Consent Managers vs. CMPs: Navigating India's DPDPA in a Global Privacy Landscape
The global privacy landscape continues its evolution, with user control over personal data emerging as a central tenet. In this context, India’s Digital Personal Data Protection Act, 2023 (DPDPA), along with its recently notified Rules, introduces a distinct framework for consent management through ‘Consent Managers’ (CMs). This approach presents a notable contrast to the ‘Consent Management Platform’ (CMP) frameworks prevalent under the European Union’s General Data Protection Regulation (GDPR) and ePrivacy Directive. For an India-first audience tracking global developments, understanding these differences is crucial.
Foundational Mandates and Regulatory Scope
India’s DPDPA takes a prescriptive stance on consent management. Section 6(8) of the DPDPA explicitly mandates the existence of Consent Managers, empowering Data Principals to manage, review, and withdraw their consent. The DPDPA Rules further elaborate on this, with Rule 11 outlining the registration process for CMs with the Data Protection Board of India (DPBI) and Schedule III detailing the technical, operational, and security standards they must adhere to. CMs are envisioned as regulated entities, acting as a single, independent point of contact for Data Principals across various Data Fiduciaries. This legal mandate and direct regulatory oversight of CMs by the DPBI represent a stricter, more centralised approach.
In contrast, the EU’s GDPR (Regulation (EU) 2016/679) and the ePrivacy Directive (Directive 2002/58/EC) do not explicitly mandate or regulate CMPs. CMPs emerged as market-driven solutions to help Data Controllers (as defined in Article 4(7) GDPR) demonstrate compliance with the stringent consent requirements of Article 7 GDPR and the cookie rules of Article 5(3) of the ePrivacy Directive. While industry standards like the IAB Transparency and Consent Framework (TCF) exist, they are not legal mandates. The EU framework places the onus of ensuring valid consent entirely on the Data Controller, without directly regulating the tools they use. Therefore, India’s DPDPA is significantly stricter in legally institutionalising and regulating the consent management mechanism itself.
Operational Framework and Data Principal Empowerment
Under the DPDPA Rules, CMs are designed to be independent fiduciaries for the Data Principal, facilitating the exercise of their rights, particularly the critical right to withdraw consent (Section 7(1)(a) DPDPA). The intent is for CMs to manage the entire lifecycle of consent, from initial grant to granular modifications and eventual withdrawal, across all Data Fiduciaries the Data Principal interacts with. This model aligns with India’s broader digital public infrastructure initiatives, drawing parallels with the Account Aggregator framework in the financial sector, which provides a functional precedent for consent-driven data sharing. The DPDPA framework aims to provide a comprehensive, user-centric control panel for personal data.
EU CMPs, on the other hand, primarily focus on the initial capture and recording of consent, particularly for online tracking technologies like cookies. They offer users granular choices over different categories of data processing or cookies. While CMPs typically provide a mechanism for users to revisit and change their preferences, the scope of their management is generally limited to the specific website or application of the Data Controller deploying them. There is no overarching system designed to manage a user’s consent across multiple, disparate Data Controllers. The EU approach, while empowering users with choice at the point of interaction, is looser in providing a consolidated, cross-fiduciary consent management system.
Regulatory Oversight and Accountability
The DPDPA establishes a clear line of accountability for CMs. As regulated entities under the DPBI, CMs are directly subject to compliance requirements outlined in the DPDPA Rules, particularly Schedule III. Any failure to adhere to these standards could lead to penalties for the CM itself, as well as for Data Fiduciaries who rely on non-compliant CMs. The DPDPA (Section 33) outlines penalties for various non-compliances, which are applicable to CMs. Furthermore, the IT Rules, 2021 (Rule 3(1)(b)) also provide a foundational context for user consent in India, emphasising the responsibility of intermediaries.
In the EU, accountability for consent lies squarely with the Data Controller (Article 5(2) GDPR). Supervisory Authorities (Article 51 GDPR) investigate controllers for non-compliance with consent requirements, and penalties (Article 83 GDPR) are levied against them. There is no direct regulatory oversight or penalty regime for CMP providers themselves. While a CMP might be found inadequate in assisting a controller to achieve compliance, the ultimate legal responsibility rests with the controller. This makes the DPDPA framework stricter by introducing a new, directly regulated entity into the privacy ecosystem, thereby broadening the scope of regulatory oversight.
Interoperability and Ecosystem Integration
A key feature of the DPDPA’s CM framework, as outlined in Schedule III of the DPDPA Rules, is the emphasis on interoperability standards. This is critical to enable Data Principals to manage consents across various Data Fiduciaries through their chosen CM, fostering a competitive market for CM services. The vision is an integrated ecosystem where data principals have a unified, portable mechanism for consent management, reflecting India’s broader ambition for digital public goods and a federated data economy.
The EU framework, while promoting data portability (Article 20 GDPR) and the right to withdraw consent, does not mandate a similar level of interoperability for consent management across different controllers. CMPs are typically siloed, operating independently for each website or service. While users can manage preferences on each site, there is no mechanism for a single platform to aggregate and manage all consents given to various controllers. The EU’s approach is silent on mandating an interoperable, cross-fiduciary consent management system, leaving it to individual controllers to ensure compliance.
Practical takeaway
Indian businesses, General Counsels, and Data Protection Officers must recognise that the DPDPA’s Consent Manager framework is a paradigm shift, not merely an evolution of cookie banners. Unlike the EU’s market-driven CMPs, DPDPA CMs are regulated entities with specific legal obligations. Businesses need to proactively identify and integrate with DPBI-registered CMs, ensuring their internal data processing systems can seamlessly interact with the CMs for consent acquisition, modification, and withdrawal. This requires a thorough review of existing consent mechanisms, potential re-architecting of data flows, and significant investment in technical integration. For global entities operating in India, this means adding a distinct, legally mandated layer of consent management that goes beyond their existing GDPR-compliant CMP deployments, demanding dedicated strategic planning and resource allocation.