The Role of a Consent Management Under the India’s DPDP Act

Sameer Ahirrao -

Consent management is the process of obtaining, managing, and complying with user consent for the collection and use of personal data. It has become increasingly important for businesses of all sizes, as data privacy laws around the world become more stringent.

The consent management empowers individuals by bestowing them with enhanced transparency and control over their personal data which aligns harmoniously with India’s DPDP Act rights of the Data Principles. Consent management can serve as a mechanism for organizations to standardize their consent-related procedures, ensuring congruence with the Act. In scenarios where consent management is not appropriately implemented, there is a potential for organizations to misuse them as a means to manipulate or coerce users into granting consent without a full understanding of the implications. The incorporation of consent management could potentially augment the compliance complexity, possibly creating challenges for organizations to seamlessly integrate, and for users to navigate.

Hence consent is one of the most important element in Data Protection and it is important for you to understand how to provide consent, when to provide consent and how much of consent is required for certain data, data is your right and it is your duty to provide limited data as required for processing and if any data which is not required withdraw consent through consent managers.

To foster a culture of privacy, organizations must adhere to two key principles:

  1. only collect, use, retain, and disclose personal information that is clearly necessary to achieve their goals,
  2. provide comprehensive training to those handling this information regarding the value of privacy protection while implementing monitoring mechanisms to ensure accountability.

A legal basis for processing user data is consent. Section 6 of the Act addresses Affirmative Consent, stipulating that consent must be precise, freely provided, informed, unconditional and unambiguous. In other words, data subjects must understand that their agreement pertains only to the processing of their data for the intended purpose and the specific personal information required for that purpose. Coercion should play no part in this process. Importantly, data principals retain the right to withdraw their consent at any time, with the same ease with which they initially gave it. The withdrawal of consent will not affect the legality of data processing based on prior consent. Organizations must also adhere to the notice requirements outlined in Section 5.

According to Section 5, notice must be provided each time consent is sought, and even if consent was previously granted before August 11, 2023, new notice must be given before processing data. The format for this notification is still under development, likely subject to rulemaking, with the possibility of additional requirements emerging.

Key Roles of Consent Management in India

Under the DPDPA, consent managers will have several critical responsibilities:

  1. Registration and Compliance: Consent managers must register with the Data Protection Authority of India (DPA) and adhere to the data protection principles outlined in the DPDPA.
  2. Consent Collection and Management: Consent managers must enable data subjects to provide granular and informed consent for the processing of their personal data. This includes providing clear and easily understandable information about the purpose of data collection, the types of data being collected, and the parties involved in data processing.
  3. Transparency and Accountability: Consent managers must maintain transparency regarding their data processing practices and provide data subjects with access to their consent records. They must also implement robust security measures to protect personal data from unauthorized access or misuse.
  4. Grievance Redressal: Consent managers must establish effective grievance redressal mechanisms to address any concerns raised by data subjects regarding their consent or data processing practices.

Businesses are required to implement clear and comprehensive notice and consent mechanisms as per the DPDP Act that provide information providers with a detailed understanding of how their data will be used. Consent should be freely given, specific, and informed, aligning with the DPDP Act’s requirements. Once consent is obtained for processing personal data for a specific purpose, businesses need to ensure that the same is not used for any other purpose.

Ardent’s Solution enables “Transparency, Consent, and Preference Management”

Ardent’s TurtleShield CM (Consent Management) automates required user privacy notices, the gathering and management of consent/opt-out privacy preferences, and the operational honoring of preferences by both internal and downstream third-party data sharers.

Key Features of our solutions

Post Cookie Enterprise Consent
  • Under the Digital Personal Data Protection Act (DPDPA) and all other new privacy regulations, user consent is now key to processing private data. TurtleShield CM stores preferences in a secure database, where they are always accessible via API, unlike deprecated “cookie” solutions that store them inside the user’s browser.
  • We refer to TurtleShield CM as “Enterprise Consent” because it uniquely handles the ingestion of private data from every type of touchpoint used by modern enterprises.
  • TurtleShield CM works with native mobile apps, web apps, email, SMS text messaging, voice commands, on IOT devices, and even in physical locations such as retail, hospitality, and sports venues.
  • When audiences include children under 18 age, TurtleShield CM provides a streamlined compliance flow supporting age estimation, identifying parents and guardians, and gathering their consent as required by regulations.
Integration and Setup
  • Privacy regulations require that consent be gathered whenever private data or tracking will be performed. This means that every data ingestion touchpoint must be set up to properly show privacy notices and capture user preferences.
  • TurtleShield CM has been designed to streamline this process, with full technical API documentation and over 20 functional integration examples.
  • For the required consent management dashboards, enterprises can easily integrate TurtleShield CM into existing preference pages or use the generic dashboards provided.
Understandable Privacy Notices
  • TurtleShield CM offers enterprises an extremely friendly and easy-to-understand privacy notice based on the “Nutrition Facts” placards that have been used on food products for 25 years.
  • The text of the notice can be managed by legal or privacy team members without requiring any attention from IT, because TurtleShield CM provides a content management dashboard, supporting notices in many languages, including the 23 required by DPDPA.
  • These notices can be posted in physical locations by using a QR code

Final thoughts

In an era where personal data is frequently exchanged and processed, the DPDP Acts' emphasis on consent as a cornerstone of data protection marks a significant stride in enhancing individuals' privacy rights. By ensuring that individuals play a clear and active role in determining how their data is used, the Act aims to create a safer and more transparent digital environment. Within the DPDPA framework, consent reinforces the notion that personal data primarily belongs to the individuals to whom it pertains.

As the DPDPA takes effect, organizations must adapt their data collection and processing practices to align with the Act's consent requirements. This shift towards greater transparency and individual empowerment signifies a substantial evolution in data protection laws and reflects the growing recognition of the importance of privacy in our digital age.