In today’s digital economy, people engage with digital services and products and thereby generate data. Data, including personal data, can generate economic value depending on how it is processed and used, especially in digital form. Personal data falls within the species of rights in rem and therefore requires a pragmatic integration of law and technology to maintain its integrity and preserve individual autonomy. In this context, the consent of the individuals whose personal data is collected and processed becomes crucial.
To protect personal data and the autonomy of individuals, the Digital Personal Data Protection Act, 2023 (the DPDP Act) has introduced a concept of consent manager. This well-thought legislative inclusion provides for the engagement and interaction of consent managers with data principals (individuals who provide their personal data) and data fiduciaries (who collect and process such personal data), primarily managing consents of data principals in a digital environment.
The DPDP Act defines a consent manager as a person registered with the data protection board (DPB, to be established under the DPDP Act) to act as a single point of contact to enable a data principal to give, manage, review, and withdraw his/her consent through an accessible, transparent, and interoperable platform. This definition emphasises the role of consent managers as facilitators and custodians of the data principal’s consent, allowing data principals to indicate their choices and preferences to a data fiduciary.
Consent managers are primarily meant to operate as gatekeepers of privacy and are required to foster transparency and trust throughout the lifecycle of personal data. This is increasingly important in an age where a significant power imbalance exists between data principals and data fiduciaries.
One can consider consent managers as repositories of one’s choices and preferences in relation to personal data. Analogous to a bank, which collects, holds and deals with your financial assets on your instructions, consent managers will do the same with personal data. The consent manager will work through a technology interface, wherein any action requiring the issuance or withdrawal or modification of any consent pertaining to your personal data will be routed through the consent manager.
Under the DPDP Act, consent managers operate as independent third parties. They are not directly involved in processing personal data but play a crucial role in managing consent throughout the life cycle of personal data. Their independence from the data fiduciaries ensures an unbiased approach to consent management, which is vital for maintaining trust and integrity in the process.
The role of a consent manager commences with securing free, specific, informed, unconditional, and unambiguous consent from data principals. This initial step requires clear communication of the purpose(s) for which personal data will be processed and ensuring that consent is obtained in a manner compliant with the legal requirements under the DPDP Act. Once achieved, this consent will be translated into definable attributes: validity, obligations, and permissions, which will determine subsequent data processing in adherence to legal requirements. Consent managers will also have to ensure that data fiduciaries can access the attributes of consent provided and are aware of the realm within which the data fiduciaries need to process personal data.
Consent managers are tasked with meticulously recording and managing consents. They will also be required to maintain current and relevant permissions from a data principal for processing personal data. Much like online banking transaction records, consent managers might be required to maintain details such as when consent was given, the method through which it was provided, the period for which it is valid, and so on. Further, they may be required to facilitate essential data rights, enabling data principals to access, rectify, or erase their personal data and thereby retain control and transparency over it in a user-friendly manner. The consent manager will also provide the data principal with information regarding grievance redressal.
In India, we already have a working precedent for consent managers in the financial sector, in the form of account aggregators (AA). These AAs operate using a consent artefact for the collection and use of personal financial data, which among other aspects covers establishing the identity of participants, consent flows, consent verification, revocation, security standards, purpose limitation, and storage and use limitation. Upon being presented with a consent artefact, the financial information provider (FIP, the bank or other institution holding the customer’s financial data, not the customer, who is the data principal) must verify the AA’s credentials and the digital signature on the artefact (digital signatures being governed by the Information Technology Act, 2000) before securely transmitting the requested financial information to the AA.
It is likely that the consent managers registered under the DPDP Act may also operate similarly and will be governed by the DPB.
While consent managers offer numerous benefits, they also present certain challenges and disadvantages that organisations need to consider for effective data privacy management:
Potential for mismanagement - A significant risk with consent managers is the possibility of mismanaging consent. This could stem from technical glitches, misunderstanding legal mandates, or delays in updating consent records.
Dependence on third-party - Dependence on a third-party consent manager introduces risk. They may not always align with an organisation’s specific data practices or adapt swiftly to changing legal environments, potentially hindering flexibility and responsiveness in data privacy strategies.
Technical challenges - Technical challenges in implementing and integrating consent management systems are significant. These systems must be robust and secure and integrate seamlessly with existing data processing systems. Moreover, the exchange of consent data between the consent manager and the data fiduciary must be carefully managed. If integration with a third-party consent manager is required, usually through APIs, it is vital to determine the extent of data exchange. This exchange should be minimal yet sufficient to ensure that the data fiduciary has the necessary consent information to process data lawfully while maintaining data security and privacy.
It will be interesting to see whether the consent managers under the DPDP Act will be required to adhere to the electronic consent framework established by the Ministry of Electronics and Information Technology (the framework provides a set of technology standards for obtaining electronic consent – the Electronic Consent Framework) and use DigiLocker to allow data principals to securely store consent records.
Cost implications - Implementing consent managers involves development, implementation, and maintenance costs. For smaller organisations or startups, these costs can be a significant factor, possibly limiting their ability to leverage consent managers effectively.
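The flow described in the account aggregator paragraph above, and the attribute model (validity, purpose, fiduciary, withdrawal) and minimal API exchange discussed under the consent manager’s role and the technical challenges, can be made concrete in code. What follows is an added example, not code from this article, from the DPDP Act, or from the AA specification: all identifiers, field names, timestamps and the lender/KYC scenario are constructed, and an HMAC over canonical JSON stands in for the digital signature the AA framework uses (a real deployment would use an asymmetric signature so that a fiduciary can verify an artefact without holding the consent manager’s secret key). The point a practitioner should take from it is in the `authorise` method: a valid signature on a copy the fiduciary holds proves the artefact was issued, but says nothing about whether consent has since been withdrawn, so status must always be read from the manager’s current record.

```python
"""Consent artefact capture, signing, verification, withdrawal and minimal disclosure.
Added example, not code from the article, the DPDP Act or the AA specification; all
identifiers, field names and timestamps are constructed. HMAC stands in for a signature."""
import hashlib, hmac, json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional, Tuple

ISO = "%Y-%m-%dT%H:%M:%SZ"

@dataclass
class ConsentArtifact:
    consent_id: str
    data_principal: str         # principal's identifier at the consent manager
    data_fiduciary: str         # fiduciary the consent is granted to
    purposes: List[str]         # purpose codes the principal agreed to
    data_categories: List[str]  # personal data categories covered
    valid_from: str             # UTC ISO-8601 validity window
    valid_until: str
    method: str                 # how consent was captured, e.g. "app-checkbox"
    status: str = "ACTIVE"      # ACTIVE or WITHDRAWN
    withdrawn_at: Optional[str] = None

def canonical(a: ConsentArtifact) -> bytes:
    """Deterministic serialisation so an artefact always signs to the same bytes."""
    return json.dumps(asdict(a), sort_keys=True, separators=(",", ":")).encode()

def ts(value: str) -> datetime:
    return datetime.strptime(value, ISO).replace(tzinfo=timezone.utc)

class ConsentManager:
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._records = {}  # consent_id -> the manager's own current copy
        self.audit = []     # append-only: (consent_id, event, when, method)

    def sign(self, a: ConsentArtifact) -> str:
        return hmac.new(self._key, canonical(a), hashlib.sha256).hexdigest()

    def record_consent(self, a: ConsentArtifact) -> str:
        """Keep the manager's own copy of a captured consent; return its signature."""
        self._records[a.consent_id] = replace(a)
        self.audit.append((a.consent_id, "GRANTED", a.valid_from, a.method))
        return self.sign(a)

    def withdraw(self, consent_id: str, when: str) -> None:
        rec = self._records[consent_id]
        rec.status, rec.withdrawn_at = "WITHDRAWN", when
        self.audit.append((consent_id, "WITHDRAWN", when, "consent-manager-portal"))

    def fiduciary_view(self, consent_id: str) -> dict:
        """Minimal API disclosure: the consent attributes, not the principal's record."""
        rec = self._records[consent_id]
        return {k: getattr(rec, k) for k in ("consent_id", "data_fiduciary", "purposes",
                                             "data_categories", "valid_from", "valid_until", "status")}

    def authorise(self, presented: ConsentArtifact, signature: str, fiduciary: str,
                  purpose: str, category: str, now: str) -> Tuple[bool, str]:
        """May `fiduciary` process `category` data for `purpose` at time `now`?"""
        # 1. Integrity: the presented copy must be one this manager signed, unmodified.
        if not hmac.compare_digest(self.sign(presented), signature):
            return False, "signature mismatch"
        # 2. Currency: a valid signature on a stale copy says nothing about withdrawal,
        #    so status is taken from the manager's record, never from the copy.
        rec = self._records.get(presented.consent_id)
        if rec is None:
            return False, "unknown consent"
        if rec.status != "ACTIVE":
            return False, "withdrawn at " + str(rec.withdrawn_at)
        # 3. Scope: the right fiduciary, purpose and data category; 4. validity window.
        if rec.data_fiduciary != fiduciary:
            return False, "issued to a different fiduciary"
        if purpose not in rec.purposes:
            return False, "purpose not consented"
        if category not in rec.data_categories:
            return False, "data category not consented"
        if not ts(rec.valid_from) <= ts(now) < ts(rec.valid_until):
            return False, "outside validity period"
        return True, "ok"

def build_demo():
    """Constructed sample: consent to a lender for KYC and loan assessment, six months."""
    cm = ConsentManager(b"demo-signing-key")
    art = ConsentArtifact("c-0001", "dp-42", "df-lender", ["KYC_VERIFICATION", "LOAN_ASSESSMENT"],
                          ["IDENTITY", "BANK_STATEMENT"], "2024-06-01T00:00:00Z",
                          "2024-12-01T00:00:00Z", "app-checkbox")
    return cm, art, cm.record_consent(art)

def run_scenarios() -> dict:
    """The cases a fiduciary's integration must get right; returns (ok, reason) per case."""
    cm, art, sig = build_demo()
    july = "2024-07-01T00:00:00Z"
    tampered = replace(art, purposes=art.purposes + ["MARKETING"])  # fiduciary widens scope
    out = {
        "valid": cm.authorise(art, sig, "df-lender", "LOAN_ASSESSMENT", "BANK_STATEMENT", july),
        "wrong_purpose": cm.authorise(art, sig, "df-lender", "MARKETING", "BANK_STATEMENT", july),
        "tampered": cm.authorise(tampered, sig, "df-lender", "MARKETING", "BANK_STATEMENT", july),
    }
    cm.withdraw("c-0001", "2024-08-01T00:00:00Z")
    out["withdrawn"] = cm.authorise(art, sig, "df-lender", "LOAN_ASSESSMENT", "BANK_STATEMENT", july)
    return out
```

Calling `run_scenarios()` returns the decision and reason for each case; the "withdrawn" case is the one that matters for integration design, because the fiduciary’s copy of the artefact still carries a valid signature after withdrawal and only the lookup against the manager’s record rejects it. `fiduciary_view` shows the minimal exchange the technical-challenges point calls for: the fiduciary receives the consent attributes it needs to process lawfully, not the principal’s identifier at the manager, the capture method or the audit trail.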
In summary, consent managers play a vital role between data principals and data fiduciaries, ensuring the delicate balance between data processing/ utilisation and privacy rights. However, there is still ambiguity regarding the practical implementation of the consent manager framework. Especially with respect to:
Will it be mandatory for data fiduciaries to integrate with consent managers? If so, what will be the extent of the data exchanged between a consent manager and the data fiduciary? Further, large organisations may not require a third-party consent manager, as they may develop a superior consent management platform internally, which would make it complicated for a data principal to keep track of their consents across multiple consent management platforms.
Will consent managers also adhere to all the obligations and compliances prescribed for a data fiduciary under the DPDP Act?
Will consent managers effectively address the age verification and age-gating requirements under the DPDP Act?
The legal, technical, and financial requirements to register as a consent manager.
We will only get clarity on these aspects once the rules under the DPDP Act are notified.
As we look to the future, the evolution of consent managers will be marked by technological advancements (possibly by integrating blockchain technology for the consent management process), adapting to new legal frameworks, and a stronger focus on empowering data principals. Understanding and effectively leveraging the role of consent managers will be crucial for organisations to navigate the ever-evolving landscape of data privacy.
About the authors: Probir Roy Chowdhury is a Partner and Manas Ingle is a Senior Associate at JSA.