DPDPA and Consent Management

If principles affirm that consent must be central, consent management systems show how it can be achieved in practice. In this piece, we explore why building such systems is far from trivial, and why the technical challenges ahead will be immense.

This article is the third in a series capturing the Digital Personal Data Protection Act (DPDPA) workshop’s key takeaways and deliberations. You can read the first two parts here and here. In this part, we look at consent management.

On November 30, 2024, experts, policymakers, and industry leaders gathered at IIT Bombay for a workshop co-hosted by the Ashank Desai Centre for Policy Studies and IITB Trust Lab, in partnership with the Ministry of Electronics and Information Technology (MeitY) and the Bureau of Indian Standards.

Structured around four key themes (Overview of the Act, Role of Standards, Consent Management, and Data Privacy & Protection), the workshop served as a forum for identifying real-world challenges and for discussing the questions and ambiguities surrounding the Act.

Consent management stands as one of the most formidable challenges in the implementation of the DPDPA, given its foundational role in ensuring data privacy. The Act requires consent to be free, specific, informed, unconditional and unambiguous, and to be withdrawable at any time; meeting that standard demands careful attention to detail in both policy design and technical execution.

A key challenge lies in the vast amounts of legacy data that organisations currently hold. If regulators require organisations to locate every record tied to an individual and to verify or update the consent attached to it, the logistical burden could be immense. Obtaining consent retroactively for such legacy data may prove daunting, especially for organisations with decades of accumulated information.

India’s rich linguistic diversity introduces another layer of complexity. Consent frameworks and mechanisms must cater to individuals across regions, ensuring accessibility and comprehension regardless of linguistic or educational background. Designing systems that can effectively communicate consent terms to all users, while maintaining legal and technical precision, requires significant innovation.

The Role of the Consent Manager

The DPDPA introduces the concept of a Consent Manager: an entity, registered with the Data Protection Board, that acts as a single point of contact through which a Data Principal can give, manage, review and withdraw consent. This is a novel construct with no parallel in existing legislation, which leaves a number of unanswered questions about how it will operate, who will finance its establishment and maintenance, and how it will ensure compliance and mitigate misuse.

Developing an efficient Consent Manager will require collaborative efforts from policymakers, technologists, and industry stakeholders to define its scope and functionality. Given the absence of a reference point in other laws, the implementation of consent management will require both rigorous oversight and flexibility.

Questions

In What Scenarios Can Consent Be Collected?

The law is explicit about when consent is required. Section 6 of the DPDPA sets out the requirements for consent, and Section 7 lists the “legitimate uses” for which personal data may be processed without it, giving clarity to both Data Fiduciaries and Data Principals.

This level of specificity delineates when consent must be obtained and when data can be processed without explicit consent. Participants expressed satisfaction with the clarity the Act provides here and identified no significant ambiguity in these provisions.

A second set of questions concerns the operational and financial models for Consent Managers, which are innovative but untested. At the outset, two approaches seem possible.

Data Fiduciaries could underwrite the cost of operating consent management platforms. This would spare Data Principals a direct charge, but the cost would likely be folded into the services the Data Fiduciaries provide and passed on indirectly to end-users.

Alternatively, Data Principals could independently engage third-party Consent Managers to handle their data-related preferences. This model places the cost directly on Data Principals as an out-of-pocket expense.

The financial dynamics remain significantly ambiguous, and the viability of either model is speculative. The consent management ecosystem is still nascent, and its trajectory will depend on market adoption and technological advances.