Current Data Consent Law

Data collection has become the new norm

All service providers, regardless of whether online or offline collect and use personal data provided to them at the time of obtaining their goods and services. Due to this, the data that is collected, consumed and processed is done so in numerous comprehensive ways. As soon as someone goes online for any work at all, their activity is registered and their search preferences are analysed (including surfing activity on social media) to create a better insight into customer practices.1 This also includes every financial transaction undertake and then correlated while offering deep insight into the personality of the user beyond what the user himself or herself might be aware of.2 It is due to this reason that several countries have implemented comprehensive laws in place to ensure that the use, collection and storage of personal data is subject to transparent methods and with the prior consent of the subject of the data.3

Data privacy framework in India

While India is critiqued to not have a wide ambit of data privacy laws in place, it still has multiple provisions that deal with data privacy, including but not limited to the Contract Act, 18724, the Penal Code, 18605 and most importantly the Information Technology Act, 20006 (amended in 2008)7. However, service providers are not subjected to any sector-specific regulations nor do they have any guidance on what needs to be done for securing data privacy of the information collected from their customers.8 The primary discussion under the Indian legal framework centres around the topic of “consent” and its difference from “informed consent”. There is indeed a lot of difference between the two for the purposes of ensuring right to privacy.9 However, one strong challenge to the process of obtainment of “informed consent” is that there is no adequate privacy notice, and the users are mostly illiterate about the implications of what is required of a privacy notice. Thus, customers often consent to anything under the belief that they are securing their rights.10

Consent fatigue caused by clickwrap consent forms

One of the primary reasons why consumers end up giving their consent without thinking it through is when they are required to go through multiple and unnecessary documents or forms to fill out consent.11 By the time the consumer finishes going through several documents, they are often fatigued and provide their consent out of the sheer necessity of “getting it over with”. This also includes instances where users have to give consent multiple times throughout the day and routine manner. This is also called “clickwrap consent”. Clickwrap consent is when a person provides his consent after experiencing fatigue from repeatedly providing consent over and over again or where he or she is required to undergo a lengthy process to provide consent.12

Clickwrap consent as an exception to valid consent

Even though clickwrap consents are not considered strictly valid in terms of its legality in India, they are still considered adequate for finalising of online contracts which are categorised as “implied contracts”. Implied contracts can be deemed “voidable” if it is proved that the consent form contained onerous fine print clauses which is neither beneficial to the client nor the service provider.13

Under Section 43-A14 of the Information Technology Act, 2008, the requirement of a “contractual consent” forms the basis for obtaining “reasonable security” in finalising a contract. For instance, when an employer obtains a valid employment agreement requiring the disclosure of personal information and right to process it, it is considered a valid consent that overrides the obligations of privacy.15 No matter how big the company, the obtainment of consent cannot be made redundant. Therefore, unless there are certain exceptions under the law (such as the employer-employee agreement), clickwrap consent will be subjected to strict scrutiny.16

Adequacy of the law to address consent fatigue from clickwrap agreements

Currently, there are no laws in India that explicitly discuss or cover clickwrap agreements. However, there are specific provisions that address the legitimacy of such agreements and the legalities surrounding the same. For instance, Section 11 of the Contract Act, 1872 states that people who are not competent to contract cannot be bound by clickwrap agreements and consent is not deemed to be given.17 People who are not competent to contract include minors and those of unsound mind. This is difficult to comprehend since a huge group of people that go online include minors. Despite the fact that Section 11 of the Contract Act, 1872 makes it illegal for enforcing clickwrap agreements entered into by incompetent individuals, there is no discussion on the nature of such agreements to be void or voidable.18 The ambiguity arising out of the absence of any proper statutory provisions regarding consent was discussed in the age-old case of Mohori Bibee v. Dharmodas Ghose19 which laid down the principles pertaining to agreements entered into by minors. The principle laid down was clear, that “agreements by a minor are void, and that Sections 6420 and 6521 of the Contract Act, 1872 do not apply to such agreements because minors are not competent to contract”. Thus, going by this principle, clickwrap agreements signed by minors will be considered invalid.

One of the first discussion pertaining to establishing the legality of a clickwrap agreement through judicial interpretations was in Hotmail Corpn. v. Vans$ Money Pie Inc.22 In Hotmail case23, a customer had allegedly violated the terms of a contract by making changes to e-mails and messages. The resulting changes by the customer was in violation of the Computer Fraud and Abuse Act, 198624 and amounted to a breach of contract under the Contract Act, 1872 deemed as fraud, misrepresentation and trespass of the defendant’s right to privacy. The question of law at hand was whether the customer who had allegedly signed a “clickwrap agreement on the basis of which he was not supposed to make changes to any data” be held valid against him. The Court observed that in this case, clickwrap agreements are indeed valid since, the customer did indeed click on the “I agree” button at the end of the terms and conditions of the clickwrap agreement and that his failure to read the conditions (which in this case were clear and not riddled with ambiguity) cannot deem the agreement void. Thus, the enforceability of a clickwrap agreement also depends on the clarity of the words used in the agreement.25

The Information Technology Act, 2000 (Section 10-A)26 also lays down that, e-contracts cannot be deemed as unenforceable merely because there were created through an online source. This has been upheld by the courts in various discussions on clickwrap agreements in cases such as Trimex International FZE Ltd. v. Vedanta Aluminium Ltd.27, wherein the Supreme Court referred to Hotmail case28 and held that contracts entered into over-emails are valid, provided the terms are clear and unambiguous. Similarly, in CIT v. Gujarat Pipavav Port Ltd.29, the Income Tax Tribunal held that, in cases where on party holds a higher power of negotiation, then the clickwrap agreements will be unenforceable in the absence of necessary requirements to establish a valid contract.30

Thus, the Indian legal regime does not really have a comprehensive or even specific provisions dealing with clickwrap agreements and their validity be decided on a case-by-case basis by the courts on contractual principles.

Improving the existing law to better accommodate consent fatigue from clickwrap agreements

Introducing self-identification requirements.— To mitigate the effects of minors entering into involuntary clickwrap agreements, it has been suggested that age-verification requirements be introduced, and higher restrictions be developed against such contracts. There are several measures that can be taken to ensure that such agreements are not entered into by incompetent individuals, such as the self-identification requirements prior to signing up. Such self-identification or age verification measures can be introduced by prohibiting the engagement of a particular website for those whose age is lesser than that the prescribed minimum age.31 Such provisions can be borrowed from the US Children’s Online Privacy Protection Act, 199832 (COPPA) which explicitly discusses requirements to prevent children from falling prey to such form of contracts arising from clickwrap agreements.33

Introduce amendments to make the consent forms clearer.— The definition of “consent cannot change; however, efforts need to be made to make the obtainment process better. For instance, legislative provisions can be introduced to make the consent form clear such as highlighting the onerous clauses for better visibility of the consumers and making it faster to make a decision.34

The law must take into account the impact of such agreements on ease of doing business.— When introducing new amendments, it is important to keep in mind that the law must be created while keeping the “ease of doing business” in mind. For instance, most contracts do indeed require to be lengthy in order to keeping multiple factors in mind. For the purposes of compliance, the law simply cannot mandate the shortening of any consent obtainment contract. Compliance ought to be facilitated in a more transparent manner and must not be turned into a hurdle that hampers businesses.35

Introducing data trusts to act as an intermediary to the obtainment of consent.— Data intermediaries are those entities through whom data passes through before being used, stored or sold. They can act as an effective instrument for the collection of consent while also monitoring how data is controlled in the industry. They will act as “data trusts” to know how clickwrap agreements are drafted and the nature of data collected through such agreements. They can thus take on the role of co-regulating such data.36

*Jr. Legal Associate at Blancco Technology Group. Author can be reached at: <>.

**Group Legal Counsel at Blancco Technology Group

1. Neelam Rai, “Right to Privacy and Data Protection in the Digital Age — Preservation, Control and Implementation of Laws in India”, (2020) 1 Indian Journal of Law and Justice 115.

2. Neelam Rai, “Right to Privacy and Data Protection in the Digital Age — Preservation, Control and Implementation of Laws in India”, (2020) 1 Indian Journal of Law and Justice 115.

3. Neelam Rai, “Right to Privacy and Data Protection in the Digital Age — Preservation, Control and Implementation of Laws in India”, (2020) 1 Indian Journal of Law and Justice 126.

4. Contract Act, 1872.

5. Penal Code, 1860.

6. Information Technology Act, 2000.

7. Information Technology (Amendment) Act, 2008.

8. González Gonzales, Rosamunde Van Brackel and Paul De Hart (eds.)., “Introduction to Research Handbook on Privacy and Data Protection Law”, Research Handbook on Privacy and Data Protection Law, (Edward Elgar Publishers, 2022) p. 3.

9. Gurpreet Singh Arora, “Beyond Compliance: Best Practices for Ensuring Data Privacy in Data Collection Services”, Damco Solutions (, 16-2-2024).

10. Deborshi Barat, “Yes Means Yes: Managing Consent under India’s New Data Protection Law” (, 20-9-2023).

11. Komal Gupta and G.C. Prasad, “Consent and Privacy Protection” (, 10-8-2017).

12. Komal Gupta and G.C. Prasad, “Consent and Privacy Protection” (, 10-8-2017).

13. Suneeth Katarki, Namita Viswanath and Nikita Hemmige, “Data Protection Framework for India” (, 2020).

14. Information Technology Act, 2000, S. 43-A.

15. The Institution of Engineering and Technology, Standards, Legal & Privacy (, 2018).

16. The Institution of Engineering and Technology, Standards, Legal & Privacy) (, 2018).

17. Contract Act, 1872, S. 11.

18. Komal Gupta and G.C. Prasad, “Consent and Privacy Protection” (, 10-8-2017).

19. 1903 SCC OnLine PC 4.

20. Contract Act, 1872, S. 64.

21. Contract Act, 1872, S. 65.

22. 1998 WL 388389 : 47 USPQ2d (BNA 1020) (ND Cal 1998; Saransh Jauhari, “Though Click-Wraps are Legal, Can Minors Enter Click-Wraps”, (, 25-4-2023).

23. 1998 WL 388389 : 47 USPQ2d (BNA 1020) (ND Cal 1998).

24. Computer Fraud and Abuse Act, 1986.

25. 1998 WL 388389 : 47 USPQ2d (BNA 1020) (ND Cal 1998).

26. Information Technology Act, 2000.

27. (2010) 3 SCC 1.

28. 1998 WL 388389 : 47 USPQ2d (BNA 1020) (ND Cal 1998).

29. ITA No.7823/Mum/2010, decided on 10-2-2017 (ITAT, Mumbai)

30. ITA No. 7823/Mum/2010, decided on 10-2-2017 (ITAT, Mumbai)

31. “India Passes Digital Personal Data Protection Act” (, 22-08-2023).

32. US Children’s Online Privacy Protection Act, 1998.

33. US Children’s Online Privacy Protection Act, 1998.

34. US Children’s Online Privacy Protection Act, 1998.

35. Vijayashankar Na, “Public Consultation on Data Protection Law….Some Points of Discussion-3” (, 2018).

36. Vijayashankar Na, “Public Consultation on Data Protection Law….Some Points of Discussion-3” (, 2018).

Must Watch

maintenance to second wife

bail in false pretext of marriage

right to procreate of convict

Criminology, Penology and Victimology book release

Join the discussion

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.