Consent managers: an Indian solution for managing consent
Naqeeb Ahmed Kazia
IndusLaw, Bengaluru
naqeeb.ahmed@induslaw.com
Saurabh Sinha
IndusLaw, Bengaluru
saurabh.sinha@induslaw.com
Srika Agarwal
IndusLaw, Bengaluru
srika.agarwal@induslaw.com
Introduction
India’s data protection landscape is undergoing a significant transformation with the introduction of the Digital Personal Data Protection Act 2023 (DPDPA). At this stage, the DPDPA is yet to be enforced, and a draft version of the Digital Personal Data Protection Rules 2025 (the ‘Draft Rules’) has been issued by the Ministry of Electronics and Information Technology (MEITY), which is currently subject to stakeholder consultations. Upon implementation, the DPDPA will replace the existing data protection framework encapsulated under certain provisions in the Information Technology Act 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.
The DPDPA draws inspiration from the EU’s General Data Protection Regulation (GDPR) and adopts globally accepted data protection standards, from consent requirements to data principal (referred to as ‘data subjects’ in this article) rights, while introducing certain unique concepts, such as consent managers, ie, intermediaries tasked with managing the consent of data subjects through a streamlined and single-window approach.[1] While the recently released Draft Rules provide some clarity on the roles and responsibilities of consent managers, a comprehensive understanding will only be possible once the final rules according to the DPDPA are issued and notified by the MEITY.
Where it all began
Designating an entity responsible for managing the consent of data subjects was first envisioned in a report issued by an expert committee that was set up by the Government of India in order to evaluate data protection issues and prepare a draft data protection framework for India (the ‘Committee Report’).[2] With the intent to mitigate consent fatigue, the Committee Report contemplated the introduction of a consent dashboard, through which data subjects could maintain a record of their consent, and exercise their rights in relation to the consent provided by them. This was envisaged to be implemented through a two-step process, with the first step being establishing a dashboard at the data fiduciary (referred to as ‘data controller’ in this article) level, with each data controller having a dashboard through which data subjects can manage their consent provided to such data controller, and the second step being to eventually migrate to a data-subject focused dashboard, according to which the dashboard would enable data subjects to manage their consent across multiple data controllers. Such migration was intended to be carried out in a phase-wise manner, ie, either on a sectoral basis or over a certain period of time. The idea behind such a dashboard was for it to store the fact that consent has been provided by a particular data subject, as opposed to the particular data for which such consent was provided.
With its genesis in the Committee Report, consent dashboards came to be codified as ‘consent managers’ in the Personal Data Protection Bill 2019, which was subsequently withdrawn by the Indian government. In its place, the government introduced the DPDPA, within which it retained the consent manager concept, with the intent of providing data subjects with a seamless and interoperable platform to manage their consent.
The role of consent managers
Under the DPDPA, consent managers are required to be registered with the ‘Data Protection Board’ (ie, the national data protection authority). The DPDPA currently prescribes broad roles and responsibilities of consent managers, including accountability to data subjects and the need to resolve grievances of data subjects within certain prescribed timelines. That said, this intermediary model is not new to India and a comparable model exists in the financial sector, called the account aggregator (AA) framework.[3] Based on this framework, AAs are meant to serve as an intermediary for managing consent during such procedures. The objective of the AA framework is to create a common platform that facilitates the seamless and consent-based flow of data between the data subject and financial institutions.
Consent managers, as envisaged under the DPDPA, can be construed to be similar to AAs in the financial sector. Parallels can be drawn with the AA framework to comprehend the potential roles and responsibilities of consent managers. While AAs predominantly deal with data relevant from a financial services standpoint, given that the DPDPA is sector agnostic, consent managers would consequently be sector agnostic as well and would likely manage the consent of data subjects across different sectors. Another similarity with AAs is that of interoperability: given the number of different financial sector entities to whom data may be submitted by data subjects, and entities who may want to utilise such data, to ensure the seamless flow of consent and data, AAs are required to be interoperable. Accordingly, given that consent managers under the DPDPA are expected to be interoperable as well, it is likely that all consent managers will be required to adhere to related obligations in terms of ensuring ease of access and enabling the provision of consent by data subjects. Further, in terms of ensuring security, AAs are required to encrypt data that is transmitted through their systems and are prohibited from storing or processing such data. A similar obligation of ensuring all appropriate security standards and safeguards are adopted is expected to be imposed on consent managers under rules issued pursuant to the DPDPA as well. Additionally, the establishment of the role of consent managers has also been envisaged by Niti Aayog, a think tank set up by the Indian government, which contemplates a similar role to consent managers.[4] It broadly provides for consent managers to hold consent logs and ensure that they are agnostic to the data flowing through them. Similar standards of maintaining logs and being data agnostic may be imposed on consent managers as well, vide rules issued under the DPDPA.
It is also relevant to note that as per the Draft Rules, a consent manager, inter alia, must be a company incorporated in India that has the necessary technical, operational and financial capabilities to fulfil its responsibilities. In addition, a company’s charter documents should contain provisions that ensure compliance with their data protection obligations and the establishment of policies to ensure consistent adherence to the relevant rules. Moreover, the consent management platform must conform to established data protection standards and be independently certified to ensure compliance with the relevant technical and organisational measures.
While insights can be drawn from the AA framework, the standards prescribed by the Niti Aayog, and the Draft Rules, it is expected that once rules pursuant to the DPDPA are finalised, there may be more clarity on the various roles and obligations of consent managers, as well as the thresholds and eligibility required for registration as a consent manager.
Expected impact and challenges
If properly utilised and widely adopted, consent managers will play a pivotal role in shaping India’s data protection regime. They will simplify the onboarding process and provide data subjects with a centralised platform to manage, review and withdraw their consent, eliminating the need to navigate multiple portals. This streamlined approach will be particularly advantageous in sectors like healthcare, finance and e-commerce, where individuals interact with numerous service providers simultaneously. However, given the substantial volume of data being processed, it is essential for consent managers to ensure robust procedures are in place to protect data, maintain neutrality and prevent conflicts of interest. Achieving seamless interoperability across different sectors will also present challenges, as the integration of varying data formats and technical protocols will be required. Further, given that consent managers will act on behalf of data subjects, their role will be distinct from that of data controllers. Accordingly, it remains to be seen whether stringent compliance requirements will be imposed on consent managers as well.
India’s approach, with oversight from the Data Protection Board of India, offers a centralised model distinct from other global frameworks. Despite the potential benefits in regard to enhancing user control and safeguarding personal data, challenges such as security risks, compliance costs and technical integration must be addressed through coordinated efforts, clear standards and continuous collaboration. Ultimately, the framework’s success will depend on the adoption of a balanced approach to operational efficiency, security and regulatory compliance.
[1] Section 2(g) of the Digital Personal Data Protection Act, https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf last accessed on 18 April 2025.
[2] Page 38, J. B.N. Srikrishna’s Report, A Free and Fair Digital Economy, https://prsindia.org/files/bills_acts/bills_parliament/2019/Committee%20Report%20on%20Draft%20Personal%20Data%20Protection%20Bill,%202018_0.pdf last accessed on 18 April 2025.
[3] Master Direction - Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016 issued by the Reserve Bank of India, https://rbidocs.rbi.org.in/rdocs/notification/PDFs/MD46859213614C3046C1BF9B7CF563FF1346.PDF last accessed on 18 April 2025.
[4] Discussion Draft of Data Empowerment And Protection Architecture, Niti Aayog, https://www.niti.gov.in/sites/default/files/2023-03/Data-Empowerment-and-Protection-Architecture-A-Secure-Consent-Based.pdf last accessed on 18 April 2025.