Executive Summary
Consent under the DPDPA must be free, specific, informed, unconditional, and unambiguous. These requirements demand more than a terms acceptance checkbox. This guide addresses the legal, technical, and operational dimensions of consent management that organisations must navigate.
Key Takeaways
1. Design consent requests that are genuinely informative rather than legally comprehensive but incomprehensible
2. Implement granular consent for distinct processing purposes rather than bundled permissions
3. Ensure withdrawal mechanisms are as accessible as consent collection
4. Maintain auditable records of consent including version, timestamp, and scope
5. Plan for consent refresh when processing purposes expand
1. Understanding Section 6 Requirements
Section 6(1) requires consent to be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose. Read with Section 5, every request for consent must be accompanied or preceded by a notice describing the personal data to be processed and the purpose of processing. This specificity requirement precludes broad, catch-all consent that attempts to cover future, undefined uses. The "unconditional" requirement means that consent for processing beyond what the service actually needs cannot be made a condition of providing that service.
Important Warnings
- Pre-ticked checkboxes, silence, or continued use do not constitute valid consent; a clear affirmative action is required
- Consent obtained through deceptive design ("dark patterns") is neither free nor unambiguous within the meaning of Section 6(1), and is open to challenge
2. Designing the Consent Request
The consent request is the interface between legal requirements and user understanding. It must communicate processing purposes clearly without overwhelming users with legal terminology.
Identify Distinct Purposes
Separate processing purposes that require independent consent. Marketing communications, analytics, and service delivery should not be combined into a single consent request.
Draft Plain Language Descriptions
Explain each processing purpose in language a reasonable person without legal training would understand. Avoid technical jargon and defined terms where simpler alternatives exist.
Specify Data Categories
Identify what personal data will be processed for each purpose. Users should understand what they are consenting to share.
Disclose Recipients
Where data will be shared with third parties, identify them by name or category with sufficient specificity.
State Retention Periods
Communicate how long data will be retained for each purpose.
Practical Tips
- Test consent language with actual users before deployment
- Consider localisation for audiences whose primary language is not English
3. Technical Implementation
Consent management requires technical infrastructure to collect, record, honour, and demonstrate consent. Many organisations implement a Consent Management Platform integrated with their data processing systems.
Consent Collection Interface
Build or configure interfaces that present consent requests at appropriate points in the user journey. Ensure consent is collected before any non-essential processing begins.
Consent Record Storage
Maintain immutable records of each consent interaction including the exact language presented (or a version identifier that resolves to that exact text), the user's response, the timestamp, and the method and channel of collection. Immutable means append-only: corrections are recorded as new events, never by editing earlier ones.
Consent Status Propagation
Ensure consent decisions are communicated to all systems that process the relevant data. A withdrawal in one channel must take effect across all processing.
Consent Enforcement
Implement technical controls that check consent status before processing and refuse to proceed without a current, valid consent for that specific purpose. Do not rely on policy alone: a pipeline that can run without consulting consent status will eventually do so.
4. Withdrawal Mechanisms
Section 6(4) requires that withdrawal of consent be as easy as giving consent. This seemingly simple requirement has significant operational implications. If users can consent with a single tap, they must be able to withdraw with equivalent ease.
Accessible Withdrawal Options
Provide withdrawal mechanisms through the same channels used for collection. A consent given through a mobile app should be withdrawable through that app.
Clear Withdrawal Process
Users should not need to navigate complex menus or contact support to withdraw consent. Provide direct, obvious options.
Confirmation and Acknowledgment
Confirm withdrawal receipt and communicate the effective timeline. Explain any processing that will continue on other legal bases.
Technical Effectuation
Ensure withdrawal triggers actual cessation of processing within reasonable timeframes. Document the technical mechanisms that enforce withdrawal.
Important Warnings
- Requiring users to email support or call a helpline to withdraw consent likely fails the accessibility requirement
- Partial withdrawal may be complex to implement but must be supported for granular consents
5. Record Keeping for Accountability
Demonstrating valid consent requires comprehensive records. Under Section 6(10), where a question arises as to whether consent was given, the burden of proving it rests with the Data Fiduciary, making record keeping essential for both compliance and dispute resolution.
Consent Receipt Generation
Generate and store a complete record of each consent interaction including identity verification method, exact notice presented, user action, and timestamp.
Version Control
Maintain historical versions of consent notices. When notices change, record which version each user consented to.
Audit Trail
Log all consent related events including grants, withdrawals, and modifications with timestamps and attribution.
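The storage, propagation, enforcement, partial-withdrawal and audit-trail requirements in Sections 3, 4 and 5 above can be met with one small piece of infrastructure: an append-only consent log whose entries are hash-chained, from which current status is derived by replay. The following is an added example written for this guide, not code from any Consent Management Platform; the class and function names, the Data Principal identifier, purposes, channel and notice texts are all constructed for illustration.

```python
# Added example: a tamper-evident consent ledger with purpose-level enforcement.
# All names are hypothetical; the sample principal, purposes and notice texts are constructed.
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional


class ConsentError(PermissionError):
    """Raised when processing is attempted without a current consent for that purpose."""


def notice_version(notice_text: str) -> str:
    """Version a notice by hashing its exact wording, so the record proves what was shown."""
    return hashlib.sha256(notice_text.encode("utf-8")).hexdigest()[:16]


def _now_iso() -> str:
    return datetime.now(timezone.utc).isoformat()


class ConsentLedger:
    """Append-only, hash-chained event log. Events are never edited or deleted;
    status is derived by replay, which also answers "was consent in force at time T?"."""

    def __init__(self) -> None:
        self.events: list[dict] = []
        self.notices: dict[str, str] = {}  # notice version -> exact text presented

    @staticmethod
    def _digest(event: dict) -> str:
        unsigned = {k: v for k, v in event.items() if k != "hash"}
        return hashlib.sha256(json.dumps(unsigned, sort_keys=True).encode()).hexdigest()

    def _append(self, event: dict) -> dict:
        prev = self.events[-1]["hash"] if self.events else "0" * 64
        body = dict(event, seq=len(self.events), prev_hash=prev)
        body["hash"] = self._digest(body)
        self.events.append(body)
        return body

    def grant(self, principal: str, purpose: str, notice_text: str, channel: str,
              at: Optional[str] = None) -> dict:
        """Record an affirmative grant for one purpose, pinned to the exact notice wording."""
        version = notice_version(notice_text)
        self.notices.setdefault(version, notice_text)
        return self._append({"principal": principal, "purpose": purpose, "action": "grant",
                             "notice_version": version, "channel": channel, "at": at or _now_iso()})

    def withdraw(self, principal: str, purpose: str, channel: str,
                 at: Optional[str] = None) -> dict:
        """Record a withdrawal for one purpose only; other purposes are unaffected."""
        return self._append({"principal": principal, "purpose": purpose, "action": "withdraw",
                             "notice_version": None, "channel": channel, "at": at or _now_iso()})

    def status(self, principal: str, purpose: str, at: Optional[str] = None) -> Optional[dict]:
        """Latest event for (principal, purpose), optionally as of an ISO-8601 UTC timestamp."""
        latest = None
        for e in self.events:
            if e["principal"] == principal and e["purpose"] == purpose and (at is None or e["at"] <= at):
                latest = e
        return latest

    def is_consented(self, principal: str, purpose: str, at: Optional[str] = None) -> bool:
        s = self.status(principal, purpose, at)
        return s is not None and s["action"] == "grant"

    def history(self, principal: str) -> list:
        """Audit trail for one Data Principal: grants, withdrawals, notice versions, channels."""
        return [e for e in self.events if e["principal"] == principal]

    def verify(self) -> bool:
        """Recompute every hash and prev_hash link; an edited or removed event breaks the chain."""
        prev = "0" * 64
        for i, e in enumerate(self.events):
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def require_consent(ledger: ConsentLedger, principal: str, purpose: str) -> None:
    """Enforcement gate: every consent-based processing path calls this first."""
    if not ledger.is_consented(principal, purpose):
        raise ConsentError(f"no current consent from {principal!r} for {purpose!r}")


def send_marketing_email(ledger: ConsentLedger, principal: str) -> str:
    require_consent(ledger, principal, "marketing")
    return f"sent offer to {principal}"  # the real send would go here


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("dp-1", "marketing", "We will email you offers about our products.", "mobile_app")
    ledger.grant("dp-1", "analytics", "We measure how the app is used to improve it.", "mobile_app")
    print(send_marketing_email(ledger, "dp-1"))
    ledger.withdraw("dp-1", "marketing", "mobile_app")   # partial withdrawal: analytics untouched
    print("analytics still consented:", ledger.is_consented("dp-1", "analytics"))
    try:
        send_marketing_email(ledger, "dp-1")
    except ConsentError as exc:
        print("blocked:", exc)
    print("chain intact:", ledger.verify())
```

Two design choices carry the compliance weight. Status is never stored as a mutable flag; it is replayed from the log, so a withdrawal recorded in any channel is immediately visible to every system that reads the ledger, and the `at` argument reproduces the state that held on a given date for a dispute. The hash chain does not stop an insider with write access from altering history, but it makes any alteration detectable on the next `verify()`, which is what an auditor needs; in production the chain head would be anchored somewhere the ledger's own administrators cannot change.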
6. Special Considerations for Children's Data
Under Section 9(1), processing the personal data of a child requires verifiable consent from a parent or lawful guardian, obtained in the manner prescribed by the Rules. This introduces additional complexity in consent collection and verification.
Age Verification
Implement mechanisms to identify users below the threshold age. The DPDPA defines a child as an individual who has not completed eighteen years of age (Section 2(f)), a higher threshold than many other regimes; the manner of verifying age and parental consent is left to the Rules, so organisations should adopt a reasonable, documented approach and revisit it as the Rules are clarified.
Guardian Identification
Establish procedures to identify and verify parents or lawful guardians before collecting their consent.
Consent Verification
Implement verification measures proportionate to the risk. Low risk processing may require less stringent verification than sensitive data collection.