Consent Manager Experiment in Indian DPDPA: A Critical Analysis
Briefing on the Concept of Consent in Data Privacy
In the domain of Data Protection, the concept of consent has been amplified from a mere contractual formality to a constitutional safeguard, deeply rooted as the core legal principle in the right to privacy, particularly in the scenario of collecting and processing sensitive personal data of an individual.
The DPDP Act reflects this by articulating consent to be collected in a free, specific, and informed manner.1
The recognition of the Right to Privacy in this seminal judgment elevated the protection of privacy to a fundamental right grounded in the dignity of the individual and the freedom to live life to the fullest. This constitutional mandate now underpins all consent requirements in Indian data protection law.
Therefore, the processing of personal information may proceed only when the individual's consent has been obtained as the primary legal basis for the lawful processing of sensitive data. The DPDP Act explicitly enables Data Principals to exercise their consent rights through a registered Consent Manager.2
Role of the Consent Manager under DPDPA
According to the Act, a Consent Manager is a person registered with the Data Protection Board of India (DPBI) whose role revolves around managing and reviewing the consent of the Data Principal. The consent collected must be free, specific, informed, and unambiguous.
Primary Roles and Obligations
- Consent Review & Modification: Allow the data principal to review, modify, and withdraw consent in a clear and accessible manner.
- Consent Validation: Ensure that the consent collected was obtained in a free, specific, informed, and unambiguous manner.
- Easy Withdrawal: Making the withdrawal of consent as simple and frictionless as giving consent.
- Neutral Intermediary: Act as a neutral intermediary between Data Principals and Data Fiduciaries.
- Registration Requirement: Must get registered with the Data Protection Board of India.
- Record Retention: Retention of consent records only for as long as necessary to demonstrate compliance.
Foundational Frameworks Regarding the Consent Manager
To understand the detailed operational guidance of the consent managers in India, we can look through these established frameworks:
1. RBI Account Aggregator Framework
In the financial sector, the RBI has operationalized a consent-based data model by allowing entities with a net owned fund of INR 2 crore to be registered as NBFC-Account Aggregators. They act as intermediaries between FIPs (Financial Information Providers) and FIUs (Financial Information Users) solely on the basis of a consent-based flow of financial data, without storing such data themselves.3
2. NITI Aayog's DEPA Framework
The Data Empowerment and Protection Architecture (DEPA) released by NITI Aayog provides a practical framework for data governance through the appointment of User Consent Managers with the role to manage consent as per digital standards.4
3. Healthcare Sector Guidelines
In the healthcare sector, consent must be collected for a clearly stated purpose related to the service provided, along with:
- An accessible way to refuse the use of data for research without refusing treatment
- Easy revocation mechanisms
- Complete auditability of consent records5
Core Working Principle and Its Exceptions under DPDPA
Consent-based data processing forms the core working principle of the DPDPA, establishing that personal data relating to a Data Principal can only be processed after consent has been freely obtained from that Data Principal.
Legitimate Uses Without Consent (Section 17, DPDPA)
- For the use of personal data to enforce any legal right or claim
- Data processed by courts, tribunals, or statutory bodies for supervisory functions
- Processing for investigation, detection, and prosecution of any offence
- Data processed outside India related to a person based in India
- Data needed for mergers, amalgamations, or demergers
- Processing for ascertaining financial information of defaulters6
This closely resembles the concept of "Deemed Consent" as mentioned in the earlier DPDP Bill. The legitimacy is limited to uses of data directly connected to the conditions of the service, which helps reduce consent fatigue while ensuring smooth and fair continuity of services.7
Global Trends in Consent-Based Frameworks
| Jurisdiction | Framework | Key Features |
|---|---|---|
| European Union | GDPR Consent Management Platforms (CMPs) | Clear consent banners allowing users to accept, reject, or customize consent for specific purposes8 |
| Singapore | Personal Data Protection Act (PDPA) | Clear disclosure, deemed consent, opportunity to object, purpose limitation, data destruction requirements9 |
| Canada | CPPA + PIDPTA | Three-tier consent: Explicit (sensitive data), Implicit (known purposes), Opt-out (presumed consent)10 |
| California, USA | CCPA/CPRA | Consumer rights: Right to Limit, Correct, Delete, Opt-out, Know; Global Privacy Control signals11 |
Regulatory Gaps in the DPDPA Framework
Despite the progressive approach, several regulatory gaps remain:
- Unclear Accountability: The Act does not clearly allocate liability between data fiduciaries and consent managers upon violations of the framework. This regulatory silence creates uncertainty around governance and makes it difficult for data principals to identify which entity to approach for redressal of complaints.
- SME Compliance Burden: The cost of compliance for small businesses and start-ups is often overlooked. The technical and financial capacity required to implement the framework creates entry barriers and discourages innovation.
- Lack of Proportionality Tests: The legitimate uses of information without consent are not subject to a proportionality test, which invites overuse through expansive interpretation of the specified exceptions. This weakens the consent-centric architecture of the DPDPA.
- No Specified Penalties: The absence of a specified penalty for consent managers upon violation creates situations where consent managers may function with limited regulatory discipline.
Conclusion
The role of the consent manager under DPDPA represents an ambitious approach to highlight the core obligation of consent-based processing of information. By introducing this intermediary role, the Act seeks to reduce consent fatigue and enhance the applicability and working systems of data processing.
However, a comparison with global regimes such as the GDPR and the CCPA highlights certain limitations and differences in how consent is managed across frameworks. Therefore, the following need to be addressed:
- Defined liability standards
- Stricter alignment with purpose limitation principles
Ultimately, the effective application of the framework depends not only on digital infrastructure but on meaningful, principle-based enforcement of compliance in this sector.
References & Footnotes
1 Digital Personal Data Protection Act, 2023, § 6 (India).
2 Salma Khan et al., Understanding India's DPDPA Consent Manager, Securiti, https://securiti.ai/india-dpdpa-consent-managers/
3 Master Direction – Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016 (Updated Sept. 06, 2024), RBI/DNBR/2016-17/46, RBI Directions.
4 Data Empowerment and Protection Architecture: A Secure Consent-Based Data Sharing Framework (NITI Aayog, Aug. 2020), NITI Aayog DEPA
5 Healthcare Privacy Guide, Data Security Council of India (DSCI), DSCI Healthcare Guide
6 Digital Personal Data Protection Act, 2023, § 17 (India).
7 Analysis of deemed consent provisions under DPDPA framework.
8 General Data Protection Regulation (GDPR), Articles 6-7 on Consent.
9 Singapore Personal Data Protection Act 2012.
10 Consumer Privacy Protection Act (CPPA) and Personal Information and Data Protection Tribunal Act (PIDPTA), Canada.
11 California Consumer Privacy Act (CCPA), https://oag.ca.gov/privacy/ccpa
