Consent and its meaning in EU GDPR, CCPA, CPRA and Draft India PDPB 2019

consent and its meaning

Part II

The Article has been contributed by Mr Adhit Kulkarni, Final Year Student, D.E.S Law College, Pune with inputs from Data Secure.

Part II

Draft India PDPB 2019: Yet to be passed into Law

The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Ministry of Electronics and Information Technology on December 11 2019. The bill seeks to provide for protection of personal data of individuals and promotes to establish a Data Protection Authority that can oversee and promote the security and protection of personal data.

The various clauses under which “Consent” is covered in the Draft India PDPB 2019 are:

Chapter II Section 7: Requirement of notice for collection or processing of personal data:

  1. Every data fiduciary shall give to the data principal a notice, at the time of collection of the personal data, or if the data is not collected from the data principal, as soon as reasonably practicable, containing the following information, namely:—
  • the purposes for which the personal data is to be processed;
  • the nature and categories of personal data being collected;

(c) the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable;

(d) the right of the data principal to withdraw his consent, and the procedure for such withdrawal, if the personal data is intended to be processed on the basis of consent;

(e) the basis for such processing, and the consequences of the failure to provide such personal data, if the processing of the personal data is based on the grounds specified in sections 12 to 14;

(f)  the source of such collection, if the personal data is not collected from the data principal;

(g)  the individuals or entities including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable;

(h)  information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable;

(i)  the period for which the personal data shall be retained in terms of section 9 or where such period is not known, the criteria for determining such period;

(j)  the existence of and procedure for the exercise of rights mentioned in Chapter V and any related contact details for the same;

(k)  the procedure for grievance redressal under section 32;

(l)  the existence of a right to file complaints to the Authority;

(m)  where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary under sub-section (5) of section 29; and

(n)  any other information as may be specified by the regulations.

  1. The notice referred to in sub-section (1) shall be clear, concise and easily comprehensible to a reasonable person and in multiple languages where necessary and practicable.
  1. The provisions of sub-section (1) shall not apply where such notice substantially prejudices the purpose of processing of personal data under section 12.

Chapter II Section 11: Consent necessary for processing of personal data.

  1. The personal data shall not be processed, except on the consent given by the data principal at the commencement of its processing.
  1. The consent of the data principal shall not be valid, unless such consent is—

(a) free, having regard to whether it complies with the standard specified under section 14 of the Indian Contract Act, 1872;

(b)  informed, having regard to whether the data principal has been provided with the information required under section 7;

©  specific, having regard to whether the data principal can determine the scope of consent in respect of the purpose of processing;

  • clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context; and
  • capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.
  1. In addition to the provisions contained in sub-section (2), the consent of the data principal in respect of processing of any sensitive personal data shall be explicitly obtained—

(a) after informing him the purpose of, or operation in, processing which is likely to cause significant harm to the data principal;

(b) in clear terms without recourse to inference from conduct in a context; and

after giving him the choice of separately consenting to the purposes of, operations in, the use of different categories of, sensitive personal data relevant to processing.

  1. The provision of any goods or services or the quality thereof, or the performance of any contract, or the enjoyment of any legal right or claim, shall not be made conditional on the consent to the processing of any personal data not necessary for that purpose.
  1. The burden of proof that the consent has been given by the data principal for processing of the personal data under this section shall be on the data fiduciary.
  1. Where the data principal withdraws his consent from the processing of any personal data without any valid reason, all legal consequences for the effects of such withdrawal shall be borne by such data principal.

Chapter III Section 12: Grounds for processing of personal data without consent in certain cases.

  1. Notwithstanding anything contained in section 11, the personal data may be processed if such processing is necessary,—

(a) for the performance of any function of the State authorised by law for—

     (i)    the provision of any service or benefit to the data principal from the State; or

     (ii)   the issuance of any certification, licence or permit for any action or activity of the data principal by the State;

  • under any law for the time being in force made by the Parliament or any State Legislature; or

(c)for compliance with any order or judgment of any Court or Tribunal in India;

(d) to respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal or any other individual;

(e) to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health; or

(f) to undertake any measure to ensure safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order.

Chapter V Section 21: General conditions for the exercise of rights of Data Principal

(1)  The data principal, for exercising any right under this Chapter, except the right under section 20, shall make a request in writing to the data fiduciary either directly or through a consent manager with the necessary information as regard to his identity, and the data fiduciary shall acknowledge the receipt of such request within such period as may be specified by regulations. 

Chapter VI Section 23. Transparency in processing of personal data.

 (3)      The data principal may give or withdraw his consent to the data fiduciary through a consent manager.

(4)      Where the data principal gives or withdraws consent to the data fiduciary through a consent manager, such consent or its withdrawal shall be deemed to have been communicated directly by the data principal.

(5)      The consent manager under sub-section (3), shall be registered with the Authority in such manner and subject to such technical, operational, financial and other conditions as may be specified by regulations.

Explanation.—For the purposes of this section, a “consent manager” is a data fiduciary which enables a data principal to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform.

Kindly read more at India Draft Personal Data Protection Bill 2019 – DATA SECURE


EU General Data Protection Regulation:

  1. The GDPR does not offer for any exception for a controller that isn’t conscious that it offers services to a minor. It isn’t clear whether or not the consent requirement will observe if the child’s non-public information is unintentionally accumulated on-line. while any data is addressed specially to a child, controllers need to take appropriate measures to offer information referring to processing in a concise, obvious, intelligible and easily accessible form, the use of clean and undeniable language, that the kid can without problems apprehend.
  1. One of the permissible uses of special categories of private statistics, apart from on the premise of consent of the facts challenge, is wherein processing is essential for medical or historic research functions on the premise of Union or Member country regulation, which will be proportionate to the intention pursued, admire the essence of the right to statistics protection and offer for appropriate and precise measures to guard the fundamental rights and the pastimes of the information situation.
  1. The GDPR states that records controllers can best technique personal records when there is a criminal floor for it. The legal grounds are: consent, or while processing is important for;
  • the overall performance of a contract which the statistics issue is a part of with the intention to take steps on the request of the statistics problem prior to the getting into a settlement;
  • compliance with criminal duties to which the records controller is concern;
  • to defend the crucial hobby of the information subject or of every other natural person;
  • overall performance finished inside the public hobby or in the legitimate authority vested inside the facts controller; or
  • for the legitimate interest of the records controller whilst this doesn’t override the essential rights of the information concern. further permissible uses are provided for the processing of unique categories of personal facts below Article 9(2). As a standard rule, the processing of special classes of personal facts is confined until an exemption applies.
  1. The GDPR additionally states that information on the following ought to be furnished to individuals:

(i)       identity of the controller

(ii)      contact info of the information officer

(iii)      the legitimate interest of the controller

(iv)     the recipients or classes of personal information

  • information retention duration
  • the facility to withdraw consent at any time
  • the facility to raise a grievance with a supervisory authority.
  • whilst information is important for the performance of an agreement, the feasible consequences of now not doing so should also be soecifically mentioned
  • the lifestyles of automatic decision-making together with profiling, consisting of the logic involved and consequences of such processing.

California Consumer Privacy Act (CCPA):

The CCPA is specifically meant for business purposes only and is geographically bound to California state in USA.

The salient points of CCPA are as follows:

  • The CCPA provides for an exception for businesses that did not have actual knowledge of a child’s age.
  • Undertaking internal research for technological development and demonstration is considered a “business purpose.” Where a service provider uses personal information of a consumer because it is necessary to perform a business purpose, such use is not considered “selling,” and therefore consumers presumably cannot opt out of it. The CCPA excludes clinical trials from its scope of application.
  • The CCPA does not list the legal grounds on the basis of which businesses can collect and sell personal information. It only provides that businesses must obtain the consent of consumers when they enter into a scheme that gives financial incentives on the basis of the personal information provided.
  • The CCPA also states that information on the following must be provided to individuals:
  1. the categories of personal information collected/sold/disclosed for business purposes in the previous 12 months; and
  1. alternatively, if no personal information was sold, that should be written in the privacy policy.

There is a specific requirement that consumers receive “explicit notice” when a third party intends to sell personal information about that consumer that has been sold to the third party by a business. The CCPA specifies that the privacy policy must be updated every 12 months. 

California Privacy Rights Act (CPRA):

The CPRA is an act made through the data protection foundation built as a result of the CCPA. It provides a perspective limited to e-commerce within the privacy sphere. 

According to the Section 14(h) of the CPRA, consent needs to be given, specific, informed, unambiguous.

Consent in the CPRA should be an indication of the wishes of the consumers, or his or her legal guardian, in case of minors, or person who has power of attorney or a person who is acting as a conservator for the consumer.

What does not constitute consent:

  • Hovering over,
  • muting,
  • pausing,
  • closing a given piece of content
  • usage of dark patterns

Section 4 of the CPRA enumerates guidelines for the collection of consumer’s personal information. It mandates that the controller of the consumer’s personal information must inform consumers the following:

  • categories of personal information to be collected and the purposes for which the categories of personal information are collected,
  • categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected,
  • the length of time the business intends to retain each category of personal information,

According to Section 13, companies shall include the following while taking consent:

  • a separate link to the “Do Not Sell or Share My Personal Information” 
  • a separate link to the “Limit the Use of My Sensitive Personal Information” or
  • a single link to both choices, or
  • a statement that the business responds to and abides by opt-out preference signals sent by a platform, technology, or mechanism in:
  • Its online privacy policy or policies if the business has an online privacy policy or policies.
  • Any California-specific description of consumers’ privacy rights.

According to Section 21, the following options are mandatorily to be given to the consumer:

  • a global opt-out from sale and sharing of personal information, including a direction to limit the use of sensitive personal information;
  • a choice to “Limit The Use Of My Sensitive Personal Information”; and
  • a choice titled “Do Not Sell/Do Not Share/Do Not Share My Personal Information for Cross-Context Behavioural Advertising.”


Obtaining, recording, processing consent in lawful manner is becoming the basis of privacy protection around the world.

The Privacy laws are evolving around the world after the EU GDPR came into effect since 25th May 2018.  The entire philosophy of privacy is build upon valid and  “Informed Consent” either of the Data Subject or the Data Principal (as mentioned in Draft India PDPB).  However, there are considerable unforeseen situations where obtaining valid or informed Consent is not the sole criteria for processing the information.  This has been amply demonstrated in various clauses of where consent is not required in EU GDPR, CCPA, CPRA and Draft India PDPB 2019.

We understand that a structural approach for documenting and processing the valid and informed consent has been defined/is being defined by various laws for which the foundation is laid by EU GDPR.  However, CCPA and CPRA goes a step further and have inserted in a clause where the Data Subject can choose to not see their personal information.  Both of them have incorporated a clause that says “Do Not Sell/Share My Personal Information” thus paving the way to give back the power of decision making back to the user or the Data Subjects.

The objective of comparing various kinds of consent clauses as defined in EU GDPR, CCPA, CPRA and Draft India PDPB 2019 is to understand how consent is being made the central theme of various privacy laws in order to safeguard and secure the personal information of the users so that it is less and less misused and abused in the digital world. 

We at Data Secure(  can help you to understand Privacy and Trust while dealing with data and provide Privacy Training and Awareness sessions to improve upon the knowledge of Privacy what you already know.

For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA, CPRA or Draft India PDPB 2019 and Secure Email transmission, kindly write to us at

For downloading various Global Privacy Laws kindly visit the Resources page in DATA SECURE – Privacy Automation Solution


Leave a Reply

Your email address will not be published. Required fields are marked *