Navigating DPDPA: A Practical Guide to Selecting a Consent Management Platform
The DPDPA mandates explicit consent, making a Consent Management Platform (CMP) essential. This guide provides a framework for selecting a compliant CMP, covering vendor registration with the Data Protection Board, key integration requirements, and critical red flags to avoid, so that your choice aligns with the DPDPA and the DPDP Rules, 2025.
What Changed
The Digital Personal Data Protection Act, 2023, shifts the foundation of data processing from implied or bundled consent to explicit, affirmative, and purpose-specific consent (Section 6, DPDPA 2023). This necessitates a move beyond simple cookie banners to robust Consent Management Platforms (CMPs). Furthermore, the Digital Personal Data Protection Rules, 2025, notified on 6 January 2025 and now in effect, introduce a new regulated entity: the 'Consent Manager' (Rule 4, DPDP Rules 2025). This means that third-party CMP providers will need to register with the Data Protection Board, adding a new layer of diligence for Data Fiduciaries when selecting a vendor.
What the Law Actually Says
The DPDPA establishes clear obligations for consent. Section 6 requires Data Fiduciaries to obtain consent that is free, specific, informed, unconditional, and unambiguous before processing personal data, except for certain legitimate uses under Section 7. Section 6(4) grants Data Principals the right to withdraw their consent at any time, with the same ease as giving it. The DPDP Rules 2025 further stipulate that entities providing consent management services, referred to as 'Consent Managers,' must register with the Data Protection Board of India. These managers are required to adhere to specific operational and security standards, including maintaining audit logs for a minimum period.
What Businesses Should Do Now
Businesses must transition from passive policy acceptance to active consent lifecycle management. Key operational steps include:
1. Vendor Due Diligence: Evaluate and select a CMP vendor. A critical step is to verify that the vendor is registered (or has a clear roadmap for registration) as a 'Consent Manager' with the Data Protection Board, as required under Rule 4 of the DPDP Rules 2025. Note that the Data Protection Board's registration process for Consent Managers is not yet operationalised; businesses should monitor official notifications from the Ministry of Electronics and Information Technology (MeitY) and factor registration readiness into vendor selection criteria accordingly.
2. Contractual Safeguards: Execute a DPDPA-specific Data Processing Agreement (DPA) with the chosen CMP vendor. This DPA must explicitly cover data residency in India for consent records, security standards (e.g., ISO 27001), breach notification support in the manner prescribed under the DPDPA 2023 and DPDP Rules 2025, and sub-processor approvals.
3. System Configuration: Configure the CMP to capture granular consent for distinct purposes (e.g., marketing, analytics, personalization). The platform must maintain a detailed, immutable audit trail of all consent actions.
4. Implement Withdrawal Mechanism: Ensure the CMP provides a simple, easily accessible mechanism for users to withdraw consent, as required under the DPDPA 2023. This withdrawal must trigger automated revocation of processing permissions in downstream systems.
5. Core System Integration: A CMP cannot be a silo. It must be deeply integrated with core business systems, including Data Management Systems (DMS), Customer Data Platforms (CDPs), and marketing automation tools, to ensure consent preferences are respected in real-time across all operations.
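Steps 3 to 5 above, sketched as an added example (not code from the original guide or from any CMP vendor): a per-purpose consent ledger whose audit trail is a tamper-evident hash chain, with withdrawal pushing revocation to downstream systems. The class, its method names and the subscriber hook are hypothetical, and a hash chain is used here as one way to approximate an immutable audit trail.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry

class ConsentLedger:
    """Append-only, hash-chained record of per-purpose consent events."""

    def __init__(self):
        self.entries = []      # audit trail; only ever appended to
        self.subscribers = []  # hypothetical downstream hooks (CDP, marketing tool)

    @staticmethod
    def _digest(prev_hash, event):
        payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

    def _append(self, principal, purpose, action, ts):
        event = {"principal": principal, "purpose": purpose, "action": action, "ts": ts}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"event": event, "prev": prev, "hash": self._digest(prev, event)})

    def grant(self, principal, purpose, ts):
        self._append(principal, purpose, "grant", ts)

    def withdraw(self, principal, purpose, ts):
        # A single call, mirroring grant(), then revocation is pushed downstream.
        self._append(principal, purpose, "withdraw", ts)
        for revoke in self.subscribers:
            revoke(principal, purpose)

    def is_permitted(self, principal, purpose):
        # The latest event for this exact (principal, purpose) pair decides; default deny.
        for entry in reversed(self.entries):
            e = entry["event"]
            if e["principal"] == principal and e["purpose"] == purpose:
                return e["action"] == "grant"
        return False

    def verify(self):
        # Recompute the chain; editing, reordering or deleting an earlier entry breaks it.
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, entry["event"]):
                return False
            prev = entry["hash"]
        return True
```

Truncating the tail of the chain is only detectable if the latest hash is also stored outside the ledger, for example in a separate write-once log.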
What Is Still Uncertain
While the DPDPA provides the framework, several operational details remain pending clarification:
- Rules Notified, Implementation Details Pending: The Data Protection Rules, 2025 were notified on 6 January 2025 (Gazette of India). However, certain procedural and operational details for Consent Managers, including specific compliance timelines and implementation guidance, are yet to be fully established through further official communication.
- DPB Registration Process: The specific technical criteria, timelines, and formal procedures for the Data Protection Board's registration and oversight of Consent Managers are not yet public.
- Technical Standards: The government or the DPB has not yet issued specific technical or interoperability standards for Consent Managers, which could impact how different platforms communicate consent signals.
- Enforcement Posture: The DPB's approach to enforcing non-compliance related to consent management, including the application of penalties for inadequate CMP implementation (which can be up to ₹250 crore), is yet to be established through precedent.
Top Mistakes to Avoid
Organizations risk significant penalties by making these common mistakes:
1. Choosing a Non-Registered Vendor: Partnering with a CMP provider that is not registered with the Data Protection Board of India. This is a fundamental compliance failure.
2. Ignoring Data Residency as a Risk Factor: Using a global CMP without a contractual guarantee that consent records and audit logs are stored on servers within India. Note that no explicit data localisation obligation for consent records is currently prescribed under the DPDPA 2023 or the notified DPDP Rules 2025; however, ensuring geographic clarity over where consent data is stored is a strongly recommended risk-mitigation best practice, particularly where future rules may impose residency obligations.
3. Accepting a Generic DPA: Relying on a standard GDPR-focused Data Processing Agreement that fails to address specific DPDPA requirements. Under Section 8(2) of the DPDPA 2023, a Data Fiduciary remains accountable for ensuring that any Data Processor it engages handles personal data only in accordance with a valid contract and the obligations under the Act. A GDPR-centric agreement will not reflect these obligations, the Data Protection Board of India's adjudicatory powers under Chapter VII of the Act, or the breach notification timelines applicable under Section 8(6).
4. Implementing a Complicated Withdrawal Process: Making it difficult for users to withdraw consent through multiple steps or hard-to-find links. The DPDPA 2023 (Section 5) mandates that the process for withdrawing consent must be as easy as the process for giving consent.
5. Failing to Integrate: Deploying a CMP as a standalone 'front-end' tool without integrating it into backend systems. This creates a 'consent theatre' where user preferences are recorded but not acted upon, leading to non-compliant data processing.