It is an important principle in data protection that the most appropriate basis for processing personal data be applied, in each circumstance. The Digital Personal Data Protection Act, 2023 (the “Act”) emphasises consent as the principal lawful basis for processing personal data. At first look, this appears privacy-enhancing, helping users control their privacy choices in a granular manner.
However, relying only on consent as a lawful basis could be counterintuitively privacy-limiting, by causing significant consent fatigue for data principals. With the draft Digital Personal Data Protection Rules, 2025 again emphasising specific, standalone notices to obtain consent from data principals, we might well find ourselves inundated with privacy notices.
Fortunately, the Act does allow processing of personal data for certain legitimate uses as well. In this article, we review one of the alternative bases for processing personal data under the Act: voluntary provision of data.
The Act allows data fiduciaries to process the personal data of data principals for certain legitimate uses, including where the data principal has voluntarily provided the data as set out in Section 7(a) of the Act (“Voluntary Provision of Data”).
Certain requirements must be met in order to rely on Voluntary Provision of Data to process personal data:
(i) The data must have been provided voluntarily by the data principal to the data fiduciary;
(ii) Processing must be for the specified purpose for which the personal data was provided; and
(iii) The data principal should not have indicated that they do not consent to the use of their personal data, i.e., they should not have expressly withheld or withdrawn consent to the use of their personal data.
When implementing the Voluntary Provision of Data basis, it is essential to ensure proper communication to the data principal, so they are aware of what personal data provided by them will be processed, how, and for what purpose.
Although this appears to blur the line between seeking express consent and processing of data voluntarily provided, in essence, this requirement ensures transparency needs are met. This can be implemented by adopting contextual data collection with adequate disclosures on the nature of processing in privacy policies and notices.
Data principals should also have the opportunity to decide whether to provide data and communicate any objections. That such options were available with the data principal, who then chose to provide the data, should also be recorded for accountability purposes. While this is relatively easy to achieve where interactions with data principals are on software or mobile applications, processes must be established or adapted to effectively record such details during in-person interactions.
Here are some practical scenarios to aid in understanding the Voluntary Provision of Data basis.
The scenarios given in this article are provided as information only. They do not constitute, nor should they be considered, legal advice.
Scenario A
A company provides cloud solutions through a software-as-a-service (SaaS) model. Users are asked to provide their date of birth while signing up, although it is not mandatory. An explanation is also provided on the input screen, and in the company’s privacy notice, that the date of birth, if provided, is used to authenticate the user in case they forget their login password.
In this scenario, if a user creating an account provides their date of birth, the company may use it for password reset authentication based on the Voluntary Provision of Data legitimate use.
However, the Voluntary Provision of Data legitimate use could not justify the company’s sending communications to the user on their birthday, offering a special discount or promotion. This would not correspond to the specified purpose for which the data principal originally shared their data.
Scenario B
A retail outlet has a practice of requesting shoppers for their phone numbers when checking out their purchases. The cashier informs shoppers that they can choose to provide their phone numbers to receive e-receipts. Customers are also informed that their phone numbers could be used to enroll them for the retail store’s loyalty programme, where they would accumulate points and receive special discounts.
If, having listened to this information, shoppers continue to provide their phone numbers without any specific instructions or preferences, their phone numbers could be used both for receipt delivery and enrollment in the loyalty programme, based on the Voluntary Provision of Data legitimate use. Further, communications on loyalty programme status and requirements could also likely be made as these would also relate to the shop’s delivery and maintenance of the loyalty programme.
However, supposing any customer were to request that their data be used only for receipts, that would amount to their withholding consent for the use of their data for the loyalty programme, which should be respected.
Scenario C
In a scenario similar to the above one, an e-commerce store requests shoppers for their phone numbers while collecting their delivery address. The privacy policy of the store states that phone numbers will be collected for fulfilling order delivery, to send e-receipts, and to enroll customers into the loyalty programme.
The form for collecting delivery details from users includes the phone number. No information is provided to the users in the form that they will receive communications on the loyalty programme, on their mobile phones.
In this scenario, the e-commerce store’s practices likely do not satisfy the requirements of the Act. The context surrounding the information gathering could justify the use of customers’ mobile numbers for delivery logistics; however, the processing of their mobile numbers for the loyalty programme would not be apparent as a purpose of use to customers.
This could be solved by:
Requiring users’ affirmative consent for the use of their mobile numbers for the loyalty programme and related communications, through a checkbox; or
Including specific mention of the loyalty programme elsewhere in the form, and allowing users to enter their mobile numbers there, without making this mandatory.
The Voluntary Provision of Data basis can be helpful and enabling to businesses. While adopting it, businesses should ensure that they have a considered privacy programme that addresses data processing holistically, yet granularly.
In some instances, Voluntary Provision of Data could be the most appropriate basis for processing personal data. Yet, as demonstrated above, some changes might be needed to business practices, or the privacy notice, in order to enable its application. Further, adequate records to support its application must be maintained.
This is where expert data protection counsel, coupled with technical, operational and strategic expertise from the business, can enable businesses to reap strategic and competitive advantages from increased customer trust with reduced customer friction.
About the author: Harini Sudersan is a Partner at Poovayya & Co.
If you would like your Deals, Columns, Press Releases to be published on Bar & Bench, please fill in the form available here.