The new regulations may require consent for the current data you hold, or they may only apply to new types of data you're collecting. Is it necessary to re-ask for consent from old customers for all data, or just any new information being collected?
General Rule: Consent for Existing Data
• Under the DPDPA, consent is required for processing personal data, regardless of whether the data was collected before or after the Act came into force.
• If you are continuing to process existing data for the same purpose for which it was originally collected, and the original consent was obtained in compliance with the DPDPA (or equivalent standards), you may not need to re-ask for consent.
• However, if the original consent does not meet the DPDPA’s requirements (e.g., it was not free, specific, informed, and unambiguous), you must re-obtain consent for continued processing.
When to Re-Ask for Consent
You must re-ask for consent in the following scenarios:
• Change in Purpose:
  - If you plan to use the existing data for a new purpose that was not disclosed at the time of collection, you must obtain fresh consent for the new purpose (Section 6(1) of the DPDPA).
• Inadequate Original Consent:
  - If the original consent does not meet the DPDPA’s standards (e.g., it was obtained through pre-ticked boxes or unclear language), you must re-obtain consent.
• Withdrawal of Consent:
  - If a customer has withdrawn consent for certain data processing activities, you must stop processing the data unless you have a valid legal basis (e.g., compliance with a law or contractual obligation).
• Significant Changes in Processing:
  - If there are significant changes in how the data is processed (e.g., sharing with new third parties or using new technologies), you must inform customers and obtain fresh consent.
When Re-Asking for Consent Is Not Required
You do not need to re-ask for consent if:
• The existing data is being processed for the same purpose for which it was originally collected.
• The original consent was obtained in compliance with the DPDPA (or equivalent standards).
• The processing falls under certain legitimate uses under Section 7 of the DPDPA (e.g., legal claims, medical emergencies, or public interest purposes).
Handling New Data Collection
• For new types of data being collected, you must obtain fresh consent in compliance with the DPDPA.
• The consent must be:
  - Free, specific, informed, and unambiguous.
  - Obtained through a clear affirmative action (e.g., ticking a checkbox).
  - Accompanied by a notice explaining the purpose of data processing and the rights of the Data Principal (Section 5(1)).
Example Scenarios
• Scenario 1: Existing Data with Valid Consent:
  - A customer provided consent for their email address to be used for marketing purposes before the DPDPA came into force. The consent was obtained through a clear opt-in mechanism.
  - You do not need to re-ask for consent unless you plan to use the email for a new purpose (e.g., sharing with third parties).
• Scenario 2: Existing Data with Invalid Consent:
  - A customer’s data was collected through a pre-ticked box, which does not meet the DPDPA’s standards for consent.
  - You must re-obtain consent for continued processing of the data.
• Scenario 3: New Data Collection:
  - You plan to collect a new type of data (e.g., location data) for a new purpose (e.g., personalized recommendations).
  - You must obtain fresh consent for the new data and purpose.
Penalties for Non-Compliance
• Failure to obtain valid consent can result in:
  - Monetary penalties of up to ₹250 crore under Section 33 of the DPDPA.
  - Legal action by the Data Principal or the Data Protection Board of India (DPBI).