The introduction of the Digital Personal Data Protection Act, 2023 (“DPDPA”) marked a long-awaited step in India’s privacy journey, moving the focus from merely granting rights and imposing obligations on paper towards the real challenge of implementing these standards in practice. To facilitate this transition, the Ministry of Electronics and Information Technology (“MeitY”) has released a Business Requirements Document (“BRD”) for Consent Management Systems (“CMS”), which, although not legally binding, serves as an important reference for building compliant consent management infrastructure across sectors such as e-commerce, healthcare, finance and telecom.
The following sections explore how the key components of the CMS are intended to function in real-world contexts, demonstrating their relevance and application across different domains.
Consent Collection
Central to the reference CMS framework is the requirement that user consent be free, specific, informed, unconditional and unbundled, collected for each distinct purpose before any personal data is processed and clearly associated with the data principal’s identity. In sectors where consent is repeatedly required for numerous and varied purposes, such as e-commerce, this means that platforms must explicitly request and receive consent before personalizing user experiences or engaging in retargeting advertisements. For instance, the CMS interface could be used to seek the customer’s consent to use their purchase history and/or browsing data to enable personalized recommendations for that customer. Ideally, this consent must be unbundled from the overall terms of service and must clearly describe the intended use of each type of personal data collected.
Validating Consent
The CMS could also assist with validating the authenticity and specificity of consent, ensuring that it is always the result of an affirmative action by the user, as opposed to pre-checked boxes, and that it is always traceable back to its stated purpose. In the healthcare sector, for instance, companies that handle health data must capture consent separately for different purposes such as identity verification, diagnostics, data sharing, or marketing. The consent so obtained must be individually tagged by purpose and authenticated before any processing, ensuring that data collected for one purpose cannot then be reused for another without obtaining separate, fresh consent. A real-life illustration would be a telemedicine application which collects data such as digital copies of patients’ prescriptions, their Aadhaar, address details and payment details for verifying the identity of a patient or before issuing digital prescriptions. Should the company owning the telemedicine application seek to sell that data to other companies that could use it for targeted advertisements or promotional offers, the CMS would prevent such an action, since the original consent was limited to the purpose of verifying the patient’s identity and/or issuing digital prescriptions. When an attempt is made to use personal data for any purpose other than the one for which consent was originally granted, the CMS would generate a prompt for explicit consent before allowing any other use of the patient’s data.
Updating and Renewing Consent
It is relevant to note that consent under the DPDP Act and the reference CMS framework is not indefinite, as its duration and validity are closely managed. Consent must be renewed not only when its original purpose is modified but also when the data retention period expires, particularly where consent is revoked or as required by sectoral practices. This process is required to be as simple as granting the original consent, with the CMS tracking expiry periods and automating the necessary workflows. It is a routinely observed practice in the telecom sector for operators to use customer information such as geolocation data to provide targeted, value-added services to their customers. With the implementation of a CMS based on the BRD reference specifications, attempts by a telecom company to use already collected data for a new purpose can be automatically detected and would prompt the customer to update their consent. Needless to say, unless new consent is granted by the user, further data processing would be denied by the system.
Consent Withdrawal
A salient feature of the CMS is that it recognizes that individuals may want to change their consent decisions after onboarding, and so facilitates easy and centralized withdrawal of consent. For instance, if a customer decides to opt out of sharing their insurance claim history with a partnered wellness platform, the CMS ensures that the revocation is logged and updated both internally and across the relevant partner systems with which consent rights are shared, immediately halting further processing of the user’s data for that particular purpose.
Other Important Features
Beyond the consent lifecycle, the BRD also recommends several operational features to ensure that a CMS remains transparent, secure, and user-centric. These include a user dashboard where individuals can view, modify, or revoke their active, expired, or withdrawn consents, as well as a robust cookie management system where users can manage their preferences for analytics, personalization, or advertisements in real time. Real-time alerts are proposed to be dispatched to all stakeholders whenever a consent event occurs, thereby ensuring awareness and accountability.
The framework further envisions a grievance redressal mechanism, enabling users to file complaints, track progress, and escalate issues where necessary. Administrative tools are also envisioned within the CMS, allowing administrators to designate user roles, manage access permissions and set data retention rules. All actions related to consent are comprehensively logged in a tamper-proof records system, and the relevant metadata must also be recorded to support traceability and legal compliance.
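The lifecycle described above (purpose-bound collection, validation against pre-checked defaults, expiry and renewal, withdrawal, and a tamper-evident audit trail) can be shown concretely in code. The following is an added example written for this article; it is not code from the BRD or from any MeitY reference implementation. It assumes a single-tenant in-memory store, a simplified consent record keyed by (data principal, purpose), and a SHA-256 hash chain standing in for whatever tamper-proof logging mechanism a real CMS would use. The telemedicine scenario from the Validating Consent section is replayed against it: data collected for identity verification is blocked from being used for targeted advertising, an expired consent is denied until renewed, and a withdrawn consent is denied thereafter.

```python
"""Purpose-bound consent gate with a hash-chained audit log (illustrative, not the BRD's design)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first audit entry


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str                 # consent is tagged to exactly one purpose
    data_categories: frozenset   # which data the principal agreed to for that purpose
    granted_at: datetime
    expires_at: datetime
    withdrawn_at: Optional[datetime] = None

    def status(self, now: datetime) -> str:
        if self.withdrawn_at is not None and now >= self.withdrawn_at:
            return "withdrawn"
        if now >= self.expires_at:
            return "expired"
        return "active"


class ConsentManager:
    def __init__(self) -> None:
        self._records: dict[tuple[str, str], ConsentRecord] = {}
        self._log: list[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()

    def _append_log(self, event: str, **details) -> None:
        # Each entry commits to the previous entry's hash, so editing or deleting
        # any earlier entry breaks every hash that follows it.
        prev = self._log[-1]["hash"] if self._log else GENESIS
        entry = {"event": event, "prev": prev, **details}
        entry["hash"] = self._digest(entry)
        self._log.append(entry)

    def grant(self, principal_id, purpose, categories, now, validity_days, affirmative_action):
        # Consent must come from an affirmative act; a pre-checked default is rejected outright.
        if not affirmative_action:
            raise ValueError("consent requires an affirmative action by the data principal")
        rec = ConsentRecord(principal_id, purpose, frozenset(categories), now,
                            now + timedelta(days=validity_days))
        self._records[(principal_id, purpose)] = rec
        self._append_log("grant", principal=principal_id, purpose=purpose,
                         categories=sorted(categories), expires_at=rec.expires_at)
        return rec

    def renew(self, principal_id, purpose, now, validity_days, affirmative_action):
        old = self._records[(principal_id, purpose)]  # KeyError if nothing to renew
        return self.grant(principal_id, purpose, old.data_categories, now, validity_days, affirmative_action)

    def withdraw(self, principal_id, purpose, now) -> None:
        self._records[(principal_id, purpose)].withdrawn_at = now
        self._append_log("withdraw", principal=principal_id, purpose=purpose, at=now)

    def check(self, principal_id, purpose, category, now) -> str:
        """Gate every processing attempt; the decision is logged whether allowed or denied."""
        rec = self._records.get((principal_id, purpose))
        if rec is None:
            decision = "DENY:no-consent-for-purpose"
        elif rec.status(now) != "active":
            decision = f"DENY:{rec.status(now)}"
        elif category not in rec.data_categories:
            decision = "DENY:category-not-covered"
        else:
            decision = "ALLOW"
        self._append_log("check", principal=principal_id, purpose=purpose,
                         category=category, decision=decision)
        return decision

    def dashboard(self, principal_id, now) -> dict:
        """What the principal would see: each purpose with its current status."""
        return {p: r.status(now) for (pid, p), r in self._records.items() if pid == principal_id}

    def verify_log(self) -> bool:
        prev = GENESIS
        for entry in self._log:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def run_telemedicine_scenario() -> dict:
    """Constructed scenario mirroring the article's telemedicine example."""
    cms, p = ConsentManager(), "patient-001"   # constructed identifier
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    day = lambda n: t0 + timedelta(days=n)
    out = {}
    try:
        cms.grant(p, "identity_verification", {"aadhaar"}, t0, 30, affirmative_action=False)
        out["prechecked_rejected"] = False
    except ValueError:
        out["prechecked_rejected"] = True
    cms.grant(p, "identity_verification", {"aadhaar", "address", "prescription"}, t0, 30, affirmative_action=True)
    out["verify_aadhaar"] = cms.check(p, "identity_verification", "aadhaar", day(1))
    out["ads_aadhaar"] = cms.check(p, "targeted_advertising", "aadhaar", day(1))
    out["verify_payment"] = cms.check(p, "identity_verification", "payment_details", day(1))
    out["after_expiry"] = cms.check(p, "identity_verification", "aadhaar", day(31))
    cms.renew(p, "identity_verification", day(31), 30, affirmative_action=True)
    out["after_renewal"] = cms.check(p, "identity_verification", "aadhaar", day(32))
    cms.withdraw(p, "identity_verification", day(33))
    out["after_withdrawal"] = cms.check(p, "identity_verification", "aadhaar", day(34))
    out["dashboard"] = cms.dashboard(p, day(34))
    out["log_intact"] = cms.verify_log()
    cms._log[2]["decision"] = "ALLOW"        # simulate someone rewriting a stored denial
    out["log_after_tamper"] = cms.verify_log()
    return out


if __name__ == "__main__":
    for k, v in run_telemedicine_scenario().items():
        print(f"{k}: {v}")
```

The design point worth noting is that the gate is keyed on purpose, not on the principal alone: holding valid consent for identity verification says nothing about advertising, and the check refuses rather than falling through. Expiry and withdrawal are evaluated at check time against the clock passed in, so a renewal is just a fresh grant and a withdrawal takes effect on the very next processing attempt. The hash chain only makes tampering detectable, not impossible; a production system would also need the log anchored somewhere the administrator cannot rewrite.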
Global Prevalence
Consent Management Systems, more commonly referred to as Consent Management Platforms (CMPs) outside India, have been a popular and essential tool employed by companies, especially in jurisdictions where data privacy laws are strict and comprehensive. Owing to this global proliferation and the large penalties imposed under laws such as the EU’s GDPR and Brazil’s LGPD, companies have chosen to err on the side of caution and adopt CMPs into their everyday operations. This signifies not just the convenience they offer but also the importance of committing to air-tight compliance with data privacy laws. In cross-border contexts, by automating workflows and providing real-time user dashboards, notifications and consent analytics, these CMS solutions have therefore already become integral to maintaining customer trust and ensuring legal protection on a global scale.
Conclusion
The CMS framework proposed by MeitY marks a significant shift away from the superficial checkbox-style compliance that is currently prevalent and towards a model where consent is purpose-specific and dynamic, and users’ decisions are enforceable. Even though implementing a CMS as imagined under the BRD is not yet mandatory, its sector-agnostic design offers a comprehensive blueprint for businesses to align their data practices with the core philosophies of the DPDP Act, ensuring that consent management truly becomes a traceable and structured process embedded within the day-to-day operations of all relevant industries.