Understanding "Consent" Under the Digital Personal Data Protection Act, 2023 (DPDPA) [By Adv. (Dr.) Prashant Mali, Cyber Law Consulting]

1. Introduction to Consent in DPDPA

Consent is the foundational principle that governs how personal data is collected, processed, and utilized. Under the DPDPA, consent ensures that individuals have control over their personal information, empowering them to make informed decisions about who accesses their data and for what purposes. When it comes to personal data, consent is the golden ticket—it’s what separates ethical data practices from intrusive overreach. Think of it like a gatekeeper for your personal information. Without it, anyone could waltz in, rifle through your details, and use them however they please. Under the Digital Personal Data Protection Act (DPDPA), consent is more than just a checkbox on a form; it’s a fundamental principle that puts you, the individual, in the driver’s seat. Let’s break it down. Consent, in this context, means you have the final say over how your personal data is collected, processed, and used. It’s not just about saying “yes” or “no”—it’s about ensuring you’re fully informed, in control, and protected. This is a game-changer in a world where data has become the new currency.

Why Consent Matters: The Three Pillars

Consent isn’t just a buzzword; it’s the backbone of ethical data handling. Let’s explore why it matters so much under the DPDPA.

1) Empowerment: Grants individuals autonomy over their personal information. Imagine you’re handing someone the keys to your house. Would you do it without knowing why they need access, how long they’ll stay, or what they plan to do inside? Of course not. The same logic applies to your personal data. Consent empowers you by giving you autonomy over who gets to use your information and for what purpose. The DPDPA recognizes that your data is yours—plain and simple. With clear, upfront consent requirements, it ensures you have the power to decide whether a company can collect your browsing history, your shopping habits, or even sensitive details like your health records. This shift flips the script, making you the decision-maker rather than a passive participant in the data ecosystem.

2) Transparency: Promotes clear communication between data fiduciaries and data principals. Ever felt like you signed up for a service but had no idea what you were really agreeing to? You’re not alone. In the past, terms and conditions often resembled a never-ending maze of legal jargon—designed more to confuse than clarify. The DPDPA changes that by prioritizing transparency. Here’s how it works: when a company seeks your consent, it must clearly explain what data it’s collecting, why it’s doing so, how it will be used, and who it might share it with. No fine print, no surprises. This level of transparency fosters trust, making you feel more confident about sharing your information. It’s like walking into a restaurant where the chef explains every ingredient on the menu—you know exactly what you’re getting.

3) Accountability: Holds organizations accountable for responsible data handling. Consent isn’t just about empowering individuals—it’s also about holding organizations accountable. Think of it as a safety net. When a company mishandles your data or uses it for purposes beyond what you agreed to, the DPDPA ensures they can’t just shrug it off. Data fiduciaries (the entities handling your data) are required to stick to the conditions of your consent. If they deviate or act irresponsibly, they face penalties. This isn’t just about protecting individuals; it’s about setting a gold standard for responsible data management. Accountability keeps everyone honest, creating a culture where organizations take data privacy seriously.

2. Key Terms Related to Consent

Understanding consent within the DPDPA framework requires familiarity with several key terms:

Understanding consent under the Digital Personal Data Protection Act (DPDPA) isn’t just about knowing your rights—it’s about speaking the same language as the law. To make sense of how consent functions within this framework, it’s essential to familiarize yourself with a few key terms. Think of these as the building blocks of a secure and ethical data ecosystem. Once you know these terms, navigating the DPDPA becomes as straightforward as following a well-marked map.

1) Data Principal: The individual to whom the personal data pertains.the STAR of the Show At the heart of the DPDPA is the data principal—that’s you. Simply put, the data principal is the individual to whom the personal data pertains. If your email, phone number, or health records are being collected, you’re the data principal. Think of yourself as the owner of a treasure chest, and your personal data is the treasure. The DPDPA emphasizes that as the data principal, you have ultimate authority over how your treasure is handled. It’s like being the captain of a ship—you decide who gets to come aboard, what they can do while they’re there, and when they need to leave.

2) Data Fiduciary: An entity (individual or organization) that determines the purpose and means of processing personal data.The Trusted Guardian Now, let’s talk about the data fiduciary. This is the entity—whether it’s a company, an organization, or an individual—that determines the purpose and means of processing your personal data. If you’re the captain, they’re like the crew you’ve hired to handle your ship. But here’s the catch: they’re legally bound to act in your best interest. The word “fiduciary” implies trust, and under the DPDPA, this trust is non-negotiable. Data fiduciaries are expected to handle your information responsibly, transparently, and only for the purposes you’ve agreed to. If they overstep, misuse your data, or fail to protect it, they can face serious consequences. In a way, they’re like stewards of a valuable museum artifact—you own it, but they’re responsible for keeping it safe.

3) Explicit Consent: A clear and specific agreement by the data principal for the processing of their sensitive personal data.The Gold Standard When it comes to sensitive personal data, the DPDPA insists on explicit consent—and for good reason. Explicit consent means you’re fully aware of what’s being collected, why it’s being collected, and how it will be used. You’ve given your permission in a clear, unambiguous way. It’s like signing a contract where every clause is explained in plain language. For example, if a healthcare app wants to access your medical records, it can’t just bury that request in a lengthy terms-and-conditions document. Instead, it must explicitly ask for your consent, detailing how your data will be stored, processed, and shared. This level of clarity is crucial for ensuring trust and fairness.

4) Implicit Consent: Assumed consent based on the context of data collection, typically not suitable for sensitive data.The Gray Area Unlike explicit consent, implicit consent is more contextual. It’s assumed based on your actions, but it’s generally not suitable for sensitive personal data. For instance, if you hand your email address to a retailer to receive a receipt, it’s reasonable to assume they have your implicit consent to send you that receipt. However, they can’t assume they have the right to add you to their marketing list without asking explicitly. Think of implicit consent as a handshake—an agreement based on mutual understanding. While it works in certain everyday situations, it’s not robust enough for more serious or sensitive data-sharing scenarios. For anything beyond the basics, the DPDPA leans heavily on explicit consent as the preferred standard.

5) Revocable Consent: The ability of the data principal to withdraw consent at any time.Taking Back Control Here’s where things get really interesting. Under the DPDPA, consent isn’t a one-time deal—it’s revocable. That means you can withdraw your consent at any time, no questions asked. If you decide that you no longer want a company to hold onto your data, you can simply revoke your permission, and they’re obligated to comply. Imagine you’ve rented out your spare room to a tenant. You gave them the keys and agreed on a set of rules, but later, you realize you’re no longer comfortable with the arrangement. Revocable consent is like saying, “Thanks, but I need those keys back now.” The tenant (or in this case, the data fiduciary) has no choice but to res pect your decision.

Why These Terms Matter

These terms aren’t just legal jargon—they represent the foundation of a more ethical and transparent approach to data handling. They ensure that:

• You stay in control of your personal data at all times.

• Organizations act responsibly and are held accountable.

• Consent is dynamic, giving you the flexibility to adapt as your comfort level changes.

By defining roles like data principal and fiduciary and setting standards for explicit, implicit, and revocable consent, the DPDPA creates a framework that prioritizes clarity, fairness, and empowerment.

A Practical Example: Bringing It All Together

Let’s say you’re using a fitness app. As the data principal, you own the rights to your workout logs and health data. The app acts as the data fiduciary, collecting and analyzing your information to provide personalized recommendations.

• When you sign up, the app seeks explicit consent to access your health metrics. It explains how the data will be used to improve your experience.

• By using the app to track a workout, you provide implicit consent for the app to record that session.

• Six months later, you decide you no longer want the app to retain your data. Thanks to revocable consent, you can request deletion of your records, and the app must comply promptly.

This seamless interplay between these concepts ensures that your data journey is secure, transparent, and entirely under your control.

3. Rights of Individuals Regarding Consent

The DPDPA enshrines several rights for individuals to manage their consent effectively:

In a world where data is currency, knowing your rights is like holding the keys to your digital kingdom. The Digital Personal Data Protection Act (DPDPA) takes this responsibility seriously, placing the control firmly in your hands. Gone are the days of blindly signing off on vague terms and conditions. With the DPDPA, individuals are equipped with a robust set of rights to manage their consent effectively and ensure their data is handled with the respect it deserves. Let’s break down these rights, each of which is designed to give you more power, transparency, and peace of mind in the increasingly complex digital landscape.

1) Right to Informed Consent: Individuals must be fully informed about how their data will be used before providing consent.Knowledge Is Power

Imagine agreeing to a deal without knowing the terms. Sounds reckless, right? The DPDPA ensures this doesn’t happen with your data. The Right to Informed Consent means you have the right to know exactly how your personal data will be used before you agree to share it. When a company seeks your consent, it’s not enough for them to say, “We’ll use your data.” They must explain what data they’re collecting, why they’re collecting it, how it will be used, and who it might be shared with. This is like reading a clear, easy-to-understand menu before placing your order, rather than being surprised by a dish you didn’t expect. This right empowers you to make informed decisions, giving you the confidence to either give your consent or say, “Thanks, but no thanks.”

2) Right to Specific Consent: Consent must be obtained for specific purposes and not be blanket approval for all data processing activities.

Have you ever signed up for a service and felt like you gave them the keys to your entire life? That’s exactly what the Right to Specific Consent aims to prevent. Under the DPDPA, companies must obtain your consent for a specific purpose. They can’t ask for blanket approval to process all your data for any reason they choose. For example, if you’re signing up for a food delivery app, they can ask for your location to find nearby restaurants, but they can’t use that consent to track your movements 24/7 or sell your data to advertisers. It’s like granting someone access to your garden to water the plants—not to throw a party or start digging up your lawn. Specific consent ensures your data is used for the purpose you agreed to and nothing more.

3) Right to Withdraw Consent: Individuals can revoke their consent at any time, and data fiduciaries must cease processing personal data upon withdrawal.

What if you change your mind about sharing your data? No problem. The Right to Withdraw Consent gives you the power to revoke your permission at any time. This isn’t just a symbolic right—it’s actionable. When you withdraw your consent, the data fiduciary (the entity handling your data) must stop processing your information immediately. If they’ve shared it with third parties, they’re obligated to inform those parties to cease using your data as well. Think of this as taking back the keys you lent someone. Whether you trusted them initially but later had second thoughts, or simply decided it’s no longer necessary, you have every right to pull the plug. It’s your data, your call.

4) Right to Access and Control: Individuals can access their data and understand how it is being used, ensuring transparency.

How often have you wondered, “What are they doing with my data?” The Right to Access and Control gives you the answer. Under this right, you can access the personal data a company has about you and understand how it’s being used. Are they storing your email address securely? Are they sharing it with third parties? This level of transparency is crucial for building trust and ensuring accountability. Moreover, if you notice something that feels off—like outdated or inaccurate information—you can request corrections. It’s like being able to audit your financial records whenever you want, ensuring that everything is in order and nothing shady is happening behind your back.

How These Rights Work Together ?

Let’s consider an example to see these rights in action. Imagine you’re signing up for a healthcare app.

1.Right to Informed Consent: The app clearly explains that it will collect your health data to provide fitness recommendations and secure it with encryption.

2.Right to Specific Consent: The app asks for your consent specifically to track your daily steps and calorie intake—not to share this data with advertisers.

3.Right to Withdraw Consent: Three months later, you decide you no longer want the app to track your calorie intake. You withdraw your consent, and the app immediately stops collecting this data.

4.Right to Access and Control: You also request a summary of the data the app has collected so far and notice an error in your recorded weight. You ask for a correction, and the app updates your profile accordingly.

Together, these rights create a system where you remain in the driver’s seat, fully informed and fully in control.

4. Obligations of Data Fiduciaries Concerning Consent

Data fiduciaries bear significant responsibilities to uphold the consent framework:

Data fiduciaries, the entities entrusted with managing personal data, play a critical role in upholding the principles of consent under the Digital Personal Data Protection Act (DPDPA). They’re like the custodians of a digital vault, responsible for ensuring the data inside is handled ethically, securely, and transparently.

1) Obtain Clear Consent: Ensure that consent is explicit, informed, and freely given, avoiding any form of coercion.

At the heart of any consent framework is clarity. Data fiduciaries must ensure that consent is explicit, informed, and freely given. This means individuals should fully understand what they’re agreeing to, without being coerced or misled. Imagine you’re about to sign a contract. Would you do it without knowing the terms? Of course not! Similarly, consent under the DPDPA must be crystal clear. Fiduciaries are required to explain, in plain language, why they need your data, how they’ll use it, and for how long. Ambiguity or fine print? Not allowed. This obligation empowers individuals to make informed choices and eliminates manipulative practices like pre-ticked checkboxes or vague consent forms. By ensuring consent is genuine, data fiduciaries set the foundation for trust.

2) Provide Detailed Information: Clearly communicate the purpose, scope, and duration of data processing activities.

Transparency is like a window into the data processing world—it lets individuals see exactly what’s happening with their personal information. Data fiduciaries are required to provide detailed information about their activities, including: • Purpose: Why is the data being collected? • Scope: What specific data will be processed? • Duration: How long will the data be retained? Think of this as the fiduciary laying all their cards on the table. When you sign up for a service, they can’t just say, “We’ll use your data to improve user experience.” They need to spell out what “improve user experience” means—whether it involves personalized recommendations, behavioral analysis, or something else entirely. This level of transparency not only builds trust but also ensures individuals are never left in the dark about how their data is being used.

3) Implement Consent Management Systems: Develop robust systems to record, track, and manage consent, including mechanisms for withdrawal.

Managing consent isn’t a one-and-done task—it’s an ongoing responsibility. Data fiduciaries must develop robust consent management systems to record, track, and manage consent. These systems should make it easy for individuals to: • View the data they’ve shared. • Understand the permissions they’ve granted. • Update or withdraw their consent at any time. Picture it like a dashboard for your digital life—a place where you can see who has access to what, and adjust those permissions as needed. For fiduciaries, this isn’t just about compliance; it’s about creating a user-friendly experience that reinforces trust.

4) Ensure Data Security: Protect personal data through technical and organizational measures to prevent unauthorized access or breaches.

What good is consent if the data isn’t secure? Data fiduciaries are obligated to implement strong technical and organizational measures to protect personal data. This includes: • Encryption: Ensuring data is stored and transmitted securely. • Access Controls: Restricting who can access sensitive information. • Incident Response: Having a plan in place to handle data breaches swiftly. Imagine entrusting a bank with your money, only to find out they leave the vault door wide open. That’s the equivalent of poor data security. Fiduciaries must treat personal data with the same level of care and vigilance, ensuring it’s protected against unauthorized access, theft, or misuse.

5) Regular Audits and Compliance Checks: Conduct periodic reviews to ensure ongoing adherence to consent requirements under the DPDPA.

Compliance isn’t a one-time box to tick—it’s an ongoing journey. Data fiduciaries must conduct regular audits and compliance checks to ensure they’re adhering to the DPDPA’s consent requirements. These audits serve as a health check for their data practices, identifying any gaps or vulnerabilities before they become major issues. It’s like taking your car in for regular servicing—you address small problems early to avoid costly breakdowns later. By committing to continuous improvement, fiduciaries not only stay compliant but also demonstrate their dedication to ethical data management.

Why These Obligations Matter

You might be wondering, why all these rules? The answer is simple: to protect individuals and create a fair digital ecosystem. These obligations ensure that:

• Consent is meaningful, not just a checkbox.

• Transparency is prioritized, eliminating hidden agendas.

• Data is secure, reducing the risk of breaches.

• Trust is built, fostering better relationships between fiduciaries and individuals.

In essence, these responsibilities transform data fiduciaries from passive collectors into active stewards of personal information.

Real-Life Example: A Healthcare App

Let’s put these obligations into perspective with an example. Imagine a healthcare app that tracks your fitness progress:

1.Obtain Clear Consent: The app explains that it needs your health data to provide tailored fitness recommendations.

2.Provide Detailed Information: It specifies that it will collect your step count, calorie intake, and heart rate, and retain the data for six months.

3.Implement Consent Management Systems: You can log in anytime to review the permissions you’ve granted or withdraw your consent.

4.Ensure Data Security: The app encrypts your data and uses secure servers to prevent unauthorized access.

5.Regular Audits and Compliance Checks: It conducts periodic reviews to ensure its practices align with the DPDPA.

This holistic approach ensures your data is handled with care, respect, and transparency.

5. Role of the Data Protection Board in Consent Issues

The Data Protection Board (DPB) is the regulatory authority responsible for enforcing the DPDPA. Its roles concerning consent include:

Monitoring Compliance: Oversee data fiduciaries to ensure they adhere to consent protocols.

Handling Complaints: Address grievances filed by individuals regarding misuse or mishandling of their consented data.

Imposing Penalties: Enforce fines and corrective actions against entities that violate consent requirements.

Guidelines and Recommendations: Issue directives to clarify consent-related provisions and best practices for data fiduciaries.

6. Role of the Consent Manager under the DPDPA

Let’s face it—managing consent in the digital age can feel like walking a tightrope. The Digital Personal Data Protection Act (DPDPA) 2023 introduces a game-changer in this regard: the Consent Manager. But who is this mysterious entity, and why does it matter? Think of a Consent Manager as a digital traffic cop, directing the flow of your personal data and ensuring it doesn’t get misused. Under the DPDPA 2023, Consent Managers act as intermediaries between data principals (that’s you and me) and data fiduciaries (companies handling our data). Their primary job? To make giving, withdrawing, and managing consent for data usage seamless, transparent, and secure. Here’s the cool part: Consent Managers must be registered with the Data Protection Board of India, ensuring they meet high standards of accountability and data security. They simplify the complex world of consent by offering easy-to-use interfaces, where individuals can control who gets access to their data and for what purpose—no more fine-print nightmares or shady opt-ins. Why is this important? Because in a world where data is the new oil, your consent is your power. With Consent Managers, DPDPA 2023 places control firmly in your hands, making data privacy not just a right, but a reality.

What Does a Consent Manager Do?

The Consent Manager is responsible for simplifying the process of providing, withdrawing, or managing consent. We’ve all faced those confusing consent forms full of legal jargon and endless checkboxes. Consent Managers aim to eliminate this frustration by offering user-friendly interfaces where you can control who gets access to your data and for what purpose.

For instance:

• You can easily grant or revoke consent for specific data uses with just a click.

• They ensure that you’re fully informed before granting consent, including details like why your data is being collected and how it will be used.

• If you ever feel like withdrawing your consent, it’s as simple as toggling a switch—no lengthy processes or endless customer service calls.

Essentially, Consent Managers act as a guardian of your digital rights, making data privacy accessible and actionable.

Why Are Consent Managers Crucial?

In a world where data is the new oil, having control over who accesses your personal information is non-negotiable. Without proper checks and balances, data misuse can lead to identity theft, targeted scams, or even manipulation through behavioral profiling. Consent Managers ensure that your personal data is handled ethically and legally, aligning with the principles of informed consent. But their role doesn’t just stop at safeguarding your data rights. They also benefit businesses by reducing compliance risks. Companies that integrate Consent Manager services can demonstrate their commitment to data privacy, building trust with customers in a hyper-competitive market.

DPDPA 2023: Consent empowerment through Consent Manager The Consent Manager is more than just a tool—it’s a cornerstone of the DPDPA 2023’s mission to make data privacy a reality for everyone. By bridging the gap between individuals and organizations, Consent Managers ensure that your consent is not just a checkbox but a meaningful, enforceable
agreement. With this innovation, India takes a significant leap toward a privacy-first digital future, where your data remains truly yours.

7. Latest Amendments, Notifications, and Guidelines on Consent

Staying abreast of the latest changes is crucial for compliance. Recent updates should include:

Enhanced Consent Mechanisms: Introduction of more stringent requirements for obtaining explicit consent for sensitive data.

Clarifications on Consent Withdrawal: Detailed guidelines on how data fiduciaries should facilitate the withdrawal process.

Digital Consent Platforms: Encouragement of using secure digital platforms to manage and document consent interactions.

Periodic Audits: Mandatory regular audits to verify consent management practices and data handling procedures.

Clarity on Consent Managers Role Consent manager to be within organisation or outsourced. Consent managers liability and indeminity

Stay Updated:

Regularly consult the Data Protection Board of India's website for the latest amendments and official notifications.

8. Comparison with Other Indian Laws

Indian Contract Act, 1872

The Indian Contract Act, 1872 also touches upon consent, albeit in a different context:

1) Definition of Consent: Consent must be free, informed, and without coercion for a contract to be valid.

The Indian Contract Act, 1872 establishes consent as the cornerstone of valid agreements. It requires that parties willingly agree to the terms without coercion, fraud, undue influence, misrepresentation, or mistake. This principle, often referred to as consensus ad idem or “meeting of the minds,” ensures that all parties understand and agree to the same terms. Consent in this context is crucial because it validates the integrity of the agreement, making it enforceable under the law. For instance, if someone is misled into signing a contract based on false information, the consent is considered tainted, rendering the contract voidable at their discretion. This emphasis on free and informed consent creates a balance of power, safeguarding individuals from exploitation in contractual relationships.

2) Linking Consent to the DPDPA’s Framework

The Digital Personal Data Protection Act (DPDPA), 2023 adopts and adapts this concept of consent, bringing it into the digital age. Like the Contract Act, the DPDPA prioritizes informed and voluntary agreement. However, it takes this principle further by requiring explicit consent for the collection and processing of personal data, particularly sensitive information. The DPDPA also empowers individuals with dynamic control through the right to withdraw consent at any time, a feature not commonly emphasized in traditional contracts. By combining the foundational principles of the Indian Contract Act with modern requirements for transparency and individual control, the DPDPA transforms consent into a robust tool for protecting personal autonomy in a data-driven world. Together, these laws illustrate how the concept of consent has evolved to address both physical and virtual interactions, ensuring fairness and accountability across domains.

9. Landmark Case Laws on Consent in India

Several pivotal cases have shaped the understanding and enforcement of consent in India:

Justice K.S. Puttaswamy (Retd.) vs Union of India (2017): Affirmed the right to privacy as a fundamental right, underscoring the importance of consent in data protection.

Shreya Singhal vs Union of India (2015): Struck down Section 66A of the IT Act for being unconstitutional, highlighting the necessity for clear and lawful consent in data-related provisions.

Anurag Srivastava vs Google India Pvt Ltd (2021): Addressed issues related to consent and data privacy in the context of search engine data handling.

Vasundhara Raje vs Union of India (2018): Dealt with data breach notifications and the role of consent in governmental data processing.

These cases collectively emphasize the judiciary's stance on consent, reinforcing its critical role in data protection.

10. Real-World Examples Illustrating Consent

To better grasp the practical applications of consent under the DPDPA, consider the following scenarios:

Example 1: Online Shopping Platforms

Scenario:
When you make a purchase on an online platform, you provide personal details like name, address, and payment information.

Consent Implications:
The platform must obtain your explicit consent to process this data for order fulfillment, marketing, and improving user experience. You should have the option to opt-out of receiving promotional emails at any time.

Example 2: Healthcare Apps

Scenario:
A health tracking app collects sensitive data such as your health metrics, biometric data, and lifestyle information.

Consent Implications:
The app must obtain explicit consent before collecting this data, clearly stating how it will be used. Additionally, it must provide mechanisms for you to revoke consent and ensure that your data is securely stored and processed.

Example 3: Social Media Platforms

Scenario:
When signing up for a social media account, you agree to share personal information and interact with targeted advertisements.

Consent Implications:
The platform must ensure that consent is informed and specific, detailing how your data will be used. Users should have the ability to control the extent of data sharing and withdraw consent whenever desired.

11. Conclusion

The Future of Consent in a Data-Driven World As technology continues to evolve, the concept of consent will need to adapt. With the rise of artificial intelligence, predictive analytics, and IoT devices, data collection has become more pervasive and less visible. You might not even realize when your data is being collected—think smart speakers, wearable devices, or connected cars. The DPDPA’s emphasis on consent ensures we don’t lose sight of individual rights amid this technological boom. By requiring transparency and accountability, it sets a framework that can evolve alongside innovation. In a sense, it’s like setting the rules of the road for self-driving cars before they dominate the streets—future-proofing the system to ensure safety and fairness. Consent isn’t just a legal requirement; it’s a fundamental right that empowers, protects, and respects individuals in the digital age. Under the DPDPA, consent takes center stage as the cornerstone of ethical data practices. It promotes autonomy, fosters trust, and ensures accountability, creating a fairer and more transparent data ecosystem. As we navigate an increasingly data-driven world, the importance of consent will only grow. It’s not just about ticking a box; it’s about reclaiming control over what’s yours—your data, your decisions, your power. In this landscape, the DPDPA acts as a guiding light, ensuring that consent remains the bedrock of data privacy. stands as a pivotal element within the Digital Personal Data Protection Act, 2023 (DPDPA), safeguarding individual autonomy over personal data and fostering trust between data principals and fiduciaries. As data becomes increasingly integral to our lives, understanding and adhering to consent mechanisms is paramount for the general public, businesses, and legal professionals alike. By aligning with the DPDPA's stringent consent requirements, organizations not only ensure compliance but also contribute to a more secure and transparent digital ecosystem.

Stay Informed:
Data protection laws are ever-evolving. Regularly updating your knowledge and practices in line with the latest guidelines and amendments is essential for maintaining compliance and protecting individual privacy.

By: Advocate (Dr.) Prashant Mali (Founder, Cyber Law Consulting).

Additional Resources

Official DPDPA Documentation: Ministry of Electronics and Information Technology

Data Protection Board of India: Data Protection Board Website yet to be launched

Indian Contract Act, 1872: Full Text of the Act

Landmark Case Laws:

Justice K.S. Puttaswamy vs Union of India (2017)

Shreya Singhal vs Union of India (2015)

Anurag Srivastava vs Google India Pvt Ltd (2021)

Educational Materials:

Webinars and workshops on DPDPA compliance offered by industry bodies and educational institutions.

Online courses on data protection and privacy laws.