Does Opt-In Consent under DPDPA require a granular and specific approach?

This article was First Published on Bar and Bench on 16th November 2023.

Indian Data Protection Law – Digital Personal Data Protection Act, 2023 (DPDPA) [yet to come into force] - requires Data Fiduciaries to go for opt-in consent while obtaining personal data from Data Principal for processing. As per section 6(1) of the DPDPA, a Data Principal’s consent to the processing of her personal data by Data Fiduciaries shall be free, specific, informed, unconditional, and unambiguous “with a clear affirmative action”, and shall signify an agreement to the processing of her personal data “for the specified purpose” and be “limited to such personal data as is necessary for such specified purpose”. The opt-in consent and the principles of purpose limitation and data minimization are reflected in this provision. Opt-in consent requires a Data Principal to consciously tick the checkbox indicating her agreement to the processing of her personal data for receiving marketing e-mails. If the checkbox meant for the same purpose is pre-ticked or if any marketing e-mail sent to the Data Principal, who opted-in to receive such e-mails, contains an “unsubscribe” link, it shall be an opt-out mechanism. In other words, the opt-out mechanism allows Data Principals to withdraw their consent. It is noteworthy to mention that opt-in consent is mandated by prominent privacy laws such as the General Data Protection Regulation (EU GDPR)[1] and General Data Protection Law (Brazil’s LGPD)[2]. On the flip side, Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM)[3] and Californian Consumer Privacy Act (CCPA)[4] require organizations to adopt an opt-out consent mechanism, thereby enabling the consumers/individuals to opt out of having their personal data processed for certain specific purposes by the organizations. For consent to be unambiguous, specific, and affirmative, it is essential that a Data Principal understands the specified purposes, the extent of personal data processed for such purposes, and indicates her consent with a positive action. Thus, on a comparative analysis, opt-in consent is privacy-friendly as it enables the Data Principal to understand the handling of her personal data by the Data Fiduciaries and consciously make an informed decision.

The European Data Protection Board (EDPB) guidelines on consent state that ”Consent mechanisms must not only be granular to meet the requirement of 'free', but also to meet the element of 'specific'. This means a controller that seeks consent for various purposes should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes.”[5] For instance, if an organization wants to send marketing and/or promotional e-mails to a data principal, it should allow the Data Principal to tick the check-box specific for this purpose. Thus, any consent to a bundle of processing purposes would be contrary to the EU guidelines on consent and may be held as invalid.

It is further important to analyze these EU guidelines on consent considering the privacy policy that organizations usually provide when a user/consumer reaches their websites. DPDPA requires the provision of a consent notice outlining the purposes of personal data processing, and the way data principals can exercise their rights or raise a complaint to the Data Protection Board of India.[6] The Office of the Privacy Commissioner (OPC) decision in Home Depot case in Canada and EDPB’s Meta Ireland decision highlight the need for specific opt-in consent for specific purposes. In the Canadian case[7], Home Depot, a retailer, shared the e-mail addresses of its clients, which were originally provided to generate e-receipts, with Meta for understanding the influence of Home Depot’s ads on Meta’s platforms, scaling the offline return on ad spending, and reaching people offline and showing them ads based on their offline actions. Additionally, Meta used the client information shared by HomeDepot for its own purposes, and the terms agreed between HomeDepot and Meta reflected this use case of Meta. As per the principles enshrined in Personal Information Protection and Electronic Documents Act (PIPEDA), the type of consent obtained by an organization would depend on the circumstances and the type of information (including sensitivity) and an organization should consider the reasonable expectations of an individual. Further, the guidelines for obtaining meaningful consent requires organizations to obtain express consent if the information processed (i) is sensitive; (ii) outside the reasonable expectations of an individual; and/or (iii) poses a meaningful residual risk of significant harm.[8] The OPC opined that Home Depot’s sharing of its client e-mail addresses were outside the clients’ reasonable expectations, and the shared information could potentially be sensitive if it is combined with the other information that Meta may hold in its database. Further, the OPC denied Home Depot’s argument that these purposes were covered in its privacy policy because Home Depot neither informed its clients about these purposes nor did it direct them to privacy policy of Home Depot and Meta while requesting their e-mail addresses for generating e-receipts. PIPEDA requires organizations to put reasonable efforts to make the clients understand the purposes for which their information will be processed, and there is no rationale for clients to obtain a privacy statement of Home Depot when the purpose, in view of the clients, was limited to e-receipt generation. The OPC recommended Home Depot to obtain opt-in consent from its clients by specifying about the disclosure of their e-mail address to Meta and the purposes for which they will be used.

Similarly, in EDPB’s decision on Meta’s data processing for behavioral advertising, Meta argued that processing of users’ data for behavioral advertising was a core element of their services rendered to the users, which permitted Meta to rely on “performance of the contract” as the lawful basis of processing users’ data under the EU GDPR. Ireland Supervisory Authority agreed with Meta’s position because this purpose was clearly mentioned in the terms of service between users and the Meta. However, EDPB disagreed and stated that (i) there was no contractual obligation for Meta in its terms and conditions to offer personalized ads to its users, and (ii) a mere reference to processing for behavioral advertising in Meta’s terms would be insufficient information for an average user to understand the privacy impact of such processing for behavioral advertising. Therefore, EDPB stated that Meta should obtain a separate opt-in consent for processing users’ data for behavioral advertising.

Considering the above decisions, practices developed across different industries as an outcome of these decisions, similarity in the undertones of consent provisions among GDPR, PIPEDA and DPDPA, and pending development in the interpretation of the consent requirements in the Indian context, it is reasonable to expect the organizations in India to fine-tune their consent-mechanisms and adopt a granular approach to obtain consent specifically for each and every purpose of personal data processing.