Notice As it is - An ode to notices and consent

DPDP Act
By aditya, March 26, 2024
Navigate the essentials of the 'Notice' under the DPDP Act 2023: your guide to data collection with clarity and choice. Learn the crucial role of notice in empowering Data Principals and ensuring informed consent.

Introduction to Notice:

As we enter a new world in which personal data is collected with consent, the DPDP Act 2023 highlights the role of the "Notice", which not only guides the Data Principal through the data collection terrain but also gives them comprehensive information on the 'why,' 'how,' and 'what' of the PII collected from them. Acting as a key orchestrator, the notice reflects the journey the Data Principal is on and displays the relevant data points mapped to processing purposes. This makes it easy for the Data Principal to decide on their preferences and to grant or deny consent, so that the consent given is free, specific, informed, unconditional and unambiguous, with a clear affirmative action.

Why does Notice take center stage?

As per the Act, every request made to the Data Principal must be accompanied or preceded by a notice with the following:

  • The personal data and the specified purpose for which it is proposed to be processed.
  • The manner in which the Data Principal may exercise their rights.
  • The manner in which the Data Principal may make a complaint to the Board.
  • The way to use the grievance redressal system provided by the Data Fiduciary.
  • The notice shall be made available for reading in 22 Indian languages.
  • The Data Protection Board has the power to guide the manner in which the notice can be made available.
  • A notice is to be shared with the Data Principal in the event of any data breach.

Blueprint for Transparency: Sample Notice Structure

[Image: Transparency Blueprint]

In conclusion, the Act highlights the need for transparency and clarity in the notice and calls on the Data Fiduciary to state the specified purpose for which data is collected and processed. The image above is a visualisation of what a DPDP-compliant notice would look like. It starts with information on how the data will be used, stored, and processed in the coming days, followed by a list of data types mapped to the various mandatory/optional purposes of consent. After choosing their preferences, the Data Principal accepts or denies the notice to continue the journey to product/service access. The notice should also be viewable in 22 Indian languages and include links to the privacy policy, terms & conditions, and product details as configured by the Data Fiduciary.

Recognizing and Avoiding Deceptive Practices in Creating and Configuring Notices

A. Obfuscated Opt-Outs: The notice design should not obscure the option to opt out of optional purposes or steer the Data Principal towards unintentional data sharing.

B. Tricky Language and Jargon: Confusing language or legal jargon in notices can mislead users, making it difficult for them to grasp the true implications of data sharing.

C. Hidden Data Collection Points: Concealing data points collected for different purposes under the same purpose block can result in users unknowingly granting access to sensitive information.

D. Difficulty in Revoking Consent: The flow to revoke consent or to re-consent should be made clear, so that consent lifecycle management is truly available to the Data Principal.

E. Nudging Toward Unwanted Disclosure: The notice design should not nudge users toward divulging more information than they initially intended, or otherwise exploit nudging techniques to maximize data collection.
