Navigating Consent: India's Managers vs. EU's CMPs
As India’s Digital Personal Data Protection Act, 2023 (DPDPA) moves towards full operationalization, with critical rules now in effect, the concept of a “Consent Manager” stands out as a distinctive feature. This framework offers a unique Indian approach to consent management, prompting a comparative look at how it aligns with, or diverges from, established Consent Management Platform (CMP) models prevalent under the European Union’s General Data Protection Regulation (GDPR) and ePrivacy Directive.
Defining the Landscape: Consent Managers vs. CMPs
At its core, the DPDPA introduces the concept of a “Consent Manager” as a distinct, regulated entity. Section 6(7) of the DPDPA provides that a Data Principal (the individual whose data is being processed) may give, manage, review, and withdraw consent through a Consent Manager. The recently notified DPDPA Rules (e.g., Rule 5, which details registration and operational standards) further elaborate on their functions, technical requirements, and accountability. These managers are envisioned as fiduciaries, acting on behalf of the Data Principal, providing a centralized mechanism for consent lifecycle management. India’s prior experience with regulated consent architectures, such as the Account Aggregator framework under the Reserve Bank of India (RBI), provides a foundational context for this model.
In contrast, the EU’s GDPR and ePrivacy Directive do not explicitly define or mandate a “Consent Management Platform.” CMPs emerged as market-driven solutions to help data controllers comply with the requirements for obtaining valid consent (GDPR Articles 6 and 7) and for the use of cookies and similar technologies (ePrivacy Directive, Article 5(3)). While frameworks like the IAB Transparency and Consent Framework (TCF) provide industry standards for CMPs, particularly for online advertising, there is no central regulatory body that registers or directly oversees CMPs as a distinct class of entities in the EU.
Regulatory Mandate and Accountability
The DPDPA’s approach to Consent Managers is significantly more prescriptive and centralized. Section 6(7) explicitly requires the registration of Consent Managers with the Data Protection Board of India (DPBI) or an entity authorized by it. This mandatory registration, coupled with the detailed operational and technical standards outlined in the DPDPA Rules, places direct regulatory oversight and accountability on these entities. Consent Managers, therefore, bear a direct legal obligation to comply with the DPDPA and its rules, including their fiduciary duty to Data Principals. This makes the Indian regime stricter in its direct regulation of the consent management entity itself.
Under the GDPR, the primary legal burden for obtaining valid consent rests squarely with the Data Controller (GDPR Article 7). While CMPs assist controllers in meeting these obligations, they are typically third-party vendors, and their accountability is generally indirect, flowing from their contractual relationship with the controller. Enforcement actions by EU Data Protection Authorities (DPAs) target data controllers for non-compliant consent practices, rather than directly penalizing CMP providers for their platform’s design or functionality, unless they are themselves acting as controllers or processors in specific contexts. This makes the EU framework looser in its direct regulation of the consent management tool provider.
Scope and Functionality
The envisioned scope of Consent Managers under the DPDPA is broad. They are designed to facilitate consent for all personal data processing activities requiring consent under the Act, moving beyond just website cookies or online tracking. Consent Managers are expected to provide Data Principals with a comprehensive dashboard to view, manage, and withdraw consent for various services and Data Fiduciaries (DPDPA Sections 6(4) and 6(5)). The DPDPA Rules will also stipulate technical standards to ensure interoperability and secure data exchange between Consent Managers and Data Fiduciaries.
In the EU, while CMPs can technically manage consent for various GDPR purposes, their primary utility and market penetration have largely been driven by the ePrivacy Directive’s requirements for cookie consent. Their functionality is often geared towards web-based tracking and advertising, and there is no universal, interoperable standard for a centralized consent management hub across diverse services or offline data processing. The EU framework is silent on such a centralized, regulated entity, allowing for a more fragmented, albeit mature, market of solutions.
Practical Takeaway
Indian businesses, including Data Fiduciaries and those aspiring to become Consent Managers, must recognize the fundamental differences in approach. For Data Fiduciaries, the imperative is to prepare for integration with registered Consent Managers, ensuring internal systems can receive, process, and act upon consent signals in a standardized, auditable manner, as required by DPDPA Section 6. This requires moving beyond simple website banners to a more robust, manager-driven consent lifecycle. For those considering offering Consent Manager services, a thorough understanding of the DPDPA Rules, including registration requirements, technical standards, and the explicit fiduciary duties, is paramount. The Indian framework, with its emphasis on a regulated, accountable intermediary, presents both opportunities for enhanced Data Principal control and significant compliance obligations for all stakeholders.