The draft Digital Personal Data Protection Rules, 2025 prioritise individual consent. The DPDP Act, 2023 and the draft rules require fiduciaries, who determine the purpose and means of processing personal data, to obtain clear, affirmative consent from data principals, to whom the data relates, before processing their data. Organisations must implement robust consent management systems (CMS) for the entire consent life cycle. Setting out the expectations of such systems, the Ministry of Electronics and Information Technology recently published a business requirement document (BRD).
A CMS will manage user consents end-to-end. The BRD requires consent to be traceable at all stages including collection, validation, updating, renewal and withdrawal. CMSs should allow data principals to access, monitor and modify consent through digital dashboards. The CMS must, therefore, be accessible, intuitive and accessibility compliant.

Many stakeholders are involved in a CMS. The data principal provides or withdraws consent and the data fiduciary receives and maintains it. Data processors act on behalf of fiduciaries and process data strictly within consent limits. The DPDP regime introduces a new responsible entity, the consent manager (CM), a registered intermediary that facilitates consent transactions between principals and fiduciaries. CMs must be neutral, adhere to security standards and register with the Data Protection Board.
The DPDP regime requires consent to be free, specific, informed and unconditional, and given by clear affirmative action. Consent bundling and ambiguous language are expressly forbidden. Individuals must be informed of the categories of personal data collected, the specific purposes of processing and their legal rights. Notices must be clear and accessible, with support for India’s regional languages to ensure inclusivity and compliance.
The DPDP framework enshrines the principles of purpose limitation and data minimisation. Data may be collected and processed only for purposes for which the user has granted express consent. A CMS ensures these principles are followed by linking consents to specific purposes and blocking unauthorised use.
Revocability and the ease of exercising it are fundamental. The DPDP legislation requires that withdrawing consent be as seamless as granting it. A CMS must allow users to seamlessly revoke their consent and ensure that associated processing ceases immediately. Metadata such as timestamps, purpose ID and user identity must be logged unchangeably for audit. Once consent is withdrawn, the CMS must notify all stakeholders, including internal teams and third-party processors, to immediately stop processing personal data.
The CMS must integrate technical functionality with legal requirements. Consent collection is the capture of explicit user permissions through forms or interfaces, ensuring that no processing begins without affirmative action. Consent validation ensures that data processing aligns with the scope of consents. Prior to data processing, the CMS must check for valid and active consent. The absence of such consent must block processing.
Consent updates and renewals allow users to modify or extend their consents. On a purpose change, the system must notify the user and request updated consent. Users should be reminded to renew to ensure continuous compliance. All changes must be logged with relevant metadata.
Consent withdrawal requires processing to stop and data linked to the withdrawn purpose to be deleted. The CMS must generate withdrawal indicators, log the transaction and change the status in all systems. Users and teams must be informed of the withdrawal.
Additional functions ensure comprehensive compliance. These include cookie consent management and audit logging to record every consent-related transaction unchangeably with a verifiable trail. The system must generate audit logs containing identifiers, timestamps and action types. CMSs are required by statute to provide grievance redress mechanisms to log complaints, assign reference IDs and track resolution.
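The validation gate, withdrawal and audit trail described above can be sketched together as follows. This is an added example, not code from the BRD or the article: the class, method and action names are hypothetical, and hash chaining is one assumed way to make the log verifiable, not a technique the BRD is stated to prescribe.

```python
import hashlib, json

GENESIS = "0" * 64  # constructed anchor value for the first log entry

def _digest(entry):
    # Hash every field except the hash itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentLedger:
    """Hypothetical CMS core: purpose-bound consent state plus a hash-chained log."""
    def __init__(self):
        self.log = []     # append-only audit trail
        self.active = {}  # (principal_id, purpose_id) -> expiry datetime

    def _record(self, principal_id, purpose_id, action, now):
        entry = {"principal_id": principal_id, "purpose_id": purpose_id,
                 "action": action, "timestamp": now.isoformat(),
                 "prev": self.log[-1]["hash"] if self.log else GENESIS}
        entry["hash"] = _digest(entry)
        self.log.append(entry)

    def grant(self, principal_id, purpose_id, expires, now):
        self.active[(principal_id, purpose_id)] = expires
        self._record(principal_id, purpose_id, "GRANT", now)

    def withdraw(self, principal_id, purpose_id, now):
        self.active.pop((principal_id, purpose_id), None)
        self._record(principal_id, purpose_id, "WITHDRAW", now)

    def may_process(self, principal_id, purpose_id, now):
        # Default deny: no consent for this exact purpose, or an expired one, blocks.
        expires = self.active.get((principal_id, purpose_id))
        allowed = expires is not None and now < expires
        self._record(principal_id, purpose_id,
                     "PROCESS_ALLOWED" if allowed else "PROCESS_BLOCKED", now)
        return allowed

    def verify(self):
        # Recompute every link; an edited or removed entry breaks the chain.
        prev = GENESIS
        for entry in self.log:
            if entry["prev"] != prev or entry["hash"] != _digest(entry):
                return False
            prev = entry["hash"]
        return True
```

A chain like this only detects tampering if the latest hash is also kept somewhere the CMS operator cannot rewrite, such as a separate audit store.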
The DPDP Act regards consent as evolving and participatory. Success depends on the effectiveness of CMSs. Well-structured and seamless CMSs are not only regulatory requirements but strategic assets, honouring user autonomy, achieving data governance maturity and bolstering stakeholder trust.
Aman Avinav is a partner at Phoenix Legal
