8 January 2024

Consent Principles To Consider For A Privacy Notice

NovoJuris Legal


NovoJuris Legal logo
NovoJuris Legal, an innovative and new-age law firm, where clients leverage on in-depth knowledge and solutions based approach. We work with high impact and rapid growth companies to large corporates and disruptive tech businesses. Our Funds formation practice is robust and we are consistently ranked amongst India’s top 5 in private equity.
As per the Digital Personal Data Protection Act, 2023 (DPDPA), Privacy Notice should accompany or precede a consent request to Data Principal.
India Privacy
To print this article, all you need is to be registered or login on

As per the Digital Personal Data Protection Act, 2023 (DPDPA), Privacy Notice should accompany or precede a consent request to Data Principal. As mentioned in the DPDPA, the consent should be free, specific, informed, unconditional, and unambiguous with a clear affirmative action signifying Data Principal's assent to the processing of personal data to the extent necessary for a specified purpose.

Consent should be free: Data Principals are expected to have a real choice to exercise in respect of processing their personal data by an organization for the purposes mentioned in the privacy notice ('specified purposes'). For example, consent is not valid if there is no choice for the Data Principals to accept or reject the processing of her personal data for the purposes mentioned in the notice.

Consent should be specific: Any request for consent for processing personal data should be specific to the purpose in the notice. An ideal approach may be to require users to indicate their consent separately for every purpose mentioned in the notice.

Consent should be informed: Knowing and understanding the purposes mentioned in the notice may help the Data Principals make an informed decision on granting their consent.

Consent should be unconditional: Consent should not be a pre-condition to receiving services from an organization. However, an organization may explain why it would be unable to provide services to a Data Principal in the absence of her consent.

Consent should be unambiguous: As the provision reads, there should be clear affirmative action from the Data Principal to indicate her consent. Consent may not be inferred from the Data Principal's conduct (e.g., Data Principals exploring a website without indicating their consent to their personal data processing).

The preferred mechanism to obtain consent would be opt-in consent. If the privacy notice contains a host of purposes, it is ideal to enable a Data Principal to signify her consent to each of the purposes to ensure that her personal data processing is carried out by the organization in line with the data minimization and purpose limitation principles.

For example, an organization's privacy notice specifies about the collection of names, e-mail, phone number, unique govt. ID (Aadhar, PAN, Driving License etc.), blood group for the purpose of registering for a corporate event. A Data Principal submits all these details to the organization. However, the details on blood groups are not necessary for the event registration and processing of the unique govt. ID may not be necessary except for verification purposes. Thus, the organization is not expected to collect or otherwise process the details related to the blood group. In other words, these purposes specified in the privacy notice should have a direct nexus with the personal data processed by the organization.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More