C&M E-Alert: Navigating the Digital Personal Data Protection Act, 2023: A Business Guide to Consent Management

The Ministry of Electronics and Information Technology has released a Business Requirement Document for a Consent Management System (“CMS”) under the Digital Personal Data Protection Act, 2023 (“DPDPA”). The document offers a detailed breakdown of the core components of a CMS, including consent lifecycle management, a user dashboard, notifications, and grievance redressal mechanisms. It also outlines administrative capabilities, including user role management and data retention policy configuration to ensure operational efficiency and compliance.

This guide will help your business understand the core requirements of consent management under the DPDPA, ensuring compliance and building trust with your customers.

The DPDPA aims to create a framework for collecting, processing, and storing digital personal data in a way that protects/ safeguards individuals’ privacy rights. DPDPA sets out clear obligations for organizations, collecting and processing personal data and grants specific rights to individuals to protect their personal data. For businesses, DPDPA brings about a significant shift in how personal data is collected, processed, handled, and stored, with a strong emphasis on obtaining clear, informed, affirmative, and unambiguous consent from individuals before processing their personal data. For organizations, non-compliance with DPDPA can result in substantial financial penalties, legal action, and reputational damage.

To navigate the complexities of the DPDPA, businesses need a robust CMS. A CMS is a platform that helps organizations to seamlessly collect, manage and track consent throughout its entire lifecycle from collection, validation to updates, renewals, and withdrawals while maintaining audit readiness.

The primary objectives of a CMS are:

1. Enable Comprehensive Consent Lifecycle Management: Manage the entire journey of consent, ensuring alignment with the DPDPA.

2. Empower Data Principals: Provides individuals with a user-friendly platform to view, manage, and control their data preferences, fostering transparency and trust. CMS ensures individuals are clearly informed about what personal data is being collected, for what purposes, and how it will be used or shared, thereby empowering users to make informed choices about their data.

3. Ensure Compliance: Designs the system to strictly adhere to the DPDPA, including purpose limitation, data minimization, and secure data processing.

4. Audit Trails: Maintains detailed records of consent, making it easy to demonstrate compliance during audits or regulatory investigations.

In summary, implementing a CMS is essential for organizations to transparently and efficiently manage user permissions for data processing.

Understanding the roles of different stakeholders is crucial for effective consent management. The key players in consent management include:

1. Data Principal (“DP”): The individual whose personal data is being collected and processed. The DP’s have the right to grant, review, and withdraw consent at any time through a CM (defined below) or directly with the DF (defined below).

2. Data Fiduciary (“DF”): Any person or entity that determines the purpose and means of processing personal data.

3. Data Processor: A person or entity that processes personal data on behalf of a DF, following their instructions.

4. Consent Manager (“CM”): A registered entity, with the Data Protection Board of India, that acts as an intermediary between DPs and DFs. CMs provide accessible, transparent, and interoperable platforms that allow individuals to give, manage, review, and withdraw their consent for data processing. They must operate in a manner that is fair, transparent, and accountable.

5. Data Protection Officer (“DPO”): A primary compliance authority appointed by a significant DF, overseeing adherence to the DPDPA.

The consent management lifecycle is a series of critical stages/steps that businesses must manage effectively and efficiently:

1. Consent Collection:

This is the initial step where a DF must explicitly collect purpose-specific, free, informed, and unambiguous consent from a DP. Key functional requirements for consent collection are as below:

1. Pre-Condition: The CMS initiates the process of consent collection when a DP initiates a service request, such as registration or service onboarding, that requires personal data collection or processing.

2. User-Friendly Interface: The consent collection interface must be intuitive and accessible, ensuring that users understand the terms of data processing.

3. Purpose-Specific Consent: Consent must be obtained for each distinct purpose (e.g., account creation, marketing, analytics, newsletters, etc.).

4. Granular Consent: Consent should not be bundled up. Users must be able to provide or withhold consent for each purpose separately.

5. Explicit and Affirmative Action: Users must take a clear, affirmative action (e.g., clicking "I Agree”, ticking a checkbox) to provide consent. The default settings should not have pre-ticked checkboxes.

6. Multi-Language Support: Consent notices should be available in English and other languages listed in the Eighth Schedule of the Constitution of India.

7. Consent Metadata Logging: Each consent entry must be logged with metadata such as User ID, timestamp, Purpose ID(s), consent status (granted or denied), and language preference.

2. Consent Validation:

Before processing any personal data, DFs must validate whether the DP has provided

explicit, clear, unambiguous, free, and affirmative consent for that specific purpose. It is

the role of the CM to validate whether the DP has provided explicit and lawful consent

for a specific purpose before the DF processes their personal data. Key functional

requirements for consent validation are as below:

1. Existence and Activity: Verify that consent exists for the given User ID and Purpose ID, and that it is still active (not expired or withdrawn).

2. Metadata Validation: Verify User ID, Purpose ID, timestamp of consent, and consent status.

3. Real-time Response: Consent is not a one-time event. Organizations may need to re-confirm or re-affirm consent when the purpose of data processing changes, the data retention period expires, or regulatory requirements demand periodic re-confirmation. The CMS should send a real-time response to the DF indicating whether the consent is valid or invalid.

4. Ground Rules for Consent Validation:

   1. All consent validation actions must be logged in the CMS for compliance and reporting purposes.

   2. If a valid consent does not exist, the CMS must return an error or deny the processing request, and the user must be notified accordingly.

3. Consent Update:

The DPs have the right to modify their previously granted consent. Businesses/CMS must

enable a seamless process for these updates. CMS must manage consent updates and

track actions. Key functional requirements for consent update are as below:

1. Notification of Changes: Users must be notified when the scope or purpose of processing changes, or when additional purposes are added. Notifications must clearly explain the new purpose/scope, how it affects data processing, and the need for updated consent.

2. Granular Updates: Users should be able to update consent for specific purposes without affecting other previously granted consents.

3. Simplified User Action: The updating process should be as simple and intuitive as the initial consent process.

4. Auditability: All consent updates must be logged with metadata (timestamp, Purpose ID, User ID).

5. Ground Rules for Consent Update:

   1. Consent cannot be assumed. The DP must actively agree to the update.

   2. Updated consent must specify the duration for which it remains valid.

   3. CM to notify all stakeholders (DF and Data Processors) of updated consent status immediately.

4. Consent Renewal:

For time-limited consents, businesses must provide options for DPs to renew their

consent before expiration. It is the responsibility of CMS to manage and track renewal

actions.

Key functional requirements for consent renewal are as below:

1. Timely Notifications: The system should notify the DP when their consent is set to expire, in a timely manner, to provide a seamless renewal process.

2. Simplified Renewal: The renewal process should be as simple and intuitive as the initial consent process.

3. Metadata Logging: Record all renewal metadata, including User ID, timestamp, renewed Purpose IDs, and status.

4. Ground Rules for Consent Renewal:

   1. Renewed consent must include a clear explanation of the changes (e.g., retention policies).

   2. Consent for renewal cannot be assumed. The DP must actively agree to the renewal.

   3. Renewed consent must specify the duration for which it remains valid.

   4. CM to notify all stakeholders (DF and Data Processors) of the renewed consent status immediately.

      
      
   
   

5. Consent Withdrawal:

DPs have the right to withdraw their previously provided consent at any time. This

withdrawal must lead to the immediate cessation of related data processing. It is the duty

of the CM to facilitate the withdrawal process and notify all relevant stakeholders.

Key functional Requirements for consent withdrawal:

1. Ease of Withdrawal: Users must be able to withdraw consent through a user-friendly dashboard, and the process should be as simple as giving consent.

2. Real-Time Processing: Upon withdrawal, all processing activities related to the withdrawn purpose must immediately stop, and internal records must be updated. Downstream systems and third-party processors must also be notified to cease processing.

3. Confirmation to User: The user must be notified immediately upon successful withdrawal, with a confirmation message and information on implications (e.g., loss of specific features).

4. Metadata Logging: Withdrawal metadata (User ID, Purpose ID, timestamp, status updates) must be logged in an immutable audit log.

5. Legal Exceptions: Withdrawal does not apply where data processing is required by law or exempted under the DPDPA.

Upon withdrawal of consent, the DP may also exercise their right to erasure, unless the data is required to be retained for legal purposes.

Beyond the core lifecycle, the DPDPA outlines several other crucial areas:

1. Cookie Consent 

   Organizations using cookies must ensure transparent and user-controlled consent management by providing clear cookie banners informing users about the use of cookies and seek their consent. They should explain the types and purposes of cookies and offer granular choices such as essential, performance, analytics, and marketing cookies. A multi-language cookie policy must be displayed, and user preferences should be set to auto-expire after a defined period.

2. User Dashboard

   A user dashboard is essential to empower DPs. It should allow users to view their consent history, modify, or revoke existing consents, and manage preferences easily. The dashboard must also provide real-time updates and notifications related to consent status and data processing.

3. Consent Notifications

   The CMS must ensure timely communication to all parties involved. Users should be notified via email, SMS, or in-app messages about consent approvals, withdrawals, renewals, and data request updates. Similarly, DFs and Data Processors must receive real-time alerts via secure Application Programming Interfaces (“API[V1] s”) to act on consent changes promptly.

4. Grievance Redressal Mechanism

   A robust system must be in place to handle user complaints about data misuse or rights violations. The CMS should enable easy grievance logging, provide real-time status tracking, and automatically escalate unresolved issues to the DPO for further resolution.

5. System Administration and Logging

   The CMS must support strong administrative controls. This includes managing user roles, configuring data retention policies, and maintaining immutable audit logs for all consent-related actions. The audit logs should be tamper-proof and retained for a minimum duration to demonstrate compliance. These logs ensure transparency and provide records for resolving disputes.

The DPDPA represents a significant step towards a more secure and transparent digital environment in India. For businesses, embracing these consent management requirements is not just about compliance; it's about fostering trust, respecting user privacy, and building a responsible data culture. By implementing a robust CMS and adhering to the guidelines outlined in this document, your business can confidently navigate the new landscape of data protection and thrive in the digital era.

You may also contact the authors below: