The DPDPB has placed consent as one of the grounds of processing of data.
- Data Fiduciaries must obtain the consent of Data Principals before processing their Personal Data. Using an itemized notice that explains the collection of Personal Data and its intended use, consent should be obtained.
- Consent must be clear, plain language in the consent form as well as translations in the 22 (twenty-two) languages listed in the Eighth Schedule of the Constitution of India.
- DPDPB introduces the concept of ‘deemed consent’. As long as the Data Principal is “reasonably expected to provide Personal Data”, it will allow processing without explicit consent.
- The deemed consent may also apply to purposes related to employment (such as biometric information) and public interest such as debt recovery and fraud prevention. The consent requirement is also simplified in this way.
- Consent must be collected in such a way that it can be withdrawn by the data principal at any given time.
- Consent can also be collected, withdrawn or managed through a consent manager.