Why organizations would require "Consent Form" for DATA PROTECTION ACT

India is changing its data protection rules, and organizations have to follow the rules of the Digital Data Protection Act 2023 ("DPDP Act") for consent.


In my last article I wrote about "consent" as per the new Digital Data Protection Act 2023 from the perspective of consumers, but how can organizations write a consent form, and how will they process it?


Consent is defined as "The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose."

An organization requires an agreement of consent with consumers for the processing of their personal data. From any organization's perspective, the question is: "How should we write a consent request?"

Consent requests need to be prominent, concise, easy to understand and separate from any other information such as general terms and conditions.

It must have 3 layers, and the following terms should be followed:

  • keep your consent request separate from your general terms and conditions, and clearly direct people’s attention to it;
  • use clear, straightforward language;
  • adopt a simple style that your intended audience will find easy to understand – this is particularly important if you are asking children to consent, in which case you may want to prompt parental input and you should also consider age-verification and parental-authorisation issues;
  • avoid technical or legal jargon and confusing terminology (eg double negatives);
  • use consistent language and methods across multiple consent options; and
  • keep your consent requests concise and specific, and avoid vague or blanket wording.

We know that consent has to be free, unambiguous and unconditional, and must be legally required with some affirmative action.

So a second question arises: "What information would a consent form require?"

Consent must be specific and informed. You must as a minimum include:

  • the name of your organisation and the names of any other controllers who will rely on the consent – consent for categories of third-party controllers will not be specific enough;
  • why you want the data (the purposes of the processing);
  • what you will do with the data (the processing activities); and
  • that people can withdraw their consent at any time. It is good practice to tell them how to withdraw consent.

Organizations have to state the purpose of the consent clearly, and if consent is not free, it is always open to objection. Consent has to be free, and consumers should know the purpose for which they are giving it. A consent request has to be clear, and organizations would require special skill and knowledge to determine what type of data is required, how the data is used and the timeline over which that data is processed.

A consumer can always give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.

It is time that organizations provide a clear and organized way of determining consent. Proper documentation would be required, as would personnel with specialized skills who can prepare the consent form and always keep it in check.

