
Consent Under the Data Protection Rules

“The Consent of the Governed is not Consent if it is Not Informed”


Consent is when you say "yes" to something right away. Under laws like GDPR, CCPA, and DPDP, it is a legal way for companies to use your information. It's like when they ask if collecting your data is okay, and you agree. This agreement is important and follows the rules to make sure everyone is on the same page about using your information.


What is Consent in Privacy? 


On websites, you might have noticed checkboxes that you can tick to agree to something or buttons that say "Accept" or "Decline." This is all about getting your permission, or consent, for the website to collect, store, or share your information. To make sure you're okay with it, you have to click or check the box actively. It's like giving a clear "yes" or "no" to what the website is asking you.


General Data Protection Regulation [GDPR]


Under GDPR, consent is about giving you control over your data. Companies must ask for permission in a clear, honest, and straightforward way, ensuring you understand and agree to how they use your information.



The key points include the following:


Clear Permission:

  • GDPR requires companies to be crystal clear about what they want to do with your data.

  • Before they collect or use it, they must explain why and ask for your permission.

Your Choice Matters:

  • You have the right to say "yes" or "no" to giving your data.

  • Companies can't force you or trick you into agreeing.

Easy to Understand:

  • Information about data usage should be easy for anyone to understand.

  • No confusing or complicated terms.

Specific and Informed:

  • Companies should tell you exactly what they plan to do with your data.

  • It's about being specific and not hiding anything.

No Surprises:

  • If they want to use your data in a new way later on, they must ask for permission again.

  • No surprises or unexpected changes without your agreement.

Easy to Say No:

  • It should be as easy to say "no" as it is to say "yes."

  • Companies must not make it difficult for you to refuse.

All these are key aspects of consent under GDPR.


California Consumer Privacy Act [CCPA]


Under the California Consumer Privacy Act (CCPA), consent plays a significant role in empowering individuals to control their personal information. 



Transparent Information:

  • Companies must be transparent about what personal information they collect, why they collect it, and how they plan to use or share it.

Right to Opt-Out:

  • CCPA gives you the right to say "no" to the use of your personal information.

  • Companies must provide a clear and easy way for you to opt out if you don't want your data to be used.

Age Restrictions:

  • For minors under 16 years old, companies need explicit consent (or the consent of a parent or guardian) before using their personal information.

No Discrimination:

  • Companies cannot treat you differently or deny you services if you choose to exercise your right to opt-out.

Clear Privacy Notices:

  • Companies must provide clear and easily understandable privacy notices, including information about your right to opt out.

Limited Collection:

  • The information collected should be necessary for the purpose disclosed to you, and companies should not collect more than what is needed.


Digital Personal Data Protection Act [DPDP]


India’s new Digital Personal Data Protection Act (DPDP or DPDA) was passed in Parliament in August 2023 after five years of talks. It lays down rules for how both companies and the government can collect and use the personal information of Indian citizens. This act aims to ensure transparency and accountability in handling people’s data, and its development involved discussions between the government, companies, and civil society.



Consent under DPDP should have:


Notice Requirement:

  • Data Fiduciaries must provide a notice before requesting consent.

  • The notice must specify the purpose of data processing.

  • Option to access the notice in any Indian language listed in the 8th Schedule to the Constitution.

Limited Consent:

  • Consent is limited to personal data necessary for the specified purpose.

Prescribed Format:

  • Format for consent notice may be prescribed under the Rules and Regulations.

Data Minimization and Purpose Limitation:

  • Consent aligns with principles of data minimization and purpose limitation.

Mandatory Fresh Notice:

  • A mandatory fresh notice is required each time consent is sought for a specific purpose.

  • If consent was obtained before enactment, a fresh notice must be served to seek renewed consent.

Challenges for Data Fiduciaries:

  • Data Fiduciaries face the challenging task of collating and sending notices for seeking fresh consent.

Consent Managers:

  • Consent Managers serve as single points of contact.

  • Enable Data Principals to give, manage, review, and withdraw consent.

  • The platform should be accessible, transparent, and interoperable.

Regulatory Compliance:

  • Data Fiduciaries are obligated to comply with the Data Privacy enactment in India.

Language Accessibility:

  • Notices and communication should be accessible in various Indian languages as per constitutional provisions.

Consent Renewal for Pre-Enactment Consent:

  • Even for consent obtained before enactment, a renewal notice must be served to Data Principals.

Transparent Mechanism:

  • The mechanism for seeking consent should be transparent, ensuring understanding and awareness of Data Principals.

Accountability of Consent Managers:

  • Consent Managers are accountable to the Data Principals for managing and facilitating consent-related processes.

These points are necessary for consent under the DPDP Act.


For more blogs and updates on data privacy, connect with us at Privacient and secure your data, because at Privacient we are fostering a culture of privacy.




