Last Updated: Jun 09 2025 | 11:46 PM IST
The government is likely to direct data fiduciaries, such as social media platforms and internet intermediaries, to obtain separate user consent for optional and mandatory services, doing away with the “bundled” consent mechanism, according to people in the know.
The move, expected as part of the administrative rules under the Digital Personal Data Protection (DPDP) Act, would mean that consent management systems must not include options that allow users to agree to all purposes simultaneously. “The idea here is that both the data principal (users) and data fiduciaries are clear about the limitations. A user must know what they are consenting to — whether that consent is for an optional service or a mandatory one — and if they can withdraw it, how long their data will be stored, and so on,” a senior government official told Business Standard.
The rules, which are expected to be published soon by the Ministry of Electronics and Information Technology (Meity), will also require data fiduciaries to maintain detailed metadata records. These must include logs of users’ identification, timestamps of when consent was given, updated or withdrawn, the stated purpose for which consent was provided, and the user’s preferred language, the sources said.
If a user updates consent for any particular tool or service, data fiduciaries will be required to notify the user. The notification must explain the revised scope and purpose of the consent, how it will affect data processing, and why the updated consent is necessary. “Users must also be provided with options that display all active consents they have given since joining the platform, including expiration dates. If a user withdraws consent, the data fiduciary must immediately halt processing of any data linked to that withdrawn consent,” another official said.
However, this right to withdraw consent will not apply to data processing mandated by law, the official clarified.
The upcoming guidelines are also expected to tighten oversight on cookies and behavioural tracking. Websites, apps, and intermediaries that use cookies to monitor user behaviour will have to present clear choices: essential, performance, analytics, and marketing cookies.
Users should also have access to real-time tools allowing them to modify or revoke cookie consent at any time, said one of the officials quoted above.
In addition to consent management, platforms will need to allow users to request access to all data held about them, and to demand correction or deletion where required.
The guidelines, according to the sources, may also propose a mechanism to automatically escalate unresolved user complaints to a designated officer or data protection officer after a defined time period.
India has been trying to come out with a comprehensive regulation to ensure the online safety and privacy of its citizens for nearly 15 years. In 2011, a group of experts under the chairpersonship of former Delhi High Court Chief Justice A P Shah made the first attempt and submitted its report in 2012.
Another expert committee, chaired by retired Supreme Court judge Justice B N Srikrishna, was formed by the IT ministry in 2017 and submitted its report in 2018. The following year, the government introduced the Personal Data Protection (PDP) Bill in the Lok Sabha. However, the Bill was referred to a joint parliamentary committee, which spent two years revising the draft with numerous amendments. The final version, though ready for presentation, was withdrawn by Union Electronics and Information Technology Minister Ashwini Vaishnaw in 2022.
At the time, Vaishnaw said the aim was to introduce a simpler version of the legislation. A year later, the revamped Bill -- now known as the DPDP Act -- passed both Houses of Parliament and was ratified into law shortly afterwards.
Consent matters
Key requirements likely under DPDP Act rules:
Consent must be obtained separately for each specific purpose
Upon withdrawal of consent, user data must be deleted immediately
Consent notices must be clear and concise
Related actions must be recorded in an audit trail for regulatory compliance
Explicit user consent must be sought for non-essential cookies, including those for marketing and analytics