September 3, 2023
Giving Consent: What the Digital Personal Data Protection Act Means

So, there’s a new law that’s going to change how companies can use your personal information. The Digital Personal Data Protection Act of 2023 means companies have to be a lot more upfront with you about what data they’re collecting and what they plan to do with it. No more long, complicated privacy policies filled with legalese — now companies have to explain things in plain English. They also need to get your consent before they can collect or share your data. If a company wants to use your browsing history to target ads, they’ll have to ask you first. If an app wants access to your location or contacts, they need to clearly explain why they need that data and get your OK. This is a big win for consumers who want more transparency and control over their personal information in the digital age. The new law puts the power back in your hands.

What Is the Digital Personal Data Protection Act?

The Digital Personal Data Protection Act of 2023 (DPDPA) gives you more control over how companies collect and use your personal information.

What qualifies as Personal Data?

Personal data is anything that can identify you, such as your name, address, email, location data, browsing history, and purchase history. Under the DPDPA, companies need your consent to collect or share this information.

How does Consent Work?

Companies must clearly explain how they’ll use your data and get your permission before collecting or sharing it. You can give broad consent for certain uses like service personalization or targeted ads, or you can choose limited consent and restrict data use. You can withdraw consent at any time.

For example, say you buy a smart speaker. The company asks you to review and approve their privacy policy explaining how they’ll use your voice data to improve their AI. You give limited consent, opting out of data sharing with third parties. A year later, you withdraw consent completely, deleting your data. The company must comply.

What are Your Rights?

You have the right to access your data, correct inaccuracies, delete data, and port data to other companies. You can file complaints with regulators if companies violate the DPDPA.

While the DPDPA adds some extra steps, it gives you reassurance that your personal information is protected. And companies benefit from building trust through transparency and ethical data use. Overall, it’s a step toward data laws that put people first in an increasingly digital world.

Key Data Protection Principles Under the Act

The Digital Personal Data Protection Act establishes key principles around how companies can collect and use your personal data. Here are the main things you need to know:

Consent and Transparency

Companies must obtain your consent before collecting or using your personal data. They have to clearly explain how your data will be used in an easy-to-understand way. You have the right to withdraw your consent at any time.

Purpose Limitation

Your data can only be used for the purpose you gave consent for – nothing more. If a company wants to use your data for a new purpose, they need to obtain your consent again.

Data Minimization

Companies can only collect data that is necessary and relevant for the specified purpose. They must delete your data when it’s no longer needed.

Accuracy

Your data needs to be kept up to date and accurate. You have the right to correct inaccurate personal data.

Storage Limitation

Your data can only be stored for as long as necessary to fulfill the purpose it was collected for. After that, it must be deleted.

Integrity and Confidentiality

Companies must keep your data safe and secure. They need to protect it from unauthorized access, disclosure, use, modification, or deletion.

The Digital Personal Data Protection Act puts you in control of your data. Make sure you understand your rights and the companies’ responsibilities to you. If you ever feel a company is misusing your personal data, don’t hesitate to contact them or file a complaint. Your privacy is worth protecting!

Obtaining Meaningful Consent for Data Collection

The Digital Personal Data Protection Act of 2023 (DPDPA) requires companies to obtain your meaningful consent before collecting and using your personal data. But what exactly does “meaningful consent” mean?

Transparency

Companies must disclose clearly and concisely how they plan to collect and use your data. They can’t bury this information in a lengthy privacy policy that no one reads. The disclosure should explain:

  • What personal data is being collected (location, browsing history, health info, etc.)
  • How the data will be used (targeted ads, product recommendations, research, etc.)
  • Who the data might be shared with (advertisers, analytics providers, subsidiaries, etc.)
  • How you can withdraw your consent at any time.

Affirmative Action

Simply using a service or visiting a website does not imply your consent. Consent requires an affirmative action on your part, like checking a box to opt-in or clicking a button to accept the terms. Pre-selected checkboxes or “dark patterns” that steer you into consenting when you otherwise might not do not meet the affirmative consent requirement.

Reasonable Alternatives

If consent to data collection is required to use a service, companies must provide reasonable alternatives. For example, a social network could offer both an ad-supported version (where data is collected for targeted ads) and an ad-free paid subscription. As long as the alternatives don’t make the service unusable or impractical, this satisfies the DPDPA.

Meaningful consent ensures you understand how your personal data is used and have freely given your permission. Companies seeking your consent should be transparent in their disclosures, require an affirmative opt-in, and provide reasonable alternatives whenever possible. If done right, obtaining meaningful consent builds trust between you and the companies you choose to share your data with.

Examples of Data Collection Requiring Consent

The Digital Personal Data Protection Act requires companies to obtain your consent before collecting and using your personal data in certain ways. Here are a few examples of data collection and use that will require your consent:

Data Sharing

Companies that share your personal data with third parties for purposes beyond providing a service you requested will need to obtain your consent. For example, if an app collects your location data to provide driving directions but wants to share your location history with other companies for advertising, it will need your consent.

Sensitive Data

The collection and use of sensitive personal data like health information, biometric data, or sexual orientation requires explicit consent. If a fitness app wants access to your heart rate and blood pressure readings to provide health insights, it will need to obtain your consent to collect and use that sensitive data.

Automated Decision Making

If a company wants to use your personal data to make automated decisions about you, such as determining your eligibility for a loan or job, it will need to obtain your consent. The company will have to explain how your data will be used to make the automated decision and allow you to opt out.

Sale of Personal Data

Companies that want to sell or rent your personal data to other organizations will need to obtain your consent for the data sale and disclose the types of organizations that may acquire your data. For example, a streaming music service that wants to sell data about your listening habits and preferences to advertising companies would need your consent.

The DPDPA gives you more control and transparency over how companies collect and use your personal data. Make sure you understand how companies intend to use your data before giving your consent. And remember, you can withdraw your consent at any time if you change your mind.

How the Act Empowers Consumers Over Their Data

The Digital Personal Data Protection Act gives you more control over how companies collect and use your personal information. No longer can businesses gather your data without clearly explaining how they intend to use it and getting your consent.

Opting in vs. Opting out

Previously, most companies used an “opt-out” model for data collection. They’d gather your information by default and it was up to you to opt out if you didn’t want them to have it. Now, the Act requires an “opt-in” approach. Companies must obtain your consent before collecting or using your data in any way. They have to clearly explain how they plan to use your information and you get to choose whether or not to opt in.

Right to Access and Delete

You now have the right to know exactly what personal data a company has about you, where they got it from, and who they’ve shared it with. You can also request that companies delete any information they have on you. They must comply with deletion requests unless they have a legitimate reason for keeping the data, like completing a transaction you requested.

Penalties for Violations

If companies violate the Act by improperly collecting or using your personal data, they face significant penalties. Penalties can go up to Rs 250 crores.

The Digital Personal Data Protection Act puts you back in control of your personal information in the digital age. By understanding your rights and using tools like opt-in consent, data access requests, and data deletion requests, you can keep companies accountable and make more informed choices about how your data is used.

Conclusion

So in summary, the Digital Personal Data Protection Act means you’re finally in control of who gets access to your personal information and how it’s used. No more worrying about the privacy policies you sign without reading or wondering where your data might end up. This law puts you in the driver’s seat by requiring explicit consent for companies to collect and share your data. While it may require a little extra effort to opt in to services now, peace of mind that your information is secure and used properly is worth it. The power is now in your hands to shape how the digital world respects your privacy. Use it wisely!


For any query or feedback, please feel free to get in touch with dataprivacy@amlegals.com or mridusha.guha@amlegals.com


 
