How do we handle consent collection for customers who have unsubscribed or deleted their account?


When a user unsubscribes from your service or deletes their account, it often means they no longer wish to interact with your app or have their personal data stored. However, from a legal standpoint, especially under regulations like the DPDP (Data Protection and Privacy) Act, businesses may still be required to handle their data in specific ways, even after these users have left.

Imagine a scenario where a customer named Shweta used your mobile app for a while, but after some time, she unsubscribed from notifications and eventually deleted her account due to personal reasons. Now, as per the new data privacy rules, your company is required to collect consent from users for certain data uses, but Shweta is no longer active on your platform. In this case, what do you do?

Legally, if Shweta has unsubscribed or deleted her account, she has effectively withdrawn her active consent for your service to continue using her data. That means you should no longer process her data unless there’s a valid reason, like fulfilling a contractual obligation or complying with a legal requirement. Under the DPDP Act, her data should be handled according to her wishes, and you shouldn’t continue processing it unless she gives new, informed consent.

1 Answer
1. Understand the Status of the Customer
   • Unsubscribed: The customer has opted out of receiving communications (e.g., marketing emails) but may still have an active account.
   • Deleted Account: The customer has explicitly requested the deletion of their account and all associated data.

2. For Unsubscribed Customers
   • Stop Processing for Marketing Purposes:
     o If the customer has unsubscribed, you must immediately stop using their personal data for marketing or any other purpose for which they have withdrawn consent.
     o This is in line with Section 6(6) of the DPDPA, which requires Data Fiduciaries (DFs) to cease processing personal data upon withdrawal of consent.
   • Retain Necessary Data:
     o You may retain the customer’s data if it is necessary for legal compliance (e.g., tax records) or to fulfill a contractual obligation (e.g., processing a refund).
   • Re-consent for New Purposes:
     o If you wish to use the customer’s data for a new purpose (e.g., a new marketing campaign), you must obtain fresh consent in compliance with Section 6(1) of the DPDPA.
     o The consent must be free, specific, informed, and unambiguous, and the customer must take a clear affirmative action (e.g., ticking a checkbox).

3. For Customers Who Have Deleted Their Accounts
   • Erasure of Data:
     o Under Section 8(7) of the DPDPA, if a customer deletes their account, you must erase their personal data unless retention is necessary for:
       - Legal compliance (e.g., tax laws, court orders).
       - Fulfilling a contractual obligation (e.g., processing an ongoing order).
     o The erasure must be done within a reasonable time after the account deletion request.
   • Notify Data Processors:
     o If you have engaged Data Processors, you must ensure they also erase the data unless retention is required by law (Section 8(7)(b)).
   • Record Keeping:
     o Maintain records of account deletion requests and erasures to demonstrate compliance with the DPDPA.

4. Re-engaging Unsubscribed or Deleted Customers
   • For Unsubscribed Customers:
     o If you wish to re-engage an unsubscribed customer, you must obtain fresh consent for any new processing activities.
     o Ensure the consent request is clear and transparent, explaining the purpose of data processing and how the data will be used.
   • For Deleted Customers:
     o If a customer has deleted their account, you cannot use their past data unless they create a new account and provide fresh consent.
     o Any attempt to re-engage must be based on new interactions and new consent.

5. Compliance with DPDPA and Rules
   • Notice Requirements:
     o When collecting consent, provide a clear notice under Section 5(1) of the DPDPA, explaining:
       - The purpose of data processing.
       - The rights of the Data Principal (e.g., withdrawal of consent, erasure).
       - How to file a complaint with the Data Protection Board of India (DPBI).
   • Consent Manager:
     o If you use a Consent Manager (as defined in Section 2(g) of the DPDPA), ensure it is registered with the DPBI and complies with the obligations under Rule 4 of the DPDP Rules.
   • Data Protection Impact Assessment (DPIA):
     o For Significant Data Fiduciaries, conduct a DPIA to assess the risks of re-engaging customers and ensure compliance with the DPDPA.

6. Example Scenarios
   • Scenario 1: Unsubscribed Customer:
     o A customer unsubscribes from marketing emails but retains their account for future purchases.
     o You must stop sending marketing emails but can retain their data for transactional purposes (e.g., order history).
     o To re-engage them for marketing, you must obtain fresh consent.
   • Scenario 2: Deleted Account:
     o A customer deletes their account and requests erasure of their data.
     o You must erase their data unless required by law (e.g., tax records).
     o To re-engage, you must treat them as a new customer and obtain fresh consent.

7. Penalties for Non-Compliance
   • Failure to comply with consent requirements can result in:
     o Monetary penalties of up to ₹250 crore under Section 33 of the DPDPA.
     o Legal action by the Data Principal or the DPBI.