That international businesses already largely comply with major data protection regimes such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the United States may indicate an existing culture of high privacy standards. Such familiarity will be tested, however, by India’s enacted but not-yet-in-force Digital Personal Data Protection Act 2023 (DPDPA) – the DPDPA’s unique requirements may present additional challenges for companies, particularly in relation to consent management.
Ada Shahrbanu
Senior associate
Spice Route Legal
Most global data protection laws require businesses to give privacy notices to consumers, informing them of the company’s data collection practices. The DPDPA, however, imposes an additional requirement: a “consent request form”. This raises the question of whether existing privacy notices are sufficient, or whether businesses must implement a separate consent request form.
Globally, approaches to consent vary greatly. The GDPR requires consent to be free, informed, specific and unambiguous, obtained through clear affirmative action and subject to unrestricted withdrawal. The CCPA is opt-out based. It allows consumers to restrict the sale of their personal data, with opt-in required only for sensitive information or data relating to minors. Both regimes provide grounds for processing data without consent. The DPDPA adopts a markedly different stance by making affirmative consent the primary legal basis for processing personal data in India, with limited exceptions.
How consent is obtained is of great importance under the DPDPA. Most processing activities will be lawful only insofar as they align with the consent granted through the consent notice and consent request form. These documents together determine the scope of personal data that may be processed, the purposes for which it may be used, and the limitations on such processing.
Hamsadhwani Alagarsamy
Associate
Spice Route Legal
The DPDPA requires businesses to obtain consent through documents drafted in plain language before they collect personal data. Because of the DPDPA’s emphasis on specificity and granularity, consent request forms must identify each dataset that the business proposes to collect, and specify the purposes for which it will be processed.
Affirmative consent must then be captured through user interface mechanisms such as toggles, buttons or checkboxes. The request for consent must be preceded or accompanied by a consent notice. This must list, item-by-item, the personal datasets to be processed and their purposes. It must explain the means by which individuals may exercise their personal data rights and outline the process for complaining to the yet-to-be-established Data Protection Board of India (DPBI). The consent request form secures explicit consent for each dataset and processing activity, while the consent notice provides individuals with additional information about their rights. Both documents must be available in English and all 22 scheduled Indian languages. The DPDPA does not prohibit them from being a single document, provided that it clearly links datasets to processing purposes, explains how users may exercise their rights and sets out the manner in which complaints may be made to the DPBI.
For businesses already using GDPR or CCPA-compliant privacy notices, the challenge will be to adapt them to meet the DPDPA’s requirements of granularity and affirmative consent. Dataset-and-purpose descriptions may be isolated from general privacy disclosures, and together rebuilt into a modular consent framework. Within a single document, affirmative consent mechanisms can be presented distinctly and transparently. Wider privacy information remains available, thus ensuring compliance with any requirements from other regimes.
Companies may also implement a layered strategy. A combined notice and request form may meet the DPDPA’s core requirements, supplemented by a more detailed privacy policy accessible through links or references. This will meet India’s consent standards while maintaining international transparency practices. Because the DPDPA primarily requires consent for processing, compliance will depend heavily on the design and presentation of these documents. Businesses must monitor future government guidance on their form and content to ensure alignment with the new law.
Ada Shaharbanu is a senior associate and Hamsadwani Alagarsamy is an associate at Spice Route Legal
Spice Route Legal
14th floor, Skav 909,
Lavelle Road, Ashok Nagar
Bengaluru, Karnataka 560025
Contact details:
E: contact@spiceroutelegal.com