On 3rd January 2025, the Ministry of Electronics and Information Technology (“MEITY”) unveiled its much-awaited draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”) seeking public objections and suggestions. These Draft Rules are aimed at operationalizing the provisions of the Digital Personal Data Protection Act, 2023 (“Act”) which was enacted, after considerable iterations, in the year 2023.
A recurring theme emphasized in both the Act and the appurtenant Draft Rules is the obligation of Data Fiduciaries to provide clear and comprehensive notices to Data Principals. This principle of transparent communication, however, is not novel.
The EU’s General Data Protection Regulation (“GDPR”) also provided for “specific”, “informed” consent for a “specific explicit and legitimate purpose”. All of these words and phrases indicate that a communication from the data controller was to be given to the data subject, notifying her of the reasons for which her personal data was to be collected or processed.
The Act and the GDPR both adopted a principle-first approach, allowing businesses considerable flexibility in tailoring privacy policies to their needs. However, the Draft Rules' detailed listing of the key components of the Notice signifies a shift from this principle-first approach to a more implementation-focused approach.
Presently, a combined reading of the Act and the Draft Rules signifies that consent-seeking notices will have to comply with the following requirements:
Under the Act:
The provisions of the Act mandate that every request made to a Data Principal for consent shall be accompanied or preceded by a notice from the Data Fiduciary stating: (i) the personal data and the purpose for which it is proposed to be processed; (ii) the manner in which the Data Principal may withdraw her consent and/or seek grievance redressal; and (iii) the manner in which the Data Principal may make a complaint to the Data Protection Board of India (“Board”).
The Act specifies that the notice requirements apply retrospectively, i.e., also to consent obtained prior to the commencement of the Act. Furthermore, in order to ensure transparency, the Act mandates that the contents of the notice shall be made available in English or any language specified in the Eighth Schedule to the Constitution. The instances in which a Data Fiduciary is exempt from obtaining consent and, therefore, from issuing consent-seeking notices are outlined in Section 7 of the Act. These include, but are not limited to, situations where the Data Principal voluntarily provides her personal data, or where processing is necessary to address a medical emergency that poses a threat to the life or immediate health of the Data Principal or another individual.
The Act, vide Section 33(1) read with the Schedule, specifies that if a Data Fiduciary fails to issue notice to the Data Principal, it may face a penalty of fifty crores.
Under the Draft Rules:
The proposed provisions provide that the consent-seeking notice shall be of the following nature:
- Independently Understandable Notice – The first requirement is that the notice must “be presented and be understandable independently of any other information that has been, is or may be made available by such Data Fiduciary”. This requirement can be divided into the following two parts:
- “independently” – which means that the notice shall be comprehensible on its own, without relying on any additional information which the Data Fiduciary has made or may make available. This presupposes that the earlier practice of interlinking the terms of use or terms of service with the privacy policy will no longer be considered valid. Under the new regime, the notice seeking consent must stand as an independent document.
- “understandable” – which means that the consent seeking notice must clearly articulate the scope, purpose, and manner of data collection and processing, in a way that is easily understood by the Data Principal regardless of her technical knowledge or familiarity with data protection frameworks.
- Clear and Informed Consent – The second requirement is that the notice must “give, in clear and plain language, a fair account of the details necessary to enable the Data Principal to give specific and informed consent for the processing of her personal data…”. To achieve this, the Draft Rules provide a bare minimum structure of the notice which is to include:
- An itemized description of personal data: The notice should explicitly list the categories of personal data being collected, such as name, email address, browsing behaviour, or financial information. Particulars not mentioned in such itemized description cannot be collected. For example, an e-commerce platform that has not mentioned “behavioural personal data” cannot collect information reflecting a Data Principal’s refund tendencies.
- Purpose of processing: The notice must explain why the data is being processed. For instance, if the data is being used to personalize recommendations or improve a service, this purpose should be stated clearly. Additionally, any secondary uses of the data, such as sharing it with third parties for targeted advertising, must be disclosed.
- Goods or services to be enabled: Along with the purpose, the notice should describe the specific goods, services, or functionalities that will result from the data processing. For instance, if the personal data is being collected to facilitate an e-commerce platform’s personalized product recommendations, the notice should explicitly state the same.
- Accessible Communication Links and Mechanisms – The third requirement is that the notice must provide an accessible link to the website or app of the Data Fiduciary, along with descriptions, using which the Data Principal can: (i) withdraw her consent as easily as the consent was initially granted; (ii) exercise her rights under the Act; and (iii) make complaints to the Board.
Key considerations:
While the principles of the notice provisions under the Act and the Draft Rules are straightforward, practical implementation can pose challenges for organizations. A few tips that Data Fiduciaries can consider while drafting their consent-seeking notices and updating their consent management frameworks are as follows:
- Itemization step: At the outset, considering the focus of the Act and the Draft Rules on increasing transparency, Data Fiduciaries will have to go back to the drawing board and, at a minimum, systematically list: (i) the kinds of personal data they require; (ii) the parties, such as data processors, sub-contractors and vendors, having access to the personal data of Data Principals; and (iii) the specific purposes for which the data is being collected and processed. This information will now have to be categorically listed in the consent notices to ensure that the Data Principal gives free, specific and informed consent as mentioned in Section 6(1) of the Act. While one may argue that the Act and/or the Draft Rules remain silent on the inclusion of details relating to data processors and sub-contractors, it is crucial for Data Fiduciaries to be mindful that failing to provide sufficiently detailed notices could expose them to penalties which may extend up to Rupees Fifty crores, as outlined in the Schedule of the Act.
- Balancing Simplicity with Detail: Data Fiduciaries shall ensure that, while drafting their consent-seeking notices, the notices are detailed enough to provide comprehensive information yet concise enough to remain user-friendly. Such notices shall avoid technical terms or legal jargon not used in everyday parlance. Additionally, considering the requirement that the notice be published in multiple languages, Data Fiduciaries shall ensure that the versions in other languages are also clear and concise. Each translated version must maintain the same level of comprehensiveness and clarity as the original, while accounting for linguistic and regional differences that may affect understanding. Achieving this balance requires careful drafting, along with iterative testing across diverse user groups, to ensure clarity and effectiveness.
- Designing for Accessibility: Data Fiduciaries shall ensure that the notices are optimized for accessibility, taking into account Data Principals with disabilities or limited internet access, especially in remote or underserved areas. This might include providing notices in multiple languages, using screen-reader-friendly formats, and ensuring compatibility with low-bandwidth environments. Additionally, the notices should be designed to accommodate various disabilities, such as visual, auditory, or cognitive impairments, by incorporating features like alternative text for images, audio or video descriptions, and easy-to-read layouts.
- Maintaining consistency across channels: The Data Fiduciary should establish a mechanism ensuring that, with every feature update which requires an additional data point to be collected from the Data Principal, the notice presented on the website and/or mobile app is updated accordingly, so that no personal data is collected without the Data Principal’s active consent.
- Ensuring multilingual compliance for notices: To comply with the Act’s requirement of making the contents of the notice available in English and other languages specified in the Eighth Schedule to the Constitution, Data Fiduciaries should beforehand identify and engage qualified individuals or professionals with adequate linguistic proficiency and expertise in translation. These translators must not only possess fluency in the relevant languages but also understand the technical and legal nuances of data protection terminology to ensure accurate and contextually appropriate translations. Furthermore, Data Fiduciaries will also have to establish a review mechanism to verify the quality and consistency of translations, ensuring that the notices effectively communicate the intended message to diverse linguistic audiences.
- Managing existing data and Act-compliant consent notices: In alignment with the Act’s intent to renew consent for personal data obtained by Data Fiduciaries prior to the commencement of the Act, Data Fiduciaries shall begin the process of identifying all Data Principals whose personal data is held by the Data Fiduciary and send them Act-compliant consent-seeking notices. It is possible that some Data Principals may no longer desire to use the services of the Data Fiduciary and may therefore withhold their consent. At that stage, the Data Fiduciary will be required to track and delete the personal data of such Data Principals from its repositories.
Conclusion:
The recent unveiling of the Act and Draft Rules provides clarity on the starting points to draft an Act-compliant consent notice. However, the requirements pose challenges, particularly considering the increased burden placed on Data Fiduciaries in ensuring compliance with these extensive regulations. To ensure compliance with the Act, Data Fiduciaries must start the process of reviewing existing data collection practices, auditing data flows, and ensuring that consent-seeking mechanisms align with the new requirements. Additionally, Data Fiduciaries must begin updating their consent management systems to integrate these new notice requirements, ensuring that all data points and processing purposes are communicated clearly to Data Principals. This proactive approach is essential to mitigate any potential compliance risks, as non-compliance can lead to reputational damage, legal penalties, and loss of trust among users.