The voluntary provision of personal data through registration forms, account creation interfaces, and onboarding workflows occupies a difficult interpretive space under the Digital Personal Data Protection Act, 2023 (the “DPDP Act“). In most digital interactions, a data principal actively enters personal information into a platform’s interface and submits it in order to access a service. At the same time, the information required is typically specified by the data fiduciary and requested for through a structured form before the user can proceed.
Instances like these raise an important question under the DPDP Act: whether the provision of such personal data can truly be regarded as “voluntary” when the data fiduciary has designed the process of data collection and determined the information required? The answer matters because Section 7(a) permits processing without formal consent where the data principal has voluntarily provided personal data for a specified purpose and has not indicated that they do not consent to its use for that purpose.
Section 7(a) and its relationship with Section 6
Section 7(a) recognises one of the DPDP Act’s “legitimate uses” of personal data. It allows a data fiduciary to process personal data for the specified purpose for which the data principal has voluntarily provided that data, provided the data principal has not indicated that they do not consent to such use. By contrast, Section 6 contemplates a formal consent framework in which processing is grounded in notice and an explicit indication of consent.
The distinction may be stated simply. Section 6 applies where the data fiduciary seeks to rely on consent as the legal basis for processing. Section 7(a), on the other hand, operates where personal data is voluntarily provided in the course of an interaction initiated for a specified purpose, and the data principal has not objected to that use. The provision is therefore best understood as a narrow alternative ground for processing, not as a substitute for the consent architecture of the DPDP Act.
The interpretive challenge lies in identifying which instances of data collection qualify as “voluntary provision”. The text of Section 7(a) does not expressly state whether the provision must be wholly unprompted, or whether it is sufficient that the data principal initiates the interaction in the course of which the data is provided.
The Initiation Test
A useful way to analyse this question is through what may be described as an “initiation test”, a concept that has been adopted in several jurisdictions to distinguish between the voluntary provision of personal data and the consensual collection of personal data. In this approach, the key inquiry is not merely who physically enters or transmits the data, but who initiates the interaction that necessitates the processing. Where the data principal approaches a platform or organisation seeking a service, benefit, or transaction, and provides the information necessary for that purpose, the processing may reasonably fall within Section 7(a). In such cases, the provision of personal data is incidental to obtaining the requested service.
For example, where an individual registers on an e-commerce platform, submits their name and delivery address to place an order, or provides contact details to receive a quotation, the interaction has been initiated by the individual. Processing the information for fulfilment of the requested service appears consistent with the rationale underlying Section 7(a). By contrast, where a data fiduciary initiates the interaction and seeks personal information for its own purposes, reliance on Section 7(a) becomes more difficult. If a company reaches out to individuals through marketing campaigns and requests personal information for profiling or promotional activities, the interaction is driven by the data fiduciary rather than the data principal.
A possible objection is that a structured registration form may leave the user with no meaningful practical choice if access to the service is conditional on submission of the requested data. On that view, the data may not appear truly “voluntary” in any substantive sense. That concern is important, but it is better addressed through limits of purpose, necessity, and fairness rather than by treating every user-initiated registration flow as falling outside the scope of the exception carved out by Section 7(a). If every response to a platform’s standard registration prompt were excluded from the scope of voluntary provision, Section 7(a) would become unduly narrow while Section 6 would risk swallowing ordinary service interactions entirely.
Limits of the exception created by Section 7(a)
Section 7(a) is not a blanket exemption from consent requirements. It permits processing only for the “specified purpose” connected to the voluntary provision of the data. Accordingly, where a data principal provides personal data to register on a platform or application, the data fiduciary may process that data for activities necessary to create and maintain the account. This may include sharing this data with its data processors in order to carry out this specific purpose. However, the same information cannot automatically be repurposed for unrelated activities such as behavioural advertising, extensive profiling, or disclosure to third parties.
The nexus between the purpose for which the personal data was provided and the subsequent processing remains critical. The further a processing activity moves away from that purpose, the weaker the justification under Section 7(a) becomes. In addition, the provision expressly requires that the data principal must not have indicated an unwillingness to permit such use. Any express objection by the individual would undermine reliance on this ground.
Practical implications for platforms and data fiduciaries
For platforms and other data fiduciaries, Section 7(a) may offer a workable basis for processing data required to fulfil a user-requested service, particularly in account creation, transaction fulfilment, and similar user-initiated interactions. However, it should not be treated as a general licence for all downstream uses of the same personal data. Where the intended processing extends to unrelated profiling, cross-context behavioural advertising, or disclosures beyond what is necessary to provide the requested service, reliance on Section 6 consent is likely to be more defensible.
Conclusion
Section 7(a) plays an important role in enabling ordinary digital and commercial interactions without requiring formal consent for every instance of processing. Yet the meaning of “voluntary provision” remains contestable, especially in the context of platform registration flows and onboarding interfaces.
The initiation test offers a useful interpretive framework. Where the data principal initiates the interaction by seeking a service and provides the information necessary to obtain it, the provision of personal data should ordinarily be regarded as voluntary, even if the information is requested through a structured form designed by the data fiduciary. This reading reflects the practical realities of digital services while preserving a meaningful boundary between Section 7(a) and the consent mechanism under Section 6.
This interpretation also sits comfortably with the structure of the DPDP Act. An illustration that has been provided in Section 5 of the Act contemplates a situation in which an individual opens a bank account using the mobile app or website of the bank. In order to complete the Know-Your-Customer requirements that are required under law for opening of bank account, the customer opts for processing of personal data to complete a live video-based customer identification process. In such as case, the bank must accompany or precede its request for personal data with a notice describing the personal data and the purpose of processing. While the illustration does not directly concern Section 7(a), it reflects a legislative understanding that personal data may be both requested by a service provider and voluntarily furnished by an individual in the course of obtaining a service. The illustration therefore suggests that voluntariness should be understood as agreeing to provide personal data entirely unprompted or unsolicited, regardless of whether any additional personal data is requested for by the data fiduciary during the process of creating such user account.
Accordingly, a data principal who elects to register on a platform, create an account, or access a service may be said to voluntarily provide personal data notwithstanding that the platform specifies the information required and collects it through a structured interface. The decisive questions are whether the request for service was initiated by the data principal and whether the subsequent processing remains confined to the purpose for which the information was provided.
English
Chinese (Simplified)
Japanese