DPDP Act 2023: MeitY Details the Ideal Consent Management System

Swagta Nath

New Delhi — The Ministry of Electronics and Information Technology (MeitY) has released a Business Requirement Document outlining the technical and functional framework of a Consent Management System (CMS) under the Digital Personal Data Protection (DPDP) Act, 2023. The CMS is designed to provide a centralized platform that empowers individuals—referred to as Data Principals—to exercise full control over their personal data processing consents.

With the concept of a “Consent Manager” now formalized, the platform will act as a legally compliant interface between users and entities processing their data—Data Fiduciaries—ensuring consent is free, informed, specific, unambiguous, and revocable. The initiative marks a significant step in India’s journey toward enforcing data sovereignty and building citizen trust in digital governance.

The CMS will serve as the single window for individuals to grant, update, withdraw, and renew their data processing consents across multiple services and platforms. This ensures granular control, real-time processing, and transparency.

Key stakeholders defined under the DPDP Act include:

  • Data Principals – Individuals whose personal data is being processed.
  • Data Fiduciaries – Entities that determine the purpose and means of data processing.
  • Consent Managers – Certified platforms that facilitate consent lifecycle management.


Entities applying to become Consent Managers must meet strict requirements: a minimum net worth of ₹2 crore, technical and operational capacity, and compliance with Board-issued standards. The document outlines a role-based access control system for CMS administration, encrypted audit logs, and policy-driven data retention modules to ensure integrity and accountability.

The CMS details a complete workflow for consent management:

  • Consent Collection: Triggered during user onboarding or service access. Users receive language-localized consent notices, allowing purpose-specific decisions via explicit UI controls (checkboxes, toggles) with no pre-checked defaults.
  • Validation: Every consent is validated before data processing. APIs allow Fiduciaries to confirm current consent status. If invalid, processing is blocked.
  • Updates & Renewals: Data Principals can modify consents or renew expired ones. Any changes in purpose or scope of processing trigger fresh consent prompts.
  • Withdrawal: Users can revoke specific consents, immediately halting related data processing. All stakeholders are notified in real time and actions are logged in an immutable audit trail.
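
The validation and withdrawal steps above, sketched as an added example (not code from MeitY's document): a consent store that a Fiduciary must query before processing, failing closed on missing, expired, or withdrawn consent, with every action written to a hash-chained log so that later edits are detectable. The class and function names, the integer timestamps, and the use of SHA-256 chaining for the audit trail are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first log entry


class ConsentLedger:
    """Hypothetical consent store with a tamper-evident (hash-chained) audit log."""

    def __init__(self):
        self.active = {}  # (principal, fiduciary, purpose) -> expiry time
        self.log = []     # append-only list of chained entries

    @staticmethod
    def _digest(prev, event):
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def _record(self, action, key, now, **extra):
        event = {"action": action, "key": list(key), "at": now, **extra}
        prev = self.log[-1]["hash"] if self.log else GENESIS
        self.log.append({"event": event, "prev": prev, "hash": self._digest(prev, event)})

    def grant(self, principal, fiduciary, purpose, now, ttl):
        key = (principal, fiduciary, purpose)  # consent is purpose-specific
        self.active[key] = now + ttl
        self._record("grant", key, now, expires=now + ttl)

    def withdraw(self, principal, fiduciary, purpose, now):
        key = (principal, fiduciary, purpose)
        self.active.pop(key, None)
        self._record("withdraw", key, now)

    def is_valid(self, principal, fiduciary, purpose, now):
        key = (principal, fiduciary, purpose)
        ok = key in self.active and now < self.active[key]
        self._record("validate", key, now, result=ok)  # checks are logged too
        return ok

    def verify_chain(self):
        prev = GENESIS
        for entry in self.log:
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, entry["event"]):
                return False
            prev = entry["hash"]
        return True


def process(ledger, principal, fiduciary, purpose, now):
    """Fiduciary-side gate: fail closed unless consent is currently valid."""
    if not ledger.is_valid(principal, fiduciary, purpose, now):
        raise PermissionError(f"no valid consent for purpose {purpose!r}")
    return f"processed {purpose} data for {principal}"
```

A hash chain makes tampering detectable rather than impossible; an auditor still needs the latest hash anchored somewhere the log's operator cannot rewrite.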

The CMS also supports cookie consent management, aligning with privacy standards. Users can choose preferences by cookie type (essential, analytics, marketing) and access a live preferences dashboard to make changes at any time.

Dashboard, Notifications, Grievances & Audit Trails: Empowering Users and Ensuring Compliance

The user-facing dashboard serves as the command center for Data Principals:

  • View Consent History: A searchable, downloadable log of all consent actions—active, expired, withdrawn—offering full transparency.
  • Modify or Revoke Consent: Real-time changes with instant propagation to Data Fiduciaries.
  • Raise Grievances or Data Requests: Includes simplified forms for access, correction, and erasure. If unresolved, the system auto-escalates complaints to officers.


The Consent Notifications Module ensures timely alerts to both users and processors. Whether it’s a consent update, expiry reminder, or data processing denial, all events are logged and delivered via email, SMS, or in-app messages using constitutional languages.

Meanwhile, the Grievance Redressal System automates complaint categorization and tracking. It ensures multi-language support and integrates with CMS records for fast resolution.

Finally, the System Administration Module enables secure role-based access, data retention configuration, and cryptographic audit trails—essential for regulatory audits and dispute resolution.

A Step Toward Digital Sovereignty

India’s new CMS framework reflects a visionary move toward data empowerment, national security, and trust-centric governance. As the DPDP Act prepares to be fully enforced, this document provides a clear roadmap for private sector adaptation, user education, and technological compliance.

The government’s next steps are expected to include certification mechanisms, sandbox pilots, and onboarding of Consent Managers—forming the backbone of India’s privacy-first digital economy.
