JSA Prism | Infotech | June 2025


 

Ministry of Electronics and Information Technology releases blueprint for consent management

As India moves toward implementing the Digital Personal Data Protection Act, 2023 (“DPDP Act”), a key focus area has been developing robust frameworks for user consent management. In this context, the National e-Governance Division under the Ministry of Electronics and Information Technology (“MeitY”) has published a Business Requirement Document (“BRD”) for consent management.

The BRD is a non-binding technical reference issued by MeitY’s Startup Hub and is not part of the DPDP Act. The BRD was published as part of an Innovation Challenge, inviting participants to build a prototype Consent Management System (“CMS”). It is accessible on the MeitY Startup Hub website. While the document is not intended to serve as official guidance under the DPDP Act, it serves as an early indication of how the government may be thinking about consent architecture.

 

Regulatory context

The DPDP Act is not currently enforceable. The Government released the Draft Digital Personal Data Protection Rules, 2025, in January 2025, to operationalise the law. These draft rules address procedures and technical standards for compliance, including obligations around security, notices, and breach notifications. The public consultation period closed in March 2025, and final rules are awaited.

 

Key features of the BRD

The BRD lays out a modular, privacy-by-design CMS architecture, supporting the full consent lifecycle – collection, validation, renewal, withdrawal, and auditing. Some of the notable features include:

Consent collection

Consent is triggered when an individual initiates a service requiring personal data processing, such as account registration or onboarding. The CMS identifies the relevant processing purposes and generates consent requests accordingly. In this context:

  • consent must be unbundled, granular, and purpose-specific, collected via explicit UI controls (e.g., toggles, checkboxes), with no pre-checked options;
  • consent must be validated as free, specific, informed, unambiguous, explicit, and affirmatively given;
  • upon validation, the CMS generates a consent artefact containing key metadata (user ID, purpose ID, session ID, timestamp, consent method), which is securely stored in the consent database;
  • the system synchronises consent status across internal and external processors in real time via application programming interfaces; and
  • users receive an acknowledgement notification confirming submission, and all events are logged for auditability.

 

Consent validation

Before any data processing activity occurs, the CMS must validate whether the required consent exists and remains active. Consent may be validated in the following manner:

  • when a data controller initiates a processing action or system query, the CMS checks its database for an active consent artefact matching the specified purpose and user ID;
  • consent must be current and not withdrawn or expired;
  • importantly, processing must remain within the scope of the consent provided. For instance, personal data collected for authentication cannot be reused for marketing without separate consent;
  • based on the outcome, the CMS either approves or denies processing. The user is notified of any denial; and
  • all validation actions are immutably logged to maintain a verifiable audit trail.
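The validation flow above can be sketched as follows. This is an added example, not code from the BRD or from JSA: the artefact fields follow the metadata listed under consent collection, while the `expires_at` and `withdrawn` fields, the class and function names, and the SHA-256 hash chain used to make the audit log tamper-evident are assumptions made for illustration.

```python
import hashlib, json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass(frozen=True)
class ConsentArtefact:            # metadata fields named in the BRD summary above
    user_id: str
    purpose_id: str
    session_id: str
    timestamp: datetime
    consent_method: str
    expires_at: datetime          # assumption: explicit expiry field
    withdrawn: bool = False       # assumption: withdrawal flag

class ConsentStore:
    def __init__(self):
        self.artefacts = {}       # (user_id, purpose_id) -> ConsentArtefact
        self.audit_log = []       # append-only, hash-chained entries

    def _log(self, event):
        prev = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        digest = hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()
        self.audit_log.append({"event": event, "prev": prev, "hash": digest})

    def validate(self, user_id, purpose_id, now):
        a = self.artefacts.get((user_id, purpose_id))  # keyed on purpose: no cross-purpose reuse
        reason = ("no_consent_for_purpose" if a is None else "withdrawn" if a.withdrawn
                  else "expired" if now >= a.expires_at else None)
        decision = "deny" if reason else "approve"
        self._log({"user_id": user_id, "purpose_id": purpose_id,
                   "decision": decision, "reason": reason, "at": now.isoformat()})
        return decision, reason

    def verify_log(self):         # recompute the chain; any edited entry breaks it
        prev = "0" * 64
        for e in self.audit_log:
            body = json.dumps(e["event"], sort_keys=True)
            if e["prev"] != prev or hashlib.sha256((prev + body).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

def demo():                       # constructed sample data
    t0 = datetime(2025, 6, 1, tzinfo=timezone.utc)
    store = ConsentStore()
    store.artefacts[("u1", "authentication")] = ConsentArtefact(
        "u1", "authentication", "s1", t0, "checkbox", t0 + timedelta(days=365))
    return store, [store.validate("u1", "authentication", t0 + timedelta(days=1)),
                   store.validate("u1", "marketing", t0 + timedelta(days=1)),
                   store.validate("u1", "authentication", t0 + timedelta(days=400))]
```

In `demo()`, the authentication request is approved, the marketing request is denied because no artefact exists for that purpose, and the later authentication request is denied as expired. A hash chain only makes edits detectable; retention and write protection of the log are separate controls.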

 

Cookie consent

  • The cookie consent component ensures transparency and control over tracking technologies used on websites and apps, empowering users to make informed choices about their data.
  • On the first visit, a cookie banner must inform users of the use of cookies and similar technologies.
  • Users must be provided granular consent options across cookie categories such as essential, performance, analytics, and marketing.
  • Only essential cookies may be enabled by default; all others require explicit, opt-in consent.
  • The CMS must offer a dedicated cookie preference interface where users can modify or withdraw consent at any time, with preferences updated in real time.

 

Grievance redressal

The BRD outlines a comprehensive redressal system that allows individuals to raise complaints related to data processing, privacy violations, or consent issues, as described below:

  • complaints will be automatically categorised (e.g., consent violation, data breach, processing error) and assigned unique reference IDs;
  • acknowledgement notifications will be sent upon submission, and all complaint data (user ID, timestamp, complaint type, and description) will be securely transmitted using TLS 1.3 encryption;
  • a real-time resolution tracking dashboard will display complaint status (e.g., submitted, in progress, resolved), with updates and outcome notifications issued to the user; and
  • an escalation workflow will auto-forward unresolved complaints to the data protection officer if not closed within specified timeframes.

 

Conclusion

The BRD offers a preview of the operational contours of consent management under India’s evolving data protection regime. While non-binding, it can help organisations future-proof their systems and prepare for robust, compliant consent workflows.

 

This Prism has been prepared by:

Probir Roy Choudhary
Partner

Yajas Setlur
Partner

Shivani Bhatnagar
Senior Associate

 
