How to Comply with Section 6 of the DPDP Act, 2023

Comprehensive framework for obtaining and managing consent from Data Principals

Updated Dec 2024

The Digital Personal Data Protection Act, 2023 (DPDPA) is India's first data protection law. The enactment of the DPDPA will mark a significant advancement in the data privacy framework of India. Section 6 of the DPDPA establishes a comprehensive framework for obtaining and managing consent from Data Principals. This article examines the key consent requirements that Data Fiduciaries are required to adhere to, failing which hefty penalties will be imposed on them.

Characteristics of Valid Consent

As per Section 6(1), the characteristics of a valid consent are as follows:

  • Free: Given voluntarily without coercion
  • Specific: Related to clearly defined particular purposes
  • Informed: Based on adequate information about processing
  • Unconditional: Not contingent upon other terms
  • Unambiguous: Clearly indicating agreement
  • Affirmative: Expressed through clear action
  • Proportionate: Limited to data necessary for the specified purpose

Practical Implementation:

Let us understand this with an example we can all relate to. We all order groceries or other everyday essentials using Blinkit, Zepto, Instamart and similar platforms. They request access to your personal data, including your phone number and location details, in order to deliver the groceries you ordered. Let us say, for instance, that they also request access to your contact list or your email ID, and you provide consent for the processing of all of these details.

In this case, valid consent will be limited to processing your personal details, that is, your phone number and address for the delivery of goods. This is because your contact list and email address are not required for making available the delivery services.

Invalidity of Unlawful Consent Terms

Section 6(2) invalidates any consent that contravenes provisions of the DPDP Act, its rules, or any other law. Let us understand this with the help of an example. If an employee enters into a contract with his employer, consents to the insurance policy and waives his right to file a complaint with the Data Protection Board in case his personal details are used for purposes other than the insurance policy, the consent for the latter will be automatically invalidated. This is because it violates the provisions of the DPDPA.

Language Requirements of the Notice

As per Section 6(3), every notice sent to the Data Principal for obtaining her consent must:

  • Be presented in clear, plain language
  • Give her the option of accessing the request in English or any language specified in the Eighth Schedule to the Constitution
  • Include contact details of the Data Protection Officer or authorized representative to ensure she can exercise her right to withdraw consent, utilise the grievance redressal mechanism or approach the Data Protection Board, as the case may be.

Data Principal's Right to Withdraw Consent

Sections 6(4) and 6(5) address withdrawal of consent:

  • Data Principals have the right to withdraw consent at any time
  • The withdrawal process must be as easy as it is to give consent
  • The Data Principal will be liable to bear the consequences of withdrawal
  • Withdrawing the consent will not affect the legality of processing based on consent before its withdrawal.

Practical Implementation

We all order our favorite outfits from various online shopping websites including H&M, Zara and the like. Let us say you ordered a particular pair of jeans and gave your consent for processing your personal details, that is, your phone number, banking details and address details, for the delivery of those jeans. However, 2 days later you withdraw the consent for processing these details. In that case, these platforms might not let you use the app for placing further orders. However, for the pair of jeans you have already ordered, the processing of your personal information will not be suspended.

Processing Ceases after Withdrawal of Consent

Section 6(6) requires that upon the withdrawal of consent:

  • The Data Fiduciary must cease processing of the personal data within a reasonable time period.
  • The Data Fiduciary must ensure its Data Processors also cease the processing of personal data.
  • Processing may continue only if it is required or authorized by law without obtaining the consent of the Data Principal.

Consent Managers

Sections 6(7), 6(8) and 6(9) introduce Consent Managers:

  • Data Principals may give, manage, review, or withdraw consent through a Consent Manager
  • Consent Managers are accountable to the Data Principal and act on their behalf
  • All Consent Managers must be registered with the Board and comply with prescribed conditions

Burden of Proof

Whenever there is a question regarding the processing of personal data in a proceeding, the burden of proof shall lie upon the Data Fiduciary under Section 6(10) to prove:

  • That the Data Fiduciary provided a notice to the Data Principal
  • The Data Fiduciary obtained the consent of the Data Principal in accordance with the DPDPA

Compliance with DPDP Act

In order to comply with Section 6 of the DPDPA, organisations and businesses must take the following measures:

  1. Redesigning Consent Mechanisms: Organizations must redesign their consent collection processes to ensure they meet all requirements of specificity, clarity, and ease of withdrawal.
  2. Data Minimization: The requirement that consent be limited to necessary data enforces the principle of data minimization.
  3. Processor Management: Data Fiduciaries must establish systems to promptly communicate consent withdrawals to all Data Processors.
  4. Documentation: Comprehensive records of consent collection and withdrawal are essential for meeting the burden of proof requirement.
  5. Multilingual Support: Systems must accommodate consent in multiple languages as specified in the Constitution.

Conclusion

Section 6 of the DPDP Act fundamentally transforms how organizations must approach consent. The section's provisions ensure that Data Principals have meaningful control over their personal data through informed, specific consent that can be easily withdrawn. Organizations must implement robust systems to comply with these requirements while maintaining efficient data processing operations where legally permitted.
