Forms and Consents Still Govern Digital Commerce

That international businesses already largely comply with major data protection regimes such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the United States may indicate an existing culture of high privacy standards. Such familiarity will be tested, however, by India’s enacted but not-yet-in-force Digital Personal Data Protection Act 2023 (DPDPA), whose unique requirements may present additional challenges for companies, particularly in relation to consent management.

Most global data protection laws require businesses to give privacy notices to consumers, informing them of the company’s data collection practices. The DPDPA, however, imposes an additional requirement: a “consent request form”. This raises the question of whether existing privacy notices are sufficient, or whether businesses must implement a separate consent request form.

Globally, approaches to consent vary greatly. The GDPR requires consent to be free, informed, specific and unambiguous, obtained through clear affirmative action and subject to unrestricted withdrawal. The CCPA is opt-out based. It allows consumers to restrict the sale of their personal data, with opt-in required only for sensitive information or data relating to minors. Both regimes provide grounds for processing data without consent. The DPDPA adopts a markedly different stance by making affirmative consent the primary legal basis for processing personal data in India, with limited exceptions.