However, for all other processing activities, obtaining valid consent with an itemized notice is mandatory.

Under Section 5 of the DPDPA, before requesting authorization, every data fiduciary must provide an itemized notice to the data principal that clearly describes the personal data being collected, each specific purpose for which the data will be processed, and the manner in which data principal rights can be exercised. The notice must be in clear, plain language available in English or any of the 22 languages listed in Schedule VIII of the Indian Constitution.

Section 9 of the DPDPA requires verifiable parental or lawful guardian consent before processing any personal data of children (individuals under 18 years). Data fiduciaries must implement robust age verification mechanisms to identify minors and authenticate the identity of the parent or guardian providing approval. Additionally, the DPDPA prohibits tracking, behavioral monitoring, and targeted advertising directed at children, and bars processing that could cause detrimental effects to a child's well-being.

Under Section 8(3) of the DPDPA, data fiduciaries are required to maintain accurate and complete records of all permissions obtained from data principals. This includes the specific notice provided, the timestamp of authorization, the purposes approved, any modifications or updates to the granted permissions, withdrawal records, and the version history of authorization forms. These records must be maintained in an auditable format and produced as evidence during regulatory inspections by the Data Protection Board of India.

The DPDPA requires consent to be specific and purpose-based, meaning data fiduciaries should avoid bundling permissions for multiple unrelated processing purposes into a single request. Each purpose must be clearly itemized in the notice, and data principals should have the ability to grant or withhold approval for each purpose independently. Bundling authorization or making it a blanket condition for accessing services may render the permission invalid under DPDPA Section 6 requirements.

While both DPDPA and GDPR require consent to be freely given, specific, informed, and unambiguous, there are key differences. DPDPA mandates authorization in Schedule VIII languages (22 Indian languages plus English), whereas GDPR requires clear and plain language of the member state. DPDPA introduces a mandatory itemized notice requirement before collecting permission, has stricter parental consent rules with a blanket ban on behavioral tracking of children, and does not recognize legitimate interest as a standalone legal basis for processing like GDPR does. DPDPA penalties can reach up to 250 crore per violation.

Permission management violations under the DPDPA carry significant penalties. Failure to obtain valid consent or provide proper notice can attract penalties up to 150 crore. Violations related to children's authorization requirements under Section 9 can result in penalties up to 200 crore. Personal data breaches resulting from inadequate approval-based processing safeguards carry the maximum penalty of 250 crore. The Data Protection Board of India adjudicates these violations and has the authority to impose penalties on a per-violation basis.