India's data protection law, the Digital Personal Data Protection Act, 2023 (DPDPA), which is yet to come into force, requires data fiduciaries to obtain opt-in consent when collecting personal data from a data principal for processing.
As per Section 6(1) of the DPDPA, a data principal’s consent to the processing of her personal data by data fiduciaries shall be free, specific, informed, unconditional, and unambiguous “with a clear affirmative action” and shall signify an agreement to the processing of her personal data “for the specified purpose” and be “limited to such personal data as is necessary for such specified purpose.”
The opt-in consent and the principles of purpose limitation and data minimization are reflected in this provision. Opt-in consent requires a data principal to consciously tick the checkbox indicating her agreement to the processing of her personal data for receiving marketing e-mails.
If the checkbox meant for the same purpose is pre-ticked, or if a marketing e-mail sent to a data principal who opted in to receive such e-mails contains an “unsubscribe” link, it is an opt-out mechanism. In other words, the opt-out mechanism allows data principals to withdraw their consent.
Notably, opt-in consent is mandated by prominent privacy laws such as the General Data Protection Regulation (Article 4(11) of EU GDPR) and the General Data Protection Law (Article 5(XII) and 8(4) of Brazil’s LGPD). On the flip side, the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (Section 5(5) of CAN-SPAM) and the California Consumer Privacy Act (Section 1798.120 of CCPA) require organizations to adopt an opt-out consent mechanism, which lets consumers/individuals opt out of having their personal data processed by the organizations for certain specific purposes.
For consent to be unambiguous, specific, and affirmative, it is essential that a data principal understands the specified purposes, and the extent of personal data processed for such purposes, and indicates her consent with a positive action. Thus, on a comparative analysis, opt-in consent is privacy-friendly as it enables the data principal to understand the handling of her personal data by the data fiduciaries and consciously make an informed decision.
The European Data Protection Board (EDPB) guidelines on consent state that:
“Consent mechanisms must not only be granular to meet the requirement of 'free', but also to meet the element of 'specific'. This means a controller that seeks consent for various purposes should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes.”
For instance, if an organization wants to send marketing and/or promotional e-mails to a data principal, it should allow the data principal to tick a checkbox specific to this purpose. Thus, any consent to a bundle of processing purposes would be contrary to the EU guidelines on consent and may be held invalid.
The DPDPA requires the provision of a consent notice outlining the purposes of personal data processing, and the way data principals can exercise their rights or raise a complaint to the Data Protection Board of India [Section 5 of the DPDPA].
The Office of the Privacy Commissioner (OPC) decision in the Home Depot case in Canada and EDPB’s Meta Ireland decision highlight the need for specific opt-in consent for specific purposes.
Similarly, in EDPB’s decision on Meta’s data processing for behavioral advertising, Meta argued that processing of users’ data for behavioral advertising was a core element of its services rendered to the users, which permitted Meta to rely on “performance of the contract” as the lawful basis of processing users’ data under the EU GDPR. The Ireland Supervisory Authority agreed with Meta’s position because this purpose was clearly mentioned in the terms of service between users and Meta. However, EDPB disagreed and stated that (i) there was no contractual obligation for Meta in its terms and conditions to offer personalized ads to its users, and (ii) a mere reference to processing for behavioral advertising in Meta’s terms would be insufficient information for an average user to understand the privacy impact of such processing for behavioral advertising. Therefore, EDPB stated that Meta should obtain a separate opt-in consent for processing users’ data for behavioral advertising.
Considering the above decisions, the practices developed across different industries as an outcome of these decisions, the similarity in the undertones of the consent provisions in the GDPR, PIPEDA and DPDPA, and the pending development in the interpretation of the consent requirements in the Indian context, it is reasonable to expect organizations in India to fine-tune their consent mechanisms and adopt a granular approach to obtain consent specifically for each and every purpose of personal data processing.
About the author: Sandeep G is an Associate at NovoJuris Legal.