Consent management puts users at the core

By Ada Shaharbanu and Anushka Narayan, Spice Route Legal

As online transactions proliferate, platforms increasingly ask users for a variety of consents. Transparency and information are often missing, leading to consent fatigue and permission by default. However, users may want to have a comprehensive view of the sites that have access to their personal data. The new Digital Personal Data Protection Act, 2023 (DPDPA), has introduced the consent manager as a single point of contact for data principals, enabling the latter to have greater control over such data.

Ada Shaharbanu
Senior Associate
Spice Route Legal

The concept of consent managers was introduced in India by Niti Aayog, the government-backed policy think tank, as part of the Data Empowerment and Protection Architecture (DEPA). Practical implementation came with the account aggregator framework (AA framework), regulated by the Reserve Bank of India. An account aggregator under the AA framework enables a user to share financial information held by regulated entities, known as financial information providers (FIPs), with entities that use the data to provide finance-based services, known as financial information users (FIUs). Account aggregators are data-blind and cannot access the data shared between these entities.

Under the DPDPA, a consent manager is a platform enabling an individual to give, manage, review and withdraw consent. The consent manager is a privacy-centric entity, as opposed to the AA framework account aggregator, which focuses on relaying financial information from an FIP to an FIU through a standardised consent mechanism. These differences in objectives lead to different commercial models. Consent managers under the DPDPA will attract users through efficiency and convenience in managing their consent. An account aggregator’s operations serve the commercial needs of FIUs.

When the DPDPA is fully in effect, the standards of consent will be stringent. Businesses will have to reconsider how they process end users’ data. While it is presently unclear whether organisations processing data must have consent managers in place, partnering with them may maintain trust and reassure individuals who are becoming increasingly privacy-conscious.

Anushka Narayan
Associate
Spice Route Legal

While their exact role remains unclear, consent managers will promote further competition in the market because businesses will be compelled to incorporate innovative consent management-based solutions into their sales strategies. They will have to prioritise data protection.

Consent managers may commercialise the data to which they have access by offering insights on consent trends and user preferences to companies that may seek such data.

Borrowing from the DEPA, consent managers will have the ability to access siloed data, increasing data portability and interoperability. For instance, a hospital may request a user’s insurance information from an insurer through a consent manager. Consent managers can facilitate the sharing of otherwise inaccessible cross-sectoral data.

Pricing models and strategies of consent management companies will reflect the investment in technical and operational infrastructure they will need once the DPDPA provides guidance. Charging nominal fees as in the AA framework may not be feasible for new entrants without other, more profitable lines of business to sustain them. Niti Aayog identified various business models under the DEPA, such as having separate entities under the AA framework act solely as consent managers, developing consent manager solutions in-house and engaging public sector entities to offer subsidised consent management services. The roles of consent managers will not be determined until the Data Protection Board prescribes technical, operational, and financial rules.

As well as requiring registration with the board, the DPDPA may impose supervision and audit requirements similar to those for account aggregators. Regulatory supervision may be challenging for entities acting as consent managers. The additional costs may put smaller organisations at a disadvantage by restricting their access to necessary technology.

Despite such difficulties, DPDPA consent management promises a more robust and user-friendly data protection framework. Cracking the code on consent management goes beyond compliance. A new era beckons, with businesses aligning their data processing practices with global consent norms. These put the user at the centre of operations with control over their data.

Ada Shaharbanu is a senior associate and Anushka Narayan is an associate at Spice Route Legal.

Spice Route Legal
14th floor, Skav 909,
Lavelle Road, Ashok Nagar
Bengaluru, Karnataka 560025
Contact details:
E: contact@spiceroutelegal.com
