DPDP rules implementation: Demand for consent managers likely to rise

Will maintain log of consents given, denied, or withdrawn

Aashish Aryan, Ajinkya Kawale | New Delhi/Mumbai
Last Updated: Nov 14 2025 | 11:31 PM IST
The newly notified administrative rules under the Digital Personal Data Protection (DPDP) Act are likely to increase both the demand and the role of consent managers that act on behalf of users, according to experts. 
 
The rules, notified on Friday, set out a 12-month deadline for India-incorporated companies with a minimum net worth of ₹20 million to apply to be consent managers. Such companies must register themselves with the Data Protection Board (DPB) and fulfil the obligations mentioned by the board from time to time.
 
The consent manager will be required to maintain a log of the consents given, denied, or withdrawn by the user on its platform. They will also have to keep track of notices sent by data fiduciaries preceding or accompanying requests for consent to process personal data.
 
Such platforms will need to provide users with access to their data at all times. Records of this data will have to be maintained for at least seven years, or an extended period if agreed upon between the platform and the user, or if required by law.
 
These rules are also likely to require a significant overhaul of business operations for such consent management companies, as well as internet and social media intermediaries, as they will need to implement dedicated consent management platforms that must capture consent across all touchpoints, have separate consent mechanisms for each purpose, allow one-click withdrawal functionality, and conduct periodic comprehensive audit logging, as well as have re-consent mechanisms, said Akshayy S Nanda, a partner at law firm Saraf and Partners.
 
“Organisations ultimately face a choice: treat DPDPA compliance as a transformational business initiative requiring executive sponsorship and genuine business process redesign, or attempt incremental adjustments and compliance theatre. Those choosing transformation will successfully navigate the transition. Those attempting incremental compliance will likely face enforcement action, financial penalties, and operational disruption beginning in May 2027,” Nanda said.
 
Consent managers registered with the DPB cannot, at any time during the duration of their operations, sub-contract or assign the performance of any of their obligations under the DPDP Act, according to the rules. These rules also expand the need for roles related to consent managers or data protection officers (DPOs), experts said.
 
“The entire CISO (Chief Information Security Officer) role elevates itself going forward. This is now part of core product integration with a focus on consent and governance rather than just security frameworks,” said Ashok Hariharan, chief executive officer (CEO), IDfy, an identity verification firm. 
 
Going forward, focus will be on training staff on redesigning processes and subsequently implementing applicable themes to the technology and audit functions of entities and their vendors, executives added.
 
Each entity within a company’s group structure will require its own DPO to oversee areas such as consent, data governance, privacy management, third-party risk, breach response, ticketing and legal implications.
 
“The key priority is the whole data governance. If an entity is collecting the PII (personal identifiable information) or any other data, they have to explicitly mention how long this is going to be kept,” said Sandeep Raghuwanshi, head of DevOps & InfoSec at Bureau, a compliance and fraud monitoring platform. 

What the rules say on verifiable parental consent for children

  • All users below the age of 18 to be considered children
  • Ensure verifiable parental consent before processing children’s data
  • Companies must ensure individual identifying as a child’s parent is adult
  • Age, relation to child must be verified through voluntarily provided ID
  • Age of parent, adult related to child can also be verified through Digital Locker
 
