Data Privacy Newsletter – Understanding Consent and Personal Data: March 2024

Introduction

Consent, put in simple terms, is granting permission or approval for something. In legal terms, consent is when someone voluntarily and willingly agrees to a proposition made by another person. In terms of personal data, ‘consent’ means an individual giving permission or approval to another person or organization for the collection, use, sharing and access of their personal data.

Consent under Privacy Laws across the Globe

Consent under global data protection and privacy laws has evolved significantly over time. Each newly enacted law has further clarified and specified the requirements for obtaining and demonstrating valid consent.

According to both the European Union’s General Data Protection Regulation (“GDPR”) and India’s Digital Personal Data Protection Act 2023 (“DPDPA”), consent from an individual is any voluntary, specific, well-informed, and clear indication of the individual’s wishes. This indication should signify agreement to the processing of their personal data for a specified purpose and is restricted to the personal data necessary for that purpose.

Types of Consent Mechanisms

Consent is often perceived as the same as giving an individual the opportunity to opt out, but it is essential to distinguish between the two. Consent requires a clear expression of the individual’s wishes, while opt-out operates on the assumption that lack of objection implies consent.

Opt-in consent requires an individual to provide explicit, affirmative agreement to the processing of personal data, whereas opt-out consent means an individual indicating that they prefer their personal data not to be processed. The GDPR explicitly requires opt-in consent for certain types of personal data processing. The DPDPA prefers opt-in consent for all personal data processing.

For instance, a pre-ticked consent checkbox would indicate that an organization will use the individual’s personal data and the individual will have an option to opt out of such an arrangement. However, if the individual does not uncheck the checkbox, that should not amount to consent, since the individual has not actively expressed an indication of their wishes. The individual has chosen not to exercise their right to opt out but has not consented freely, specifically and unambiguously after being informed about the particular use of their personal data.

Consent for Businesses / Organizations

All global data protection and privacy regulations mandate that organizations process personal data lawfully, fairly, and transparently, and they allow organizations to use consent as a basis for processing personal data. Under the GDPR, consent serves as a lawful basis for processing personal data, while under the DPDPA, it falls within the scope of legitimate uses for processing personal data.

It’s crucial to note that organizations must establish suitable consent mechanisms which enable them to obtain consent from individuals before commencing any processing activities. Additionally, organizations must ensure that individuals are provided with the option to opt out if they decide to withdraw their consent. By implementing effective consent mechanisms, organizations not only fulfill their legal obligations but also respect individuals’ rights to manage their personal data.

It is important to note that relying on consent for processing personal data has its own set of challenges, as consent can be withdrawn by the individual at any time. Organizations must assess whether consent is the most appropriate basis for long-term processing activities, as the individual’s ability to revoke consent could impact the planned business activity.

Conclusion

Consent plays a crucial role under global data protection and privacy laws, providing organizations with a lawful method for processing personal data. Organizations must always be able to document consent to demonstrate that it was obtained. Failure to secure lawful consent can expose organizations to regulatory fines and penalties for non-compliance.
