The Role of Consent Managers Under the Digital Personal Data Protection Act (DPDPA) and the proposed DPDP Rules, 2025


The Digital Personal Data Protection Act (DPDPA) in India introduces the concept of consent managers, designed to give individuals greater control over their personal data. These entities act as intermediaries, enabling users to manage their data consent easily, securely, and transparently. Here’s a simplified overview of their roles, responsibilities, and regulatory requirements.

A consent manager is a proposed registered entity that helps individuals, known as data principals, manage their consent for processing personal data. They ensure that people can give, withdraw, or review consent for sharing their personal data with businesses (data fiduciaries) through secure, user-friendly platforms like websites or apps.

Consent managers are part of a broader effort to streamline data privacy and prevent misuse of personal data. The idea originated in the Srikrishna Committee Report (2017) and builds upon successful models already implemented in India’s financial and health sectors.

1. How They Work

Consent managers operate as a bridge between:

  • Data Principals: Individuals whose data is being shared.
  • Data Fiduciaries: Organizations that store the data, like banks or e-commerce platforms.
  • Data Requesters: Entities seeking access to the data, such as advertisers.

For example, if an FMCG brand requests access to your personal data from an e-commerce platform to run a sales promotion campaign, a consent manager ensures that only the data you've agreed to share is shared, and shared securely, without the consent manager itself viewing or storing your personal data.

2. Conditions for Registration

Consent managers must meet strict criteria, as outlined in Schedule 1 of the proposed DPDPA Rules:

  • Be incorporated in India.
  • Have a minimum net worth of ₹2 crore.
  • Possess strong technical, financial, and operational capacity.
  • Maintain sound management with directors and personnel of integrity and fairness.
  • Operate in the interest of data principals, ensuring privacy and security.

3. Obligations

Once registered, consent managers must:

  • Provide tools to manage, review, and withdraw consent.
  • Maintain a secure, interoperable platform aligned with data protection standards.
  • Avoid conflicts of interest, including with data fiduciaries and their management.
  • Maintain transparency by publishing ownership details and governance structures.
  • Keep records of consents, data-sharing activities, and user communications for at least seven years.

1. Accountability

Consent managers are accountable to data principals and must ensure consent is:

  • Free, specific, informed, and unambiguous.
  • Easy to withdraw at any time.

They must also take strong security measures and avoid conflicts of interest with data fiduciaries.

2. Prohibited Practices

Consent managers cannot:

  • Subcontract or assign their obligations to third parties.
  • Transfer control (e.g., via sale or merger) without prior approval from the Data Protection Board of India.

3. Transparency and Audits

Consent managers must:

  • Publish detailed information about their ownership and governance.
  • Periodically audit their operations to ensure compliance with the DPDPA and report the results to the Board.

Benefits of Consent Managers

  • Empowers Users: People can easily control how their data is shared.
  • Ensures Security: Data-sharing is managed securely, minimizing risks of misuse.
  • Promotes Transparency: Users have access to clear records of their consent and data-sharing activities.
  • Streamlines Compliance: Businesses can rely on consent managers to handle complex privacy regulations.

Conclusion

The introduction of consent managers under the DPDPA marks a significant leap in India’s journey toward a robust and user-centric data privacy framework. These entities not only empower individuals to have greater control over their personal data but also create an environment of trust and accountability between businesses and users. By enforcing strict registration criteria, operational standards, and transparency measures, the DPDPA ensures that consent managers uphold the highest standards of integrity and security. As India progresses in its digital transformation, consent managers will play a pivotal role in fostering a culture of responsible data handling, bridging the gap between innovation and privacy, and setting a global benchmark for data protection.

For further details write to contact@indialaw.in
