‘Notice and consent’ is a predominant requirement in data protection ecosystems. This requirement has been recognized by the Digital Personal Data Protection (DPDP) Act, 2023 in India. However, there are several reasons why the notice and consent framework could operate sub-optimally. These are reasons because of the ecosystem in which such a framework functions. For instance, the standard operational practices falling under the ‘notice and consent’ framework do not offer real choices to individuals, they do not succinctly capture complex data processing, and they do not capture the psychosocial aspects of individual decision-making. These problems are amplified in India, which has high digital illiteracy and low privacy awareness. This article suggests that the forthcoming rules under the DPDP Act are a means to address the operational problems that affect the notice and consent framework in India. The article takes cookies as an example to suggest the norms that are crucial to consider while implementing an optimal framework.
Global Privacy Law Review