As the government deliberates on a transition period for compliance with the Digital Personal Data Protection Act, 2023, a study of 100 companies across various sectors highlights a lack of readiness among digital platforms. Experts underscore the importance of a consent manager in ensuring personal data protection.
PwC India's report analysed the websites of nearly 100 companies from 20 different sectors, considering the privacy features stipulated by the new law. Merely nine out of the 100 companies were observed to seek specific, informed, and freely given consent — a fundamental requirement of the privacy law — before gathering personal data from users. Forty-three per cent of these organisations fail to articulate the reasons for sharing data with third-party entities.
Although the government and industry stakeholders have yet to agree on a timeline to abide by the DPDP Act, passed by parliament over two months ago, experts advise individuals concerned about their digital data to consider the consent manager provision as a straightforward solution.
“Consent manager is a very interesting and novel concept; it is an important innovation that needs to be done, generally in the internet ecosystem, because a ‘consent fatigue’ has set in, where for everything you have to give consent. So, if there’s a central platform on which you can manage your data sharing across platforms, that gives more power to users,” said Aparajita Bharti, co-founder at TQH consulting.
Furthermore, the PwC report discloses that a mere 4 per cent of organisations have mechanisms in place to notify of data breaches, which could be seen as a violation of existing sectoral regulations. Sixteen per cent of these companies had a cookie consent, whereas 48 per cent offered an option to retract consent. A scant 2 per cent provided consent in multiple languages.
Bharti attributes the under-preparedness to India's unique approach to data protection. She said, “Companies with a vast user base need to modify their workflows on their platforms and explore technical solutions. Requirements like notifications in various Indian languages and obtaining parental consent mean companies need time to adjust their backend systems.”
The law provides for a consent manager, an intermediary between the data principal and the data fiduciary. Registered with the Data Protection Board, this consent manager will serve as a singular touchpoint for individuals to provide, oversee, and retract their consent via an accessible, transparent platform.
The current legislation has omitted the “privacy by design” stipulations present in prior bill drafts. Some experts felt this earlier provision was pivotal for ensuring data privacy from a company's inception, but opinions vary.
“Even though data privacy by design and default has not been included (in the DPDP Act), it is still important for the companies to comply with the law. The reason is that when you are starting any new processing operation, for example starting any new application, it is important that privacy considerations are dealt with at that particular point of time because once the app is up and running, it is very difficult then to introduce the privacy considerations at a later date”, says Akshayy S Nanda of Saraf and Partners on India’s Digital Personal Data Protection law that got enacted in August this year.
Since the bill's approval in parliament, industry voices have called for extended deadlines to meet the law's mandates. Experts opine that the government should focus on raising awareness about the act's provisions and requirements, rather than immediate enforcement and imposing penalties.
“It is a new legislation with a new set of rules and significantly changes how personal data is processed in the country. I think it is important for the government to create more awareness regarding the act, regarding its various provisions and compliances, than for implementations to start and hefty penalties to be levied”, says Nanda.