ARTICLE
18 July 2025

From Policy To Practice: Decoding Consent Management For Businesses Under The Dpdp Act, 2023

Clasis Law

Contributor

Clasis Law, based in Delhi, is a full-service Indian law firm that is truly international in vision, scope, experience and capability. Being solutions oriented, the firm offers efficient, cost-effective services of the highest quality and prides at providing practical and commercially relevant legal advice, combining specialist legal skills and industry experience, specific to the needs of the client. The firm advises domestic as well as international clients, ranging from Fortune 500 companies to individuals, across industry sectors on all aspects of Indian law.

Introduction

India's data protection regime is undergoing a transformational shift. With the enactment of the Digital Personal Data Protection Act, 2023[1] ("DPDP Act") and the draft Digital Personal Data Protection Rules, 2025 ("Rules"), the country has moved from a fragmented and sector-specific framework to a unified, rights-based legislation focused on digital personal data. This transition brings with it a new set of compliance obligations for businesses. In an effort to operationalise these new mandates and assist businesses in implementing robust consent management systems ("CMS"), the National e-Governance Division of the Ministry of Electronics and Information Technology ("MeitY") recently released the Business Requirement Document for Consent Management under the DPDP Act[2] ("BRD"). This article aims to decode the BRD, exploring the core technicalities it outlines, how it aligns with the broader compliance architecture of the DPDP Act and how it serves as a practical guide for businesses in preparing their systems, processes and governance frameworks for the new data protection era in India.

Consent Management: A Core Compliance Pillar

A cornerstone of the DPDP Act's compliance framework is the requirement for meaningful and verifiable consent. Under the DPDP Act, consent is no longer a procedural formality; it must be free, specific, informed, unambiguous and signified by clear affirmative action[3]. The DPDP Act also obligates Data Fiduciaries[4] to provide Data Principals[5] with purpose-specific notices that explain what data is being collected, the reason for its processing and the rights available to individuals, including the right to withdraw consent at any time through simple, accessible mechanisms[6].

To support this architecture, the DPDP Act introduces Consent Managers[7] (registered entities) that help users manage consents across multiple services through a unified platform. For Data Fiduciaries, this necessitates not only integrating with such managers where required but also ensuring that their internal consent systems are technically interoperable and centred around user control. However, many practical aspects, such as consent artifact structures, real-time validation standards, integration workflows and user experience expectations, remain undefined in the DPDP Act and even in the draft Rules. This is where the BRD steps in as a crucial interpretive and operational tool, offering clarity to businesses on these ambiguous elements.

Mapping Consent Compliance: How the BRD Guides Data Fiduciaries

The BRD serves as a guideline and represents a significant step toward translating the DPDP Act's abstract consent-related obligations into implementable and system-ready procedures. It aims to help Data Fiduciaries bridge compliance gaps through scalable, auditable and user-centric design principles. By outlining the architecture of a CMS (its core modules, functional requirements and administrative controls), the BRD attempts to show how legal duties like purpose limitation, data minimisation and user autonomy can be operationalised in practice. Below, we examine the guidance the BRD offers for implementing these consent obligations and to what extent it addresses the practical and procedural uncertainties left unresolved by the DPDP Act and its Rules.

  1. Key Stakeholders and their responsibilities: The BRD outlines a structured ecosystem of stakeholders, each with defined roles and responsibilities to ensure lawful, transparent and accountable data processing in line with the Act and its Rules. The four key stakeholders are:
  • Data Principals - Individuals to whom the personal data relates and who hold the right to provide, manage and withdraw consent at any time.
  • Data Fiduciaries - Entities or individuals that determine the purpose and means of processing such data and bear primary responsibility for obtaining and managing consent in compliance with the law.
  • Data Processors – Entities or individuals that support Data Fiduciaries by processing data strictly on their instructions, without exercising independent control.
  • Data Protection Officer[8] ("DPO") – An individual appointed by Significant Data Fiduciaries to act as the internal compliance lead responsible for ensuring adherence to the Act's provisions.

Together, these roles, defined and elaborated in the BRD, form the backbone of the consent management and compliance framework under India's evolving data protection regime.

  2. Consent Management Lifecycle: The Consent Management Lifecycle ("CML"), as outlined in the BRD, translates the DPDP Act's high-level consent obligations[9] into a structured and system-driven process. While the DPDP Act mandates the requirements of the consent obtained, it does not define how businesses should implement these requirements operationally. The BRD fills this gap by detailing each stage of the CML (collection, validation, update, renewal and withdrawal), along with clear functional steps, interface design norms, metadata requirements and audit protocols. For Data Fiduciaries, this provides a practical blueprint to embed legal compliance into digital systems, reduce regulatory risk and enable user-centric consent governance.
  • Consent Collection: Consent collection is the foundation of lawful data processing. While the DPDP Act mandates that consent be free, specific, informed and unambiguous, the BRD operationalizes this with system-level clarity. It prescribes user-friendly, multilingual and WCAG-compliant interfaces not merely as design preferences, but as compliance necessities. Critically, it enforces granular, purpose-specific consent, ensuring users are not pushed into bundled approvals. It introduces the concept of a Consent Artifact, a structured digital record that captures metadata such as purpose ID, timestamp and user ID, securely stored and audit-ready. It also mandates real-time system integration, ensuring that data processing (internal or third-party) only begins after consent is verified. For businesses, this means reduced legal exposure and a clear audit trail that proves both user intent and the integrity of the record.
  • Consent Validation: The DPDP Act requires that data be processed only for the consented purpose[10] but does not specify an operational mechanism to enforce this limitation. The BRD fills this gap by requiring real-time consent validation through system-triggered API calls before any data processing (e.g., sending marketing emails, enabling analytics). This includes checks for whether the consent exists and is still valid (i.e., not expired or withdrawn) and whether the intended purpose matches what was originally agreed upon. All validations are logged for auditability. If the consent is not valid, the CMS must return an error or deny the processing request, and the Data Principal must be notified. In effect, this safeguards against purpose drift, reinforces data minimisation and allows businesses to demonstrate compliant behaviour under scrutiny.
  • Consent Update: As data use evolves with the introduction of new features, services or analytics pipelines, the DPDP Act requires fresh consent whenever there is a change in the purpose, scope or conditions of data processing, ensuring that consent remains informed, current and purpose-specific[11]. The BRD builds on this by mandating that such changes trigger a fresh consent request rather than merely a generic notification. Data Fiduciaries must issue clear, updated notices, and the CMS must support selective updates, enabling one purpose to be modified without affecting others. Updated Consent Artifacts are synchronized across all systems, ensuring that only valid permissions govern data flows. The updated consent notice must also specify the duration for which it remains valid, and a notification must be given to the relevant Data Fiduciaries and Data Processors.
  • Consent Renewal: The DPDP Act requires that consent remain valid and current[12]; to ensure this, the BRD introduces renewal protocols. Systems must alert users prior to expiry and request fresh, affirmative action; implied or automatic renewals are deemed non-compliant. Like initial collection, renewals must be logged with updated metadata and synced with all relevant systems. This guidance is especially relevant for industries handling long-duration personal data (e.g., financial services, health tech), helping them avoid lapses in permission while ensuring ongoing user control.
  • Consent Withdrawal: While the DPDP Act gives Data Principals the right to withdraw consent at any time[13], the BRD turns this into an enforceable system process. Businesses must allow easy, real-time withdrawal, with immediate cessation of related data processing. Withdrawal must be purpose-specific (e.g., opting out of marketing while retaining transaction alerts), and the CMS must log the event, notify all relevant systems and confirm the change to the user. Legal exceptions (e.g., statutory obligations) are acknowledged, but must be narrowly applied. This ensures businesses respect autonomy and enforce revocation of consent without delay.
  3. Cookie Consent: Cookie consent management plays a critical role in governing lawful digital tracking. The BRD operationalizes this by mandating that users be informed clearly and granularly about the use of cookies by category (essential, performance, analytics or marketing) and have the ability to provide, modify or withdraw consent for each category. Consent must be obtained through an accessible, multilingual interface, with only essential cookies enabled by default. Additionally, consent actions must be securely logged with metadata (e.g., timestamp, category selected), supporting auditability and compliance with the purpose limitation and data minimisation principles. From the perspective of Data Fiduciaries, the BRD transforms cookie consent into a compliance checkpoint. It requires real-time consent enforcement, renewal prompts when policies change and the ability to auto-expire cookies as per declared retention timelines. Users must be able to revisit and revise preferences at any time, with systems immediately reflecting such changes. This ensures transparency and reduces legal risk during regulatory scrutiny.
  4. User Dashboard: The DPDP Act imposes clear obligations on Data Fiduciaries to enable Data Principals to exercise their rights over personal data, such as accessing consent history, modifying or revoking consent, and raising grievances or data-related requests (access, correction or erasure). While these rights are outlined in principle, the DPDP Act lacks operational clarity on how they are to be exercised.

The BRD bridges this gap by mandating a structured User Dashboard (a central interface that transforms legal obligations into functional, traceable and user-friendly features). Far beyond a mere compliance checkbox, the dashboard enables real-time, auditable enforcement of user rights and fosters transparency, accountability and trust between Data Fiduciaries and Data Principals. The dashboard comprises the following three key modules:

  • View Consent History – This feature aligns with the DPDP Act's transparency mandate by requiring a searchable log of all consent actions (active, expired and withdrawn), along with relevant metadata (timestamp, purpose ID, status).
  • Modify or Revoke Consent – This module empowers users to change or withdraw consent for specific purposes in real time, with automatic updates across internal and external systems and full audit logging.
  • Grievances and Data Requests – This section allows users to raise complaints or make structured requests (access, correction, erasure), with case tracking, reference IDs, notifications and automated escalation to the DPO if unresolved within the prescribed timeline.
  5. Consent Notifications: The DPDP Act mandates that consent must be informed and revocable[14]. The BRD provides guidance on how Data Principals should be notified of consent-related actions by introducing a Consent Notifications Module, which delivers real-time, multi-channel alerts to ensure transparency, traceability and compliance at every stage of the consent lifecycle. For User Notifications, the BRD mandates automatic alerts triggered by events such as consent approval, withdrawal, expiration, renewal or responses to data requests. These alerts must be delivered via the user's preferred communication channel (email, SMS or in-app), using predefined templates in multiple Indian languages as per the Eighth Schedule, and may optionally require user acknowledgment to enhance traceability.

For Data Fiduciary and Processor Alerts, the BRD deploys API-based systems to instantly notify relevant stakeholders of changes in consent status, such as withdrawals or modifications, accompanied by actionable metadata (e.g., user ID, purpose ID, timestamp). All alerts are immutably logged and, if unacknowledged within a specified timeframe, escalated to the DPO or designated authority.

  6. Grievance Redressal Mechanism: Under the DPDP Act, Data Principals have the right to seek redress for unlawful processing, consent violations or data misuse[15]. The BRD expands on this right by introducing a structured, system-driven grievance mechanism that emphasizes timeliness, transparency and auditability.

For complaint logging, the BRD mandates a multilingual, user-friendly interface with predefined categories (e.g., consent misuse, data breach), where each submission is tagged with a unique ID and linked to relevant Consent Artifacts for context-specific handling. Metadata such as user ID, timestamp and complaint category are logged securely with TLS 1.3 encryption.

For resolution tracking, the BRD ensures end-to-end visibility through real-time dashboards, status notifications and time-bound escalations to senior officials or the DPO, ensuring compliance with the Act's prescribed timelines. Each resolution step is immutably logged, and the complaint is marked "Closed" only after a resolution summary has been provided and user feedback collected, thus ensuring both regulatory compliance and user-centric accountability.

  7. Governance Controls and Compliance Logging: The DPDP Act obligates Data Fiduciaries to implement appropriate technical and organizational measures for the lawful and secure processing of personal data[16]. The BRD specifies internal system controls and recordkeeping protocols through a structured framework for system administration and logging.

Under this, Data Fiduciaries must implement role-based access control (RBAC) and secure authentication mechanisms such as MFA and SSO, and configure data retention policies that ensure the timely purging or preservation of Consent Artifacts based on legal requirements.

The Logging module, in turn, mandates the creation of tamper-proof, immutable audit logs capturing every consent-related action (grant, withdrawal or update) along with metadata (timestamp, user ID, purpose ID, IP address and audit hash) to ensure traceability and accountability.
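To make the Consent Validation, Consent Withdrawal and Logging requirements described above concrete, the following Python sketch is an added example written for this article; it is not code from the BRD, MeitY or any Consent Manager. It keeps one Consent Artifact per (user, purpose) pair, validates before processing (consent must exist for exactly that purpose, must not be withdrawn and must not have expired), withdraws consent for one purpose without touching others, and records every action in a SHA-256 hash-chained audit log whose integrity can be re-verified. The artifact fields beyond the BRD's purpose ID, timestamp and user ID (an expiry and a withdrawal time), the decision codes, the hash-chain construction and the sample user, purpose and IP values are all assumptions constructed for the example.

```python
"""Illustrative consent validation, purpose-specific withdrawal and
hash-chained audit logging. Added example; not the BRD's or MeitY's code."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class ConsentArtifact:
    """Consent Artifact. purpose_id, granted_at and user_id follow the BRD's
    metadata list; expires_at and withdrawn_at are assumed for the example."""
    user_id: str
    purpose_id: str
    granted_at: datetime
    expires_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class AuditEntry:
    """One log record; audit_hash covers every other field including prev_hash."""
    action: str
    user_id: str
    purpose_id: str
    timestamp: str
    ip_address: str
    prev_hash: str
    audit_hash: str = ""


def _entry_hash(e: AuditEntry) -> str:
    body = {"action": e.action, "user_id": e.user_id, "purpose_id": e.purpose_id,
            "timestamp": e.timestamp, "ip_address": e.ip_address, "prev_hash": e.prev_hash}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentManagementSystem:
    GENESIS = "0" * 64  # prev_hash of the first log entry

    def __init__(self) -> None:
        self._artifacts: Dict[Tuple[str, str], ConsentArtifact] = {}
        self._audit_log: List[AuditEntry] = []

    def _log(self, action: str, user_id: str, purpose_id: str, ip: str, when: datetime) -> None:
        prev = self._audit_log[-1].audit_hash if self._audit_log else self.GENESIS
        entry = AuditEntry(action, user_id, purpose_id, when.isoformat(), ip, prev)
        entry.audit_hash = _entry_hash(entry)
        self._audit_log.append(entry)

    def grant(self, user_id: str, purpose_id: str, ip: str, when: datetime, validity: timedelta) -> None:
        # One artifact per (user, purpose): granular consent, never bundled.
        self._artifacts[(user_id, purpose_id)] = ConsentArtifact(user_id, purpose_id, when, when + validity)
        self._log("grant", user_id, purpose_id, ip, when)

    def withdraw(self, user_id: str, purpose_id: str, ip: str, when: datetime) -> bool:
        # Purpose-specific: other purposes held by the same user are untouched.
        art = self._artifacts.get((user_id, purpose_id))
        if art is None or art.withdrawn_at is not None:
            return False
        art.withdrawn_at = when
        self._log("withdraw", user_id, purpose_id, ip, when)
        return True

    def validate(self, user_id: str, purpose_id: str, ip: str, when: datetime) -> str:
        """Pre-processing check. Denials are logged just like approvals."""
        art = self._artifacts.get((user_id, purpose_id))
        if art is None:
            result = "DENY_NO_CONSENT"  # also covers a purpose mismatch
        elif art.withdrawn_at is not None and art.withdrawn_at <= when:
            result = "DENY_WITHDRAWN"
        elif when >= art.expires_at:
            result = "DENY_EXPIRED"
        else:
            result = "ALLOW"
        self._log("validate:" + result, user_id, purpose_id, ip, when)
        return result

    def verify_audit_chain(self) -> bool:
        """Recompute every hash and check each entry links to its predecessor."""
        prev = self.GENESIS
        for e in self._audit_log:
            if e.prev_hash != prev or _entry_hash(e) != e.audit_hash:
                return False
            prev = e.audit_hash
        return True


def demo() -> Dict[str, object]:
    """Constructed scenario: one user, two purposes, marketing withdrawn on day 2."""
    t0 = datetime(2025, 7, 18, tzinfo=timezone.utc)
    day = timedelta(days=1)
    cms = ConsentManagementSystem()
    cms.grant("user-42", "P-MARKETING", "203.0.113.7", t0, validity=365 * day)
    cms.grant("user-42", "P-TXN-ALERTS", "203.0.113.7", t0, validity=365 * day)
    out: Dict[str, object] = {
        "marketing_day1": cms.validate("user-42", "P-MARKETING", "10.0.0.5", t0 + day),
        "withdrawn": cms.withdraw("user-42", "P-MARKETING", "203.0.113.7", t0 + 2 * day),
        "marketing_day3": cms.validate("user-42", "P-MARKETING", "10.0.0.5", t0 + 3 * day),
        "txn_day3": cms.validate("user-42", "P-TXN-ALERTS", "10.0.0.5", t0 + 3 * day),
        "analytics_day3": cms.validate("user-42", "P-ANALYTICS", "10.0.0.5", t0 + 3 * day),
        "txn_day400": cms.validate("user-42", "P-TXN-ALERTS", "10.0.0.5", t0 + 400 * day),
    }
    out["chain_ok"] = cms.verify_audit_chain()
    out["log_entries"] = len(cms._audit_log)
    # Simulate stored records being altered out of band (a denial rewritten as
    # an approval): the recomputed hash no longer matches, so the chain fails.
    cms._audit_log[4].action = "validate:ALLOW"
    out["chain_after_tamper"] = cms.verify_audit_chain()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting for a Data Fiduciary building this: validation is keyed on the exact purpose ID, so consent for marketing never authorises analytics, and the audit log records denials as well as approvals, which is what lets an organisation demonstrate under scrutiny that processing was actually blocked when consent was absent. In a production CMS the chain head would additionally be anchored somewhere outside the database (a signed checkpoint or write-once store) so that an attacker with database access cannot simply recompute the whole chain.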

Way Forward: Interpreting the BRD in Practice

The BRD serves as a crucial operational companion to the DPDP Act, offering Data Fiduciaries and other stakeholders a structured blueprint for implementing lawful, accountable and user-centric data processing practices. To some extent, it translates the DPDP Act's broad obligations into actionable modules aligned with the DPDP Act's core principles of transparency, fairness and purpose limitation.

That said, Data Fiduciaries are advised to approach the BRD not as a final word but as a living framework, one that provides operational clarity but does not settle all legal questions. The allocation of responsibility and liability among stakeholders such as Data Fiduciaries, Data Processors and Consent Managers remains an open issue in the absence of detailed regulatory guidance. The true effectiveness of a CMS and the boundaries of accountability may only become apparent through real-world implementation and regulatory scrutiny. In this context, Data Fiduciaries should proactively interpret and apply the BRD in ways that anticipate future compliance expectations. While much of the legal framework may still evolve, the BRD allows organizations to begin architecting consent systems that are compliant, adaptive and proportionate to their operational needs, ensuring readiness while reinforcing trust with Data Principals.

Footnotes

1 The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) (India)

2 Ministry of Electronics and Information Technology (MeitY). (2024) Business Requirement Document for Consent Management under the Digital Personal Data Protection Act, 2023, Government of India, https://www.meity.gov.in/

3 S. 6, The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) (India), 6. Consent: The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified........... prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder.

4 S. 2 (i), The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) (India), 2 (i) Data Fiduciary: means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

5 S. 2 (j), The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) (India), 2 (j) "Data Principal" means the individual to whom the personal data relates and ......with disability, includes her lawful guardian, acting on her behalf;

6 S. 5, The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) (India), 5. Notice: (1) Every request made to a Data Principal....... in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed.

7 S. 2 (g), The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) (India), 2 (g) "Consent Manager" means a person registered with the Board, who acts as a single point of............transparent and interoperable platform.

8 S. 2 (l), The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) (India), 2 (l) "Data Protection Officer" means an individual appointed by the Significant Data Fiduciary under clause (a) of sub-section (2) of section 10.

9 Supra Note 3

10 S. 4, The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) (India), 4. Grounds for processing personal data: (1) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and ......purposes of this section, the expression "lawful purpose" means any purpose which is not expressly forbidden by law.

11 Supra Note 3

12 Supra Note 3

13 Supra Note 3

14 Supra Note 3

15 S. 10, The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) (India), 10. Additional obligations of Significant Data Fiduciary: The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary......other measures, consistent with the provisions of this Act, as may be prescribed.

16 S. 8, The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) (India), 8. General obligations of Data Fiduciary: A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out......Data Fiduciary for such performance, in person or by way of communication in electronic or physical form.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
