Section 6 DPDPA

Consent.


6.(1) The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.

Illustration.

X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for
(i) the processing of her personal data for making available telemedicine services, and
(ii) accessing her mobile phone contact list, and X signifies her consent to both. Since phone contact list is not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services.

(2) Any part of consent referred in sub-section (1) which constitutes an infringement of the provisions of this Act or the rules made thereunder or any other law for the time being in force shall be invalid to the extent of such infringement.

Illustration.

X, an individual, buys an insurance policy using the mobile app or website of Y, an insurer. She gives to Y her consent for
(i) the processing of her personal data by Y for the purpose of issuing the policy, and
(ii) waiving her right to file a complaint to the Data Protection Board of India. Part (ii) of the consent, relating to waiver of her right to file a complaint, shall be invalid.

(3) Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act.
(4) Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given.
(5) The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal.


Illustration.

X, an individual, is the user of an online shopping app or website operated by Y, an e-commerce service provider. X consents to the processing of her personal data by Y for the purpose of fulfilling her supply order and places an order for supply of a good while making payment for the same. If X withdraws her consent, Y may stop enabling X to use the app or website for placing orders, but may not stop the processing for supply of the goods already ordered and paid for by X.
(6) If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India.

Illustration.

X, a telecom service provider, enters into a contract with Y, a Data Processor, for emailing telephone bills to the customers of X. Z, a customer of X, who had earlier given her consent to X for the processing of her personal data for emailing of bills, downloads the mobile app of X and opts to receive bills only on the app. X shall itself cease, and shall cause Y to cease, the processing of the personal data of Z for emailing bills.

(7) The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.
(8) The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed.
(9) Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.
(10)Where a consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder.


Applicable DPDP Rule 2025

Rule 4: Registration and Obligations of Consent Manager

Read More on Childrens Consent The Rule 10 of DPDP Rules and its Legal Interpretation

Read more on BLOG : Consent under DPDPA - Comprehensive Understanding

Read more on BLOG : Childrens of illiterate parents BANNED from social media IN INDIA?

Read more on BLOG : Understanding the Modern Role of a Consent Manager Under DPDPA and DPDP Rules 2025?"

Section 7 DPDPA →
DPDPA
Table of contents


Report error

Legal Interpretation of the

Section 6 of the Digital Personal Data Protection Act, 2023 (DPDPA)

1. Purpose and Scope of Section 6

Purpose: To define legal requirements for obtaining valid consent, empowering individuals to make informed decisions about their personal data.

Scope: Applies to all personal data processing activities requiring consent, with conditions like informed, voluntary, specific, and withdrawable consent.

2. Alignment with Constitutional Principles and Indian Laws

Right to Privacy: Recognized as a fundamental right under Article 21 in Justice K.S. Puttaswamy v. Union of India (2017), ensuring informed, voluntary, and specific consent.

IT Act, 2000: Section 43A emphasizes obtaining consent for sensitive personal data processing.

Consumer Protection Act, 2019: Protects individuals from misuse of personal data without proper consent.

3. Consent Fatigue

Definition: A state where individuals feel overwhelmed by constant requests for consent, leading to indiscriminate agreement without understanding implications.

Solutions:

  • Simplified Notices: Use plain language and concise formats.
  • Layered Consent: Provide essential information upfront and detailed explanations subsequently.
  • Granular Consent: Allow consent for specific data processing activities.

4. Practical Examples and Illustrations

  • E-Commerce: "We will use your name and address to deliver your order. Tick here to receive promotional emails."
  • Healthcare: "I consent to use my medical records for treatment. Tick here to allow anonymized data for research."
  • Social Media: "I agree to upload and use my photos for profile creation."
  • Finance: "I consent to use my KYC details for account setup. Tick here to receive financial product recommendations."

5. Implications for Data Fiduciaries and Data Principals

For Data Fiduciaries:

  • Operational Complexity: Implement mechanisms to obtain, store, and manage consent.
  • Compliance Risks: Non-compliance can result in penalties and reputational damage.
  • Building Trust: Transparent consent practices enhance customer trust.

For Data Principals:

  • Empowerment: Enables control over personal data.
  • Responsibility: Requires individuals to read and understand consent notices.
  • Safeguards: Provides mechanisms for withdrawing consent and raising grievances.

6. Summary of Safeguards to Prevent Misuse

  • Informed Consent: Clearly explain the purpose and scope of data processing.
  • Voluntary Participation: Avoid coercive practices for consent.
  • Granular Options: Allow individuals to choose specific purposes for consent.
  • Withdrawability: Enable Data Principals to withdraw consent easily.
  • Auditable Records: Maintain consent records for compliance audits.
  • Simplified Language: Use plain language for consent forms.

Conclusion

Section 6 of the DPDPA ensures that consent remains meaningful and effective, aligning with constitutional principles and addressing challenges like consent fatigue. It empowers Data Principals and establishes robust mechanisms for Data Fiduciaries to build trust and compliance.

Read More on Childrens Consent The Rule 10 of DPDP Rules and its Legal Interpretation

Read more on BLOG : Childrens of illiterate parents BANNED from social media IN INDIA?

Read more on BLOG : Consent under DPDPA - Comprehensive Understanding

© 2024 Advocate (Dr.) Prashant Mali