
ESG Update – National e-Governance Division issued guidelines for consent management under Digital Personal Data Protection Act


Introduction:

On 6 June 2025, the National e-Governance Division (NeGD) under the Ministry of Electronics and Information Technology (MeitY) released a Business Requirements Document (BRD) for the Consent Management System (CMS).[1] The BRD outlines the key functionalities and requirements in alignment with the Digital Personal Data Protection (DPDP) Act, 2023.

Objective and Scope:

The CMS is intended to facilitate comprehensive Consent Lifecycle Management, which includes the collection, validation, modification, renewal, and withdrawal of consent, aligning with the requirements of the DPDP Act and its rules. It aims to empower Data Principals by providing a user-centric platform where individuals can view, manage, and control their consent preferences and exercise their data rights, ensuring transparency and trust. Furthermore, the system is designed to adhere strictly to the DPDP Act’s regulations, including purpose limitation, data minimization, and secure processing of personal data.

Key Stakeholders:

The stakeholders include:

  1. Data Principals (individuals to whom personal data relates, having the right to give, manage, and withdraw consent);
  2. Data Fiduciaries (any person or entity determining the purpose and means of processing personal data and responsible for obtaining and managing consent);
  3. Data Processors (a person or entity processing personal data on behalf of a Data Fiduciary, following their instructions); and
  4. Consent Management System (CMS), which manages the consent lifecycle. 

Core Functional Modules:

The BRD defines the CMS’s functional requirements, including a detailed breakdown of core modules such as Consent Lifecycle Management, User Dashboard, Notifications, and Grievance Redressal Mechanisms. 

  1. Consent Lifecycle Management: This includes Consent Collection, which must be explicit, purpose-specific, and lawful, requiring affirmative action from Data Principals and supporting multi-language and accessible interfaces. Consent Validation ensures explicit and lawful consent exists before processing data, often validated in real time via APIs. Consent Update enables Data Principals to modify their previously granted consent while logging metadata and notifying relevant stakeholders. Consent Renewal is available prior to expiration for time-limited consents. Consent Withdrawal allows Data Principals to revoke consent with immediate effect, leading to the cessation of related data processing.
  2. Cookie Consent: This module ensures users are informed about cookie usage and provides granular consent options for different cookie categories. It allows real-time updates, preference management, logging, and compliance with data retention policies.
  3. User Dashboard: The dashboard allows users to view their complete consent history, grouped by status, with search and filter options. It also empowers them to modify or revoke their consent for specific purposes in real time and raise grievances or data requests.
  4. Consent Notifications: This module ensures all stakeholders are promptly informed about consent-related activities through real-time updates via multiple channels, including notifications to Data Principals regarding updates, approvals, and withdrawals, and alerts to Data Fiduciaries and Processors about consent changes.
  5. Grievance Redressal Mechanism: This mechanism ensures Data Principals can raise complaints related to data processing, privacy violations, or consent management issues through a platform for logging complaints with reference tracking and real-time status updates. 
  6. Administrative Capabilities: The document also outlines administrative capabilities, including user role management and data retention policy configuration.
  7. User Role Management: Provides role-based access control, allowing the definition and management of access within the CMS for authorized personnel based on predefined roles such as Administrator, Auditor, and Data Protection Officer. 
  8. Data Retention Policy Configuration: Enables the configuration of data retention policies to comply with the DPDP Act, ensuring personal data and consent records are retained or deleted based on predefined schedules, with options for automated deletion and exemption handling. 
  9. Logging: Ensures that all consent-related activities are documented in a transparent, secure, and tamper-proof manner through immutable audit logs, providing an auditable history for compliance verification and dispute resolution. 
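The lifecycle and logging requirements above can be read as a small state machine: consent is collected per purpose by an affirmative act, validated before each processing activity, renewable only while still active, withdrawn with immediate effect, and every transition recorded in a tamper-evident log. The following Python sketch is an added illustration of those rules, not code from the BRD or from NeGD; its class, method names and integer timestamps are assumptions chosen for clarity.

```python
import hashlib
import json

class ConsentManager:
    """Purpose-specific consent records plus a hash-chained, append-only audit log."""

    def __init__(self):
        self.consents = {}  # (principal, purpose) -> {"status": ..., "expires_at": ...}
        self.audit = []     # append-only; each entry embeds the hash of the previous one

    def _log(self, event, principal, purpose, **extra):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"event": event, "principal": principal, "purpose": purpose, "prev": prev, **extra}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def collect(self, principal, purpose, affirmative, expires_at):
        # Collection: consent must be an affirmative act, bound to a single stated purpose.
        if not affirmative:
            raise ValueError("consent requires an affirmative action by the Data Principal")
        self.consents[(principal, purpose)] = {"status": "active", "expires_at": expires_at}
        self._log("collect", principal, purpose, expires_at=expires_at)

    def validate(self, principal, purpose, now):
        # Validation: the Fiduciary checks this before every processing activity.
        rec = self.consents.get((principal, purpose))
        return bool(rec) and rec["status"] == "active" and now < rec["expires_at"]

    def renew(self, principal, purpose, now, new_expires_at):
        # Renewal is offered only while the consent is still active and unexpired.
        if not self.validate(principal, purpose, now):
            raise ValueError("only an active, unexpired consent can be renewed")
        self.consents[(principal, purpose)]["expires_at"] = new_expires_at
        self._log("renew", principal, purpose, expires_at=new_expires_at)

    def withdraw(self, principal, purpose, now):
        # Withdrawal takes immediate effect: later validate() calls return False.
        self.consents[(principal, purpose)]["status"] = "withdrawn"
        self._log("withdraw", principal, purpose, at=now)

    def verify_audit(self):
        # Recompute the chain; an edited, reordered or deleted entry breaks a hash or prev link.
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != hashlib.sha256(
                    json.dumps(body, sort_keys=True).encode()).hexdigest():
                return False
            prev = entry["hash"]
        return True
```

A production CMS would anchor the chain head in a write-once store or sign it, since a hash chain alone only detects edits made after the verifier's last known head.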

Conclusion:

The BRD serves as a guideline for developing and deploying a system that empowers Data Principals to exercise their rights over personal data and provides Data Fiduciaries and Processors with tools for secure and compliant consent processing, ensuring transparency, user empowerment, and DPDP compliance.

[1] https://d38ibwa0xdgwxx.cloudfront.net/whatsnew-docs/8d5409f5-d26c-4697-b10e-5f6fb2d583ef.pdf