Decrypting India’s Data Protection Regime: Consent Managers
Insight Article, 08 December 2025
Asia Pacific | Tech & AI evolution
This article is the second in our series on India’s new digital personal data protection regime and turns from the enforcement “spine” of the framework, the Data Protection Board of India, to one of its most novel features, viz., Consent Managers.
While the first piece examined how the Board will give the DPDP framework institutional teeth, this article focuses on the intermediaries through which Data Principals are expected, in practice, to give, manage and withdraw consent across multiple services. It explores the statutory concept of Consent Managers under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the accompanying Rules.
What is a Consent Manager?
Under the DPDP framework, a Consent Manager is a registered entity that runs an interoperable platform through which a Data Principal can give, manage, review and withdraw consent to multiple Data Fiduciaries.
Functionally, it relays consent requests from onboarded Data Fiduciaries, records the Data Principal’s choices, and routes both the consent and the underlying data, while ensuring that the content of that data is not readable by the Consent Manager itself.
The user interface is the primary means of service delivery to Data Principals, via a website or app (or both), and is expected to reflect the Consent Manager’s fiduciary role, security safeguards and independence from conflicted Data Fiduciaries.
Interestingly, the DPDP Rules do not presently make it mandatory for Data Fiduciaries to work with Consent Managers. In theory, a company can continue to seek consent directly from users, as long as it complies with the Act’s stringent notice and consent requirements.
Obligations
A Consent Manager registered with the Board is required to:
- Allow Data Principals to give consent for processing of their personal data to a Data Fiduciary, either directly or routed through another Data Fiduciary that holds their data;
- Ensure that personal data being shared or made available through its platform is not readable by the Consent Manager;
- Keep records on its platform of consents given, denied or withdrawn, of the notices that preceded or accompanied those consent requests, and of the sharing of personal data with transferee Data Fiduciaries;
- Give Data Principals access to the aforesaid records on request, and retain them for at least seven years, or longer if agreed with the Data Principal or as required by law;
- Develop and maintain a website or app (or both) as the primary means through which Data Principals can access its services;
- Not sub-contract or assign the performance of any of its statutory obligations under the Act and Rules;
- Take reasonable security safeguards to prevent personal data breaches;
- Act in a fiduciary capacity in relation to the Data Principal;
- Avoid conflicts of interest with onboarded Data Fiduciaries, including in relation to their promoters and key managerial personnel, and implement measures to manage any potential or perceived conflicts;
- Publish, in an easily accessible manner on its website/app, details of its promoters, directors, key managerial personnel and senior management, persons holding more than a prescribed percentage of its shareholding, and such other categories of stakeholders as may be specified;
- Maintain effective audit mechanisms to review, monitor, evaluate and report on its technical and organisational controls, systems and procedures, and to report the outcomes of such audits to the Board at prescribed intervals and whenever the Board calls for them; and
- Not transfer control (by sale, merger or otherwise) without prior approval of the Board and without complying with any conditions the Board specifies.
Liability
Once registered, a Consent Manager is directly liable wherever it breaches its own statutory obligations. The Act is clear that a Consent Manager is “accountable to the Data Principal”, and the Board is expressly empowered to inquire into breaches of a Consent Manager’s obligations in relation to a Data Principal’s personal data.
In any incident involving consent or data flows routed through such a platform, the Board is therefore likely to look closely at the Consent Manager’s architecture, records and security posture. If, at the end of an inquiry, the Board finds a significant breach of the Act or Rules by a Consent Manager, it can impose monetary penalties under the Schedule:
- Up to INR 250 crore (approx. USD 27.7 million) for failure to maintain reasonable security safeguards;
- Up to INR 200 crore (approx. USD 22 million) for breach-notification failures and certain children’s-data violations; and
- Up to INR 50 crore (approx. USD 5.5 million) for other contraventions, many of which will capture the detailed obligations described above.
Separately, the Board is empowered, after giving a hearing, first to direct a Consent Manager to cure non-adherence and, where it considers it necessary in the interests of Data Principals, to suspend or cancel its registration and issue protective directions.
Authored by CSL Chambers, New Delhi: Sumeet Lall (Partner, Sumeet.Lall@cslchambers.com) and Nikhil Lal (Legal Director, nikhil.lal@cslchambers.com).
The contents of this document are for informational purposes only and should not be treated as a legal opinion. Should you have any queries relating to the content of this insight piece or require further information, please don’t hesitate to contact us.