
Under the Digital Personal Data Protection (DPDP) Act, 2023, the foundational principle governing the processing of personal data is informed and specific consent. Rule 3 establishes the mandatory requirements for a Notice that every Data Fiduciary must provide to a Data Principal before collecting or processing her personal data. This Notice forms the basis of lawful processing and ensures that the Data Principal clearly understands what data is being collected, why it is being collected, and how she may exercise her rights.
The Notice is a pre-consent disclosure, intended to give the Data Principal complete clarity. It must stand independently, meaning it should be understandable on its own without requiring the user to refer to other documents or prior communication. This is a significant shift from traditional privacy practices, where complex privacy policies often obscured essential details.
Rule 3 mandates a transparent, plain-language, user-centric Notice that directly supports the principle of “informed consent” under the DPDP Act.
The rule requires that the Notice include a fair, itemised, and clear disclosure of essential information necessary for informed decision-making. At a minimum, the Notice must include the following elements:
A. Itemised Description of Personal Data
The Data Fiduciary must list the specific categories of personal data that it intends to collect or process. This itemised approach prevents ambiguity and ensures that the Data Principal is aware of the exact information being requested. Examples include:
This rules out the broad, generic statements often used in the past, making data collection highly transparent.
B. Specified Purpose of Processing
The Data Fiduciary must clearly describe:
This aligns with the “purpose limitation” principle—data cannot be collected for vague or unspecified reasons. The purposes must be communicated in plain language and should be specific enough for the Data Principal to evaluate the necessity of sharing her data.
Rule 3 emphasises that Data Principals must have simple, consistent, and easily accessible mechanisms to:
The ease of withdrawing consent must be comparable to the ease with which consent was initially given. This prevents the creation of friction or obstacles that discourage users from withdrawing consent.
To facilitate these rights, the Notice must provide:
This ensures that the Data Principal does not have to search for contact information or navigate complex processes.
The Notice must be:
The simplicity requirement ensures that individuals from diverse backgrounds can understand how their data will be used.
The rule also provides guidance on what an appropriate Notice should contain. An ideal Notice should include:
The rule’s sample format demonstrates how to align operational practices with the statutory requirements, ensuring uniformity across the ecosystem.
Organisations must ensure that:
Non-compliance may result in complaints, investigations, and penalties under the Act.
Conclusion
Rule 3 sets a strong foundation for transparency and fairness in data processing under the DPDP Act. By mandating simple, clear, and accessible Notices, the regulation ensures that Data Principals can meaningfully understand and control how their personal data is handled. For organisations, compliance with Rule 3 is not merely a statutory requirement but a key step in building trust and accountability in their data practices.