The Digital Personal Data Protection (DPDP) Act, 2023 envisages a new type of market entity called Consent Managers (CMs). These entities would provide a platform through which users, or Data Principals, can give, manage, review, and withdraw consent for the processing of their personal data by any data fiduciary, i.e. a firm operating a digital platform. They would function as secure, data-blind intermediaries, registered with and regulated by the Data Protection Board (DPB) of India.

The DPDP is well-intentioned and rightly recognises that users interacting with multiple digital platforms and services would greatly benefit from a unified view, through a single portal, of notices for consent, the consents granted for data sharing and processing, and their corresponding purposes. This is very similar to how one can view and manage the permissions granted to applications on a smartphone.

However, this places some additional obligations on data fiduciaries. Firstly, it would require them to develop system integrations with the CM's platform to support user identification and consent management. Secondly, the rules also require CMs to provide users with the facility to share data currently held by one data fiduciary with another data fiduciary. This will require the development of standard formats and secure data exchange pipelines for inter-fiduciary data sharing. Lastly, users are not required to use the services of consent managers and may instead engage directly with data fiduciaries for consent management; platforms must therefore integrate a similar consent mechanism of their own, resulting in duplication of effort.

The Account Aggregator (AA) framework is a successful example of an existing consent-based sharing mechanism for digital financial data. AAs act as intermediaries for the consent-based sharing of customer data between the institutions that hold the data and those that use it to provide financial services. Since its introduction in 2021, 16 firms now provide AA services, which have been utilised by 112.34 million users. However, a key distinction between AAs and CMs, as pointed out by some industry experts, is the latter's limited commercial viability.

AAs not only manage consent for sharing data but also share the user's financial statements, in a standard, digitally signed format and in real time, with firms providing financial services such as loans and insurance. There is a clear business case, as these firms benefit from reduced costs of document processing and verification, faster underwriting and risk evaluation, lower customer acquisition costs, and the ability to offer personalised financial services based on analysis of aggregate data.

CMs managing consent for personal data processing, on the other hand, largely enable digital platforms to comply with new regulatory requirements rather than improving an existing business function. While data fiduciaries derive value from processing personal data, for example through targeted advertising, consent notice and collection is a function they can provide on their own at minimal expense. Consent managers would thus be limited to subscription fees from a subset of digitally literate and privacy-conscious data principals as their sole revenue stream. This also deprives them of the benefit of economies of scale.

CMs also face stringent regulatory requirements, given the sensitivity of the data they handle. These include registration with the DPB and providing evidence of their technical and financial capacity, the reputation of their management, and the absence of conflicts of interest with data fiduciaries. They must ensure robust technical and operational measures for data security, verified by means of an independent audit, and maintain records of transactions for a period of 7 years. Additional restrictions include a prohibition on subcontracting their operations and a requirement for DPB approval prior to any sale or merger of the firm. These factors further exacerbate their operational costs.

Consent management models in other jurisdictions

Consent Management Platforms (CMPs) are a solution suite that enables digital platforms to comply with data protection regulations such as the GDPR in the EU or the LGPD in Brazil. They offer services such as displaying notices for consent collection, keeping records to prove compliance, enabling users to manage their consent, and adapting dynamic elements of webpages to the user's choices.

Given the overlap of regulatory requirements for lawful data collection and processing across multiple jurisdictions, CMPs can be adapted and employed by data fiduciaries for DPDP compliance. The only differentiator is that the DPDP additionally establishes CMs as a separate, user-facing regulated entity or market participant, whereas CMPs have emerged solely as a market solution, with digital platforms themselves remaining responsible for satisfying the conditions for securing user consent.

Following are some ways in which this impacts consent management:

  • CMs, as opposed to CMPs, provide users with a unified view of the data shared with the platforms of multiple data fiduciaries for the processing of personal data, and allow them to manage that data centrally. This reduces information asymmetry and contributes to increased consumer awareness. With CMPs, however, users have to manage consent individually with each platform they interact with.
  • Digital personal data comprises any data about a person that enables identification of the individual. This includes not just personally identifiable information such as email, phone number and biometrics, but also information generated in the course of interacting with a platform, such as clicks, page views, and the duration and frequency of visits, etc., which is used for targeted behavioural advertising.
    For unregistered users, this data is typically stored in the form of third-party cookies rather than in a centralised repository. Notices for this form of data collection would form the bulk of consent requests by volume, yet they cannot be managed through CMs, as user identification is absent; they are instead handled by the data fiduciary's own integrated mechanism.
  • CMs provide services to, and function as agents of, users, while CMPs provide services to platforms, enabling them to comply with data protection regulations.
    This distinction in operating model restricts CMs to a small customer base while they face a higher regulatory overhead. This translates to a higher financial burden on a select set of consumers, whereas in jurisdictions where CMPs operate, these costs are borne by the platforms and, in turn, passed on and evenly distributed among all their users.

Conclusion

Consent managers, their functioning and the accompanying regulations, though well-intentioned, fall short on some practical and operational fronts as market participants owing to high compliance costs and the questionable viability of their business model. It appears unlikely that the market for CMs will be characterised by competition; it might instead see a natural monopoly or oligopoly with one or a few players, due to high fixed costs and a small market size.

A consent manager platform developed by a public authority, in consultation with data fiduciaries, as digital public infrastructure (DPI) similar to DigiLocker, a digital wallet for verified credentials, could be a way forward. This offers the added benefit of enhanced user trust, promoting adoption and alleviating concerns regarding the financial sustainability of consent managers.