In India, after extensive public debate, the Digital Personal Data Protection Act, 2023, received Presidential assent on August 11, 2023. Following a wait of over a year, the Government of India (GOI) has now released the draft rules for the implementation of the Act for public scrutiny and feedback. These rules place significant responsibilities on Data Fiduciaries, the entities that process the personal data of Data Principals (consumers) to deliver various services. According to the rules, data processing must adhere to the principle of necessity: personal data must not be retained indefinitely once the purpose for which it was collected has been served, which reduces the window in which it can be misused or exposed in a breach.
Both the Act and the accompanying rules grant substantial rights to Data Principals, empowering them to manage their personal data by giving and withdrawing consent. While this framework appears robust on paper, it presents practical challenges for users. Given the vast number of websites and applications individuals interact with daily, it becomes nearly impossible for users to effectively manage their consents on their own.
To address this challenge, the Act introduces the concept of a Consent Manager—an entity that acts on behalf of users to manage their data consents. This note critically evaluates the role of Consent Managers and examines whether the Act and its rules sufficiently empower these entities to function effectively and serve the interests of consumers as intended. Additionally, it explores potential barriers that might hinder the effectiveness of Consent Managers and suggests measures to overcome these challenges to protect the rights of Data Principals.
Consent Managers: Regulatory Oversight and Operational Risks
The proposed rules (Clause No. 4, Page 29) outline a comprehensive framework for the registration and obligations of Consent Managers. These rules indicate that regulators intend to exercise significant oversight over the functioning of Consent Managers to ensure that they operate in the best interests of consumers, i.e., Data Principals. Notably, Consent Managers are required to adhere to stricter accountability standards compared to Data Fiduciaries. Although both entities are subject to similar monetary penalties for non-compliance, Consent Managers face the additional risk of cancellation of registration if they breach any provision of the Act or the accompanying rules. In contrast, Data Fiduciaries are only subject to financial penalties and are not exposed to the risk of deregistration or operational suspension.
The penalties, capped at ₹250 crore per instance, are lower than those in comparable international regimes, which link fines to global turnover. A fixed cap reduces the financial exposure of large Data Fiduciaries with deep pockets, making non-compliance a calculable cost for them. Conversely, Consent Managers face a much higher operational risk, as non-compliance could lead to the complete shutdown of their business through cancellation of registration. This imbalance places a heavier compliance burden on Consent Managers, despite their operating under the same monetary penalty framework as Data Fiduciaries.
Can Consent Managers Function Effectively?
A critical question that arises is whether the Digital Personal Data Protection Act, 2023, and its accompanying rules provide a robust framework for Consent Managers to function effectively in serving the interests of consumers (Data Principals). Upon closer examination, several challenges emerge that could hinder the effective operation of Consent Managers.
1. Lack of Mandatory Collaboration with Data Fiduciaries
The Act does not mandate Data Fiduciaries to collaborate with Consent Managers. This voluntary participation creates a significant challenge: businesses that already comply with data protection laws may see no additional benefit in integrating with Consent Managers. Without mandatory integration, Consent Managers cannot access Data Fiduciaries’ systems to manage user consents, rendering their role ineffective.
2. Absence of Standardized Integration Mechanisms
The Act lacks provisions for a standardized API framework or technical guidelines for Consent Managers to integrate with Data Fiduciaries. Without standardized protocols, Consent Managers face technical difficulties in integrating with multiple platforms, leading to fragmented and inefficient consent management.
3. Risk of Selective Engagement by Data Fiduciaries
The framework does not address how Data Fiduciaries should engage with multiple Consent Managers. Data Fiduciaries may choose to work with certain Consent Managers while excluding others, limiting fair market participation. Uneven collaboration could marginalize smaller Consent Managers, creating an unbalanced market.
4. Increased Data Breach Risks
Allowing multiple Consent Managers to operate without clear security protocols introduces additional risk. Every Consent Manager that integrates with a Data Fiduciary adds another interface that holds or relays consent records and identity information, and each such interface is an additional attack surface. Without minimum security standards for these integrations (authentication between parties, encryption in transit and at rest, logging and breach notification), the likelihood of data leaks and misuse rises with the number of Consent Managers in the ecosystem.
5. Potential Market Consolidation and Consumer Cost Burden
Without regulatory safeguards, the market could consolidate around a few dominant Consent Managers. Larger players with more resources could dominate the market, sidelining smaller firms. Dominant Consent Managers might pass on high service costs to consumers, making consent management unaffordable for lower-income users.
6. Limited Consumer Empowerment
The voluntary nature of business participation and potential high costs could undermine consumer rights. Consumers unable to afford premium consent management services may struggle to protect their data, defeating the intended goal of empowering Data Principals.
These challenges highlight significant gaps in the current framework, raising concerns about whether Consent Managers can fulfill their intended role in protecting consumer data rights under the Digital Personal Data Protection Act, 2023.
International Practices: Consent Management Models and Mitigation of Challenges
Globally, consent management practices are shaped by stringent data protection laws such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States. While these frameworks do not mandate dedicated Consent Managers, they have led to the emergence of Consent Management Platforms (CMPs) that help businesses comply with data protection requirements.
The GDPR has encouraged the development of industry standards for consent collection and management. The Transparency and Consent Framework (TCF) by the Interactive Advertising Bureau (IAB) Europe, for example, defines a standardized, machine-readable consent signal and a common CMP interface, so that a business and a CMP can exchange consent state without a bespoke integration for each pairing. This reduces technical complexity and promotes uniformity.

Strict regulatory enforcement in the EU and California compels businesses to comply with consent requirements. Heavy penalties (up to 4% of global annual turnover under the GDPR) motivate companies to engage with CMPs to limit legal risk, ensuring wide adoption despite the absence of a mandate. In markets with high consumer privacy awareness, businesses also integrate with CMPs voluntarily to build trust and differentiate themselves; transparency in data handling becomes a competitive advantage.

CMPs operating under the GDPR and CCPA must implement rigorous data protection measures. Regular audits, encryption standards, and compliance certifications (e.g., ISO 27001) mitigate security risks and address concerns about data breaches. To prevent monopolization, industry-led initiatives promote open standards, allowing both large and small CMPs to compete on equal terms. This limits market consolidation and helps keep consent management services accessible and affordable.
While international models face challenges such as consent fatigue and user disengagement, these are mitigated through regulatory enforcement, industry collaboration, and the use of standardized integration frameworks. India can draw lessons from these global practices to strengthen its Consent Manager framework and ensure effective data protection for consumers.
How Can the Rules Be Tweaked to Make Consent Managers Function Effectively?
While the current rules appropriately emphasize independence and address conflict of interest between Data Fiduciaries and Consent Managers, they fall short in enabling Consent Managers to operate effectively without being subjected to the influence of large Data Fiduciaries. The absence of mandates or incentives for Data Fiduciaries to collaborate with Consent Managers, coupled with the lack of standardized integration mechanisms like robust APIs, severely limits their functionality.
To address this, the rules must establish safeguards that prevent large Data Fiduciaries from dominating or sidelining Consent Managers, whether directly or indirectly through their financial muscle. Implementing a standardized API framework would streamline integration, minimize operational friction, and reduce compliance costs. Additionally, offering incentives for voluntary collaboration, such as compliance certifications or tax benefits, could motivate Data Fiduciaries to engage with Consent Managers without mandating full integration, thus maintaining flexibility.
However, mandating universal integration could be counterproductive, potentially increasing the risk of data breaches and operational inefficiencies. A balanced approach is necessary: one that supports a limited number of well-regulated Consent Managers who maintain full independence while avoiding dependency on large Data Fiduciaries. This model would encourage cost-effective operations and make consent management services more affordable and accessible, especially for consumers who cannot bear high service fees.
Conclusion
The Digital Personal Data Protection Act, 2023 marks a significant step towards empowering consumers with greater control over their personal data in India. By introducing Consent Managers, the Act acknowledges the growing complexity of managing data consents in an increasingly digital world. However, while the regulatory framework emphasizes independence and conflict of interest safeguards, it falls short in creating a fully functional ecosystem for Consent Managers to operate effectively. The absence of mandatory collaboration between Data Fiduciaries and Consent Managers, coupled with the lack of standardized integration mechanisms, undermines the very purpose of empowering Data Principals.
International practices, particularly under the GDPR and CCPA, highlight the importance of strong regulatory enforcement, standardized integration protocols, and consumer trust in driving effective consent management. These global models offer valuable lessons for India—most notably, the need for technical standardization through APIs, clear security frameworks, and balanced regulatory incentives.
To bridge the existing gaps, India must adopt a balanced approach that fosters cooperation between Data Fiduciaries and Consent Managers without introducing unnecessary complexities. Implementing standardized APIs, encouraging voluntary collaboration through incentives, and ensuring strict security protocols will enable Consent Managers to function independently and effectively. Moreover, limiting the market to a few well-regulated Consent Managers can minimize operational costs and make consent management services more affordable and accessible for all users.
By addressing these challenges thoughtfully, India can establish a robust and inclusive consent management ecosystem that truly protects consumer data rights and aligns with global best practices. This will not only strengthen user trust but also ensure that the objectives of the Digital Personal Data Protection Act, 2023 are fully realized.