• Data Protection Officers (DPOs) are key to navigating India’s Digital Personal Data Protection (DPDP) Act, 2023—particularly in distinguishing between informed and deemed consent. Mistaking one for the other can cause compliance lapses, reputational damage, and fines.
• This article dissects legal definitions, thresholds, sector-specific uses, and implementable lessons for DPOs to ensure you get your consent practice right from the beginning.

1. What Is Informed Consent vs Deemed Consent?

The DPDP Act provides two forms of consent that are used for different reasons. DPOs need to understand these differences to facilitate legal processing.

Informed Consent:

• Needs the clear, express, and knowledgeable action of the user.
• The user needs to know why data is being collected, what data, and how it will be utilized.
• Express notification and agreement are required.

Deemed Consent:

• This is when consent is tacit in a person's behavior or context.
• The Act identifies certain exceptions where consent is not expressly obtained but taken to be reasonably expected.

Important Takeaways for DPOs:

• Never presume one to be substituted for the other.
• Record both forms in detail.
• Fit usage with well-defined Section 7 of the DPDP Act (in case of deemed consent).

2. Legal Thresholds for Informed Consent: What Must Be Present?

Informed consent is not simply a box to check. It's a legal mandate under Section 6 of the DPDP Act and must be up to standard.

Checklist for Valid Informed Consent:

1. Notice should be clear, transparent, and in more than one language if needed.
2. Purpose Limitation: Data collection is allowed for only data required for the specified purpose.
3. Revocability: Users should be given the facility to withdraw consent at any moment.
4. Granular Control: Enable selection of unique data points for which consent has been provided.
5. Proof of Consent: Keep timestamped electronic records to prove lawful processing.

"Think of informed consent as a contract. If it's not clear, mutual, and revocable, it's not valid."

3. When Does Deemed Consent Apply? Contexts You Must Know

Consent deemed is not an escape clause—it's a lenitively defined rule. Abusing it can boomerang legally and ethically.

Authorized Situations under DPDP (Section 7):

• Medical Crisis: To save lives or for healthcare.
• Legal Obligations: To meet the requirements of a court order or legislation.
• Work Environments: If data processing is reasonably anticipated as a part of an employment.
• Public Interest: For government activity or public safety.

DPO Actionable

• Don't generalize; use deemed consent only where the law authorizes.
• Keep records documenting its use.
• Give post-processing notifications where necessary.

4. The Risk of Misinterpreting Consent Types

Misclassification isn't a technical mistake—it's a compliance risk. Misinterpreting consent results in:

1. Fines through Data Protection Board adjudication.
2. User distrust and bad brand perception.
3. Regulatory audits and possible suspension of data activities.

Common Pitfalls:

• Assuming pre-filled forms are considered informed consent.
• Applying deemed consent for marketing.
• Not recording the reasoning behind opting for deemed instead of informed consent.

Tip for DPOs:

Develop a consent matrix in your data inventory to cross-reference every data activity with the consent type needed.

5. Consent in Practice: Sectoral Examples

To bring it into action, let's observe how informed vs. deemed consent works in major industries:

Insurance:

• Informed Consent: Undergone while taking health history during onboarding.
• Deemed Consent: During disclosure to reinsurers if necessary for claim validation.

Education:

• Informed Consent: While taking student biometric information.
• Deemed Consent: Disclosing educational scores to accrediting bodies.

Healthcare:

• Informed Consent: For elective procedures and retaining medical history.
• Deemed Consent: In emergency situations where patient consent is not possible.

DPO Tip: Keep context-specific consent templates in each use case.

6. Reporting & Documentation Obligations

Consent is incomplete without documentation and process. DPOs must keep a record of every occurrence of consent—whether informed or presumed.

What You Have to Report:

• Data Flow Records with consent type per activity.
• Revocation Logs – When and why the consent was revoked.
• Audit Trails – Who obtained consent, when, and how.
• Notices Sent – Particularly when relying on deemed consent.

Regulatory Tip:

With Rule 10 of draft DPDP rules, entities could be required to prove compliance at short notice—maintain data processing records readily available and audit-compliant.

7. Final Thoughts: How DPOs Can Get Consent Right

• Know the limits—Deemed consent is not an alternative.
• Get your teams trained in dealing with sector-specific consent nuances.
• Leverage technology such as consent management platforms to mechanize records.
• Establish user trust—transparent consent is sound ethics and sound business.