Legacy Notice & Consent Refresh Module

The Legacy Notice & Consent Refresh Module (LNCRM) allows organizations to identify and update pre-DPDPA consents and bring them into compliance with Section 5(2) of the Digital Personal Data Protection Act, 2023. It ensures Data Principals are re-notified and offered the chance to provide granular consent aligned with current legal requirements.

1. Background: Section 5(2) DPDPA

Section 5(2) requires that for consents given prior to the commencement of the Act:

  • The Data Fiduciary must, as soon as reasonably practicable, provide a new notice informing the Data Principal about:

    • The personal data and the purpose for which it has been processed.
    • The manner in which the Data Principal may exercise her rights.
    • The manner in which complaints can be made to the Data Protection Board of India.
  • Processing may continue until and unless consent is withdrawn by the Data Principal.

This makes a “legacy consent refresh” mechanism essential.

2. Objectives

  • Identify legacy consents collected before DPDPA.
  • Send updated notices and request granular consent where needed.
  • Provide multi-channel delivery (website login, mobile app, email/SMS).
  • Maintain audit records of notices sent and consents refreshed.

3. Core Features

| Feature | Description |
| --- | --- |
| Legacy Consent Discovery | Scan databases to identify all consents collected pre-DPDPA. |
| Granular Consent Requests | Break down purposes and data elements for fresh, specific consent. |
| Notice Delivery Channels | Display notices on website login, in mobile app pop-ups, or push notifications. |
| Consent Refresh | Offer Data Principals the ability to re-affirm or withdraw consent in line with DPDPA. |
| Multi-Language & Accessibility | Provide notices in English and Eighth Schedule languages with WCAG 2.1 compliance. |
| Audit & Reporting | Track notice delivery, user action (accepted/withdrawn), and timestamps for compliance. |

4. Workflow

  1. Identify Legacy Consents

    • Query customer/CRM databases to find consents collected before the Act.
    • Map them to their original purposes and data elements.
  2. Create New Notices

    • Draft updated notices per DPDPA Section 5 requirements.
    • Ensure notices describe data, purpose, and rights clearly.
  3. Deliver Notices

    • Web Notification: Show DPDPA notice upon login.
    • Mobile App: Display in-app notice or push notification.
    • Email/SMS: Optional fallback channel.
  4. Capture Granular Consent

    • Provide checkboxes or toggles per purpose/data element.
    • Allow Data Principal to withdraw any or all consents easily.
  5. Store & Update Records

    • Update consent artefacts in Consent Governance Module.
    • Link old and new consent artefact IDs for traceability.
  6. Audit & Report

    • Generate compliance reports showing notices delivered, consents refreshed, and withdrawals.

5. Data Model Overview

  • Legacy Consent ID – Original consent record identifier.
  • New Consent ID – Refreshed consent record identifier.
  • Notice ID – Updated notice template.
  • Delivery Channel – Web, app, email/SMS.
  • Granular Purposes – Array of new purposes for explicit consent.
  • Status – Re-affirmed, partially withdrawn, or fully withdrawn.
  • Timestamp – When the notice was sent and when the consent action was taken.
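
The sketch below is an added example, not the module's own code. It shows how the fields above can be combined into one audit record that links the legacy and refreshed consent IDs and derives the status from per-purpose choices. All class, function and ID names are hypothetical, the cutoff date is a placeholder supplied by the caller, and requiring an explicit decision for every mapped purpose is an assumption of this example.

```python
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone

CHANNELS = {"web", "app", "email", "sms"}  # delivery channels from the data model

@dataclass(frozen=True)
class LegacyConsent:
    legacy_consent_id: str
    collected_at: datetime
    purposes: tuple  # purposes the original consent was mapped to

@dataclass(frozen=True)
class RefreshRecord:
    legacy_consent_id: str   # link back to the original artefact
    new_consent_id: str      # refreshed artefact
    notice_id: str
    delivery_channel: str
    granular_purposes: dict  # purpose -> True (re-affirmed) / False (withdrawn)
    status: str
    notice_sent_at: datetime
    action_at: datetime

def find_legacy(consents, cutoff):
    """Return consents collected before the cutoff (supplied by the caller)."""
    return [c for c in consents if c.collected_at < cutoff]

def refresh(consent, choices, notice_id, channel, sent_at, action_at):
    """Build the audit record for one Data Principal's response to a notice."""
    if channel not in CHANNELS:
        raise ValueError(f"unknown delivery channel: {channel}")
    if not choices or set(choices) != set(consent.purposes):
        raise ValueError("a decision is required for exactly the mapped purposes")
    if action_at < sent_at:
        raise ValueError("consent action cannot precede notice delivery")
    granted = sum(1 for ok in choices.values() if ok)
    if granted == len(choices):
        status = "re-affirmed"
    elif granted == 0:
        status = "fully withdrawn"
    else:
        status = "partially withdrawn"
    return RefreshRecord(consent.legacy_consent_id, f"C-{uuid.uuid4()}", notice_id,
                         channel, dict(choices), status, sent_at, action_at)

# Constructed sample data; the cutoff is a placeholder, not the Act's commencement date.
CUTOFF = datetime(2000, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    LegacyConsent("L-001", datetime(1999, 6, 1, tzinfo=timezone.utc), ("billing", "marketing")),
    LegacyConsent("L-002", datetime(2001, 3, 1, tzinfo=timezone.utc), ("billing",)),
]
```
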

6. Compliance & Accessibility Guidelines

  • Language Options: Provide in English and at least one Eighth Schedule language relevant to the Data Principal.
  • WCAG 2.1 Compliance:
    • High color contrast, scalable fonts, keyboard navigability.
    • Screen reader-friendly text and ARIA attributes.
    • Plain language to ensure understandability.
  • Time Bound Action: Offer Data Principals a defined period to review and respond.

7. Example Implementation Channels

7.1 Website Notification

  • Show modal pop-up when the user logs in.
  • Include notice content, granular checkboxes, and “Accept” / “Withdraw” actions.

7.2 Mobile App Notification

  • Push notification leading to an in-app screen with the updated notice.
  • Allow one-tap consent review and refresh.

7.3 Bulk Refresh

  • Email/SMS link directing users to a secure portal to view and update consent preferences.

Tip: Schedule legacy consent refresh campaigns in phases to avoid overwhelming your systems and to provide adequate support to Data Principals during transition.