We are beginning to see the DPDP Era take root at an incredible pace. With the DPDP Act’s stringent mandates, understanding how to manage user consent is now a critical priority for every organization. This FAQ guide answers the most pressing questions about Consent Managers: what they are, how they work, and why they are essential for compliance. Whether you're a tech leader or a compliance officer, this guide will equip you with the knowledge to harness the full power of Consent Managers and protect both your users and your business from costly mistakes.
Consent FAQs
Q1. What is a Consent Manager?
Under the DPDP Act, a Consent Manager is a person registered with the Data Protection Board who acts as a single point of contact to enable a user to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform.
In simpler terms, a Consent Manager ensures that individuals have full control over their personal data and how it is processed.
For businesses, a Consent Manager is best understood as specialized software that helps them comply with data protection laws such as the DPDP Act by managing user consent efficiently and transparently. A Consent Manager integrates with a business's systems to:
- Collect and manage consent across multiple channels.
- Store consent records in a unified and interoperable system.
- Provide users with infrastructure to exercise their data rights, including access, correction, and deletion.
- Ensure internal and third-party systems process data based on valid consent and delete it where necessary.
Q2. How does a Consent Manager work?
A Consent Manager works by automating and centralizing consent management across an organization’s systems. The process typically involves:
- Consent Collection: Gathering user consent via websites, apps, email, or other touchpoints, with clear and specific notices.
- Secure Storage: Storing consent records with timestamps and purpose information for easy audits.
- Consent Check Integrations: Connecting with CRM, marketing tools, and other systems to ensure no data is processed without valid consent.
- User Rights Management: Allowing users to review, withdraw, or modify their consent through an accessible platform.
- Compliance Support: Generating detailed audit trails and ensuring data retention and deletion practices align with legal requirements.
By simplifying these tasks, a Consent Manager ensures compliance while building trust with users.
Q3. What does an Ideal Consent Notice look like?
An ideal consent notice is clear, concise, and compliant with legal requirements. Under the DPDP Act, it should:
- Be Specific and Informative: Clearly state what personal data is being collected, why it is needed, and how it will be used.
- Use Simple Language: Avoid jargon and present information in a way that is easy to understand, with local language options if required.
- Highlight Rights: Inform users about their rights to withdraw consent, access their data, and file grievances.
- Seek Explicit Action: Require users to give affirmative consent, such as ticking a box or clicking a button.
- Include a Contact Point: Provide information on how users can contact the organization for further assistance.
- Provide Local Language Options: Ensure that users can access the notice in English or in any of the 22 languages listed in the Eighth Schedule of the Indian Constitution.
Q4. How can I prove user consent was taken legally?
To prove that user consent was taken legally under the DPDP Act, you must maintain verifiable records that demonstrate compliance with legal requirements. This includes:
- Timestamped Records: Keep logs of when, where, and how the user consented, including the exact time and date.
- Consent Artefacts: Store digitally signed consent artefacts that detail the data collected, its purpose, and the user’s explicit agreement.
- Clear Audit Trails: Maintain an audit trail showing the consent flow, including the consent notice presented and the user’s affirmative action (e.g., ticking a box, clicking "Accept").
- Consent Notice Details: Ensure the notice provided was compliant, including specifics on data usage, rights, and local language options.
- Withdrawal Logs: Track and document any instances of consent withdrawal, including how the request was processed and acknowledged.
Using a Consent Manager simplifies this process by automatically storing and organizing these records in a secure and accessible format, ensuring readiness for audits or regulatory reviews.
Q5. Why should I onboard a Consent Manager?
Onboarding a Consent Manager Solution offers several advantages, including:
- Ensured Compliance: Automates consent collection, management, and audit trails to meet DPDP Act requirements.
- Enhanced Customer Trust: Provides transparency by allowing users to manage their consent preferences.
- Operational Efficiency: Streamlines consent-related workflows, ensuring consistency across platforms.
- Audit Preparedness: Maintains detailed records of all consent interactions for seamless audits and regulatory reviews.
- Interoperability: Store all consents in one place using our trusted and interoperable consent records.
By ensuring accurate consent tracking and secure management, a Consent Manager helps mitigate compliance risks and potential regulatory penalties of up to ₹250 crore.
Q6. Can I process personal data without user consent?
Yes. The DPDP Act permits processing personal data without user consent in specific scenarios, chiefly the "legitimate uses" listed in the Act together with some closely related exemptions. These include:
- Voluntary Sharing of Data: When users voluntarily provide their data for a specific purpose, businesses can process it until consent is withdrawn.
- Employment-Related Processing: Employers may process employee data for activities like background checks, health insurance, or safeguarding confidential information.
- Compliance with Judicial Orders and Laws: Data can be processed to comply with legal obligations or court orders.
- Health Emergencies: Personal data can be processed during health crises or emergencies to protect life and public health.
- Disasters and Public Order Breakdown: Processing is allowed for safety, rescue, and disaster management during emergencies.
- Research and Statistics: Data can be used for research or statistical purposes, provided it doesn’t impact individual rights or make decisions about specific individuals.
- Enforcing Legal Rights and Investigations: Data can be processed for preventing, detecting, or prosecuting violations of the law.
While consent is the cornerstone of the DPDP Act, these exceptions aim to balance compliance with practical necessities. However, businesses must still adhere to obligations like data security, breach notification, and grievance redressal. There are broader exemptions to DPDP obligations as well.
Q7. Are there any situations where the DPDP Act will not apply? (What are the exemptions to the DPDP Act?)
Yes, the DPDP Act provides exemptions in certain cases where compliance obligations may be waived. These include:
- Business Process Outsourcing (BPO): Indian companies processing foreign customer data under contract with an overseas business.
- Corporate Mergers & Restructuring: Data processing during mergers, acquisitions, or approved corporate restructuring.
- Financial Assessments: Banks and financial institutions can process personal data to assess loan defaulters.
- Legal & Judicial Proceedings: Processing personal data for disputes, legal claims, or regulatory investigations.
- Law Enforcement & Investigations: Data can be processed for preventing, detecting, or prosecuting legal violations.
- Research & Statistics: Personal data may be used for research or analysis if it does not impact individuals.
Additionally, government bodies are exempt when processing data for public services, national security, or law enforcement. Children’s data can also be processed by schools, hospitals, and public welfare programs under certain conditions.
While these exemptions remove consent obligations, businesses must still follow data security and breach notification requirements.
Q8. How can I take consent of children and people with disabilities?
To take consent for processing the personal data of children and persons with disabilities under the DPDP Act, follow these steps:
- Verify User Age: Confirm whether the user is a child (under 18 years) or a person with a disability who has a lawful guardian. Use reliable age verification mechanisms such as DigiLocker or AI-based age estimation.
- Verify Guardian Identity: Validate the identity and age of the parent or lawful guardian to ensure they are adults and authorized to provide consent.
- Collect Verifiable Consent: Obtain explicit, verifiable consent from the parent or lawful guardian using secure methods like DigiLockerās Age Token or Aadhaar-based verification.
- Prohibit Harmful Activities: Avoid processing that could harm the childās or the individualās well-being, including targeted advertising or behavioral monitoring.
By adhering to these steps, you ensure compliance with the DPDP Act while protecting the rights of children and persons with disabilities.
Q9. What is the penalty for processing personal data without Consent?
Under the DPDP Act, processing personal data without obtaining valid consent can result in a penalty of up to ₹50 crore per instance. Violations that may attract this penalty include:
- Not obtaining free, specific, and explicit user consent.
- Failure to display compliant consent notices.
- Sharing user data with third parties without consent.
- Not maintaining verifiable consent records.
- Indefinite storage of data after consent withdrawal.
The penalty amount is determined by the Data Protection Board based on factors such as the nature, duration, severity, recurrence of the violation, and any mitigation efforts by the business.
Q10. How can I take consent for personal data collected prior to the DPDP Act’s enactment?
For personal data collected before the DPDP Act’s enactment, you must issue a one-time notice to the data principal. This notice should:
- Inform the individual about the data collected and its purpose.
- Provide details on how they can exercise their rights, such as withdrawing consent or requesting data erasure.
- Offer clear instructions for filing grievances with your organization or the Data Protection Board.
If the individual withdraws consent after receiving the notice, you must stop processing their data and delete it promptly. This step ensures compliance with the DPDP Act while respecting user rights.
Q12. Can the one-time notice be sent in bulk to multiple users?
Yes, the one-time notice can be sent in bulk using the Bulk Upload feature via Excel sheets. By uploading a list of users, the system can automatically trigger the one-time notice for each user, ensuring compliance and efficient delivery without requiring individual manual intervention.
Q13. How can I keep track of collected and pending consents?
You can track collected and pending consents using the Consent Register API, which logs user responses in real-time. Additionally, businesses can maintain a consent dashboard to monitor status updates and ensure compliance. Webhooks for consent status updates are also planned.
Q14. Do I need to take consent of offline users?
Yes, if personal data is being collected from offline users and later digitized for processing, their consent must still be obtained in compliance with the DPDP Act. Businesses must ensure that consent is recorded in a manner that meets regulatory requirements.
Q15. How can I collect valid consent for personal data collected physically or in offline mode?
For offline data collection, consent can be captured through paper-based consent forms with a digital acknowledgment, OTP-based authentication, or biometric verification at the time of onboarding. Businesses can also send a digital consent request link via SMS or WhatsApp once the data is entered into the system.
Q16. Do I need to take consents for cookies on my website?
The requirement to take consent for cookies under the DPDP Act is currently uncertain. However, if cookies are interpreted as āpersonal dataā under the Act (as they can identify and profile users), the following steps may be necessary for compliance:
- Display a Cookie Notice: Clearly explain the use, types, and purposes of cookies, ensuring the notice is available in local languages.
- Obtain Explicit Consent: Use unambiguous actions, such as an āAccept Cookiesā button, to collect clear, explicit, and informed consent.
- Provide an Opt-Out Option: Allow users to easily reject or withdraw their consent for cookies at any time.
- Use a Consent Manager: Integrate a Consent Manager to streamline cookie consent collection and ensure compliance with DPDP Act standards.
Until further clarification or enforcement under the DPDP Act, aligning cookie practices with global standards like GDPR can help mitigate compliance risks.
Q17. What is a consent artefact?
A consent artefact is a digital record that serves as proof of user consent under the DPDP Act. It typically contains details such as the data principal’s identity, the purpose of data processing, the scope of consent given, timestamps, and any conditions for revocation. This artefact ensures transparency and accountability in consent-based data processing and can be used for audits or regulatory compliance.
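The following is an added worked example (not Leegality's code, nor a format prescribed by the Act or Rules) of the artefact described above, of the "consent check" a CRM or marketing tool should run before processing (Q2), of the evidence trail Q4 asks for, and of the collected-versus-pending view from Q13. All field names are hypothetical. It authenticates each artefact with an HMAC under a server-held key; a production Consent Manager would instead use an asymmetric signature (for example Ed25519 with the key in an HSM) so that auditors and third-party processors can verify artefacts without holding the signing secret.

```python
"""Tamper-evident consent artefact store (added example, not Leegality's code).

Assumptions: field names are hypothetical; artefacts are authenticated with an
HMAC under a server-held key. A production Consent Manager would use an
asymmetric signature so that auditors and third-party processors can verify
artefacts without holding the signing secret.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

SIGNING_KEY = b"example-only-key-do-not-use-in-production"  # assumption
EXAMPLE_T0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample time
ONE_DAY = timedelta(days=1)


def _canonical(payload: dict) -> bytes:
    # Sorted keys and no whitespace, so the same record always serialises identically.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(payload: dict) -> str:
    return hmac.new(SIGNING_KEY, _canonical(payload), hashlib.sha256).hexdigest()


def create_artefact(principal_id, purposes, data_categories, notice_id,
                    notice_language, affirmative_action, now):
    """Record what was shown, what was agreed to, and the user's affirmative act."""
    payload = {
        "principal_id": principal_id,
        "purposes": sorted(purposes),               # each purpose consented to separately
        "data_categories": sorted(data_categories),
        "notice_id": notice_id,                     # identifies the exact notice text shown
        "notice_language": notice_language,
        "affirmative_action": affirmative_action,   # e.g. "checkbox_ticked"
        "given_at": now.isoformat(),
        "withdrawn_at": None,
    }
    return {"payload": payload, "signature": _sign(payload)}


def verify_artefact(artefact) -> bool:
    """Constant-time check that the stored payload still matches its signature."""
    return hmac.compare_digest(artefact["signature"], _sign(artefact["payload"]))


def withdraw(artefact, now):
    """Withdrawal is a new signed version; the original stays in the audit trail."""
    payload = dict(artefact["payload"])
    payload["withdrawn_at"] = now.isoformat()
    return {"payload": payload, "signature": _sign(payload)}


def consent_permits(artefact, purpose, now) -> bool:
    """The check a CRM or marketing tool calls before touching the data."""
    if not verify_artefact(artefact):
        return False  # tampered or corrupted record: treat as no consent
    p = artefact["payload"]
    if datetime.fromisoformat(p["given_at"]) > now:
        return False
    if p["withdrawn_at"] is not None and datetime.fromisoformat(p["withdrawn_at"]) <= now:
        return False
    return purpose in p["purposes"]


def register_status(register, expected_principals):
    """Collected vs pending view of a consent register, for a dashboard."""
    collected = {pid for pid, art in register.items()
                 if verify_artefact(art) and art["payload"]["withdrawn_at"] is None}
    pending = set(expected_principals) - collected
    return {"collected": sorted(collected), "pending": sorted(pending)}


if __name__ == "__main__":
    a = create_artefact("P-1001", ["order_fulfilment", "marketing"], ["email", "address"],
                        "notice-v3", "hi", "checkbox_ticked", EXAMPLE_T0)
    print(consent_permits(a, "marketing", EXAMPLE_T0))                  # True
    w = withdraw(a, EXAMPLE_T0 + 10 * ONE_DAY)
    print(consent_permits(w, "marketing", EXAMPLE_T0 + 11 * ONE_DAY))  # False
```

Two design points matter more than the signing primitive. First, consent is checked per purpose, so a record that permits order fulfilment does not permit marketing, which is what "specific" consent means in practice. Second, withdrawal never edits the original artefact; it appends a new signed version, so the audit trail Q4 describes (notice shown, action taken, when withdrawn, and that the record was not altered since) can be reconstructed later. Any record whose signature fails is treated as no consent, which is the safe failure mode for a consent gate.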
Q18. How can I maintain oversight over user data shared with third parties?
You can maintain oversight over user data shared with third parties by integrating Leegality’s consent UI across platforms, including third-party applications. If onboarding happens through physical forms, a consent link can be sent as soon as the data is registered in your Core Systems. For users without smartphones, alternative methods like OTP-based flows or biometric authentication can be implemented, ensuring consent is captured effectively, even in rural areas.
Q19. Can I build a Consent Manager myself?
Building a Consent Manager in-house is challenging due to the complexities of ensuring compliance, managing consent records, and integrating with various systems. Additionally, we may become a registered Consent Manager under the law, which would provide greater authenticity and regulatory certainty to your consent management process.
DPDP Act FAQs
Q1. What is the DPDP Act?
The Digital Personal Data Protection (DPDP) Act is India’s first comprehensive data protection law, enacted in 2023. It aims to regulate the processing of personal data, empower individuals (Data Principals) with rights over their data, and impose accountability on organizations (Data Fiduciaries) handling this data.
Key highlights include:
- Consent-Based Processing: Personal data can only be processed based on free, informed, and specific consent, with a few exceptions.
- Data Principal Rights: Individuals are granted rights such as data access, correction, erasure, and grievance redressal.
- Data Security Obligations: Fiduciaries must ensure robust data protection and report breaches promptly.
- Penalties: Non-compliance can attract penalties of up to ₹250 crore per instance.
- Applicability: The law applies to Indian entities and foreign entities processing data of individuals in India.
The DPDP Act is a step toward strengthening data privacy in India, aligning with global standards like the GDPR.
Q2. Is the DPDP Act in force?
The DPDP Act, 2023 has been enacted but is not yet fully in force. The government is expected to notify its provisions in phases and has released the Draft DPDP Rules to guide implementation. The Draft Rules have been put out for public consultation, but the final version has yet to be notified.
Additionally, the Act establishes the Data Protection Board (DPB), which will oversee enforcement, handle grievances, and impose penalties for non-compliance. Organizations are advised to proactively prepare by understanding the Act, updating data protection practices, and monitoring notifications for the DPDP Rules and operationalization of the DPB.
Q3. How is the DPDP Act different from GDPR?
The DPDP Act and GDPR are both robust data protection frameworks, but they differ in key areas:
- Scope: GDPR applies to both online and offline personal data, while the DPDP Act focuses only on digital personal data.
- Legal Basis: GDPR allows multiple grounds for data processing, such as legitimate interests and contractual necessity. The DPDP Act primarily relies on consent, with limited exceptions for specific legitimate uses.
- Children’s Data: DPDP sets 18 years as the age for requiring parental consent, while GDPR allows member states to lower the age to 13-16 years.
- Data Processor Obligations: GDPR imposes direct compliance obligations on data processors, but under DPDP, the responsibility lies solely with data fiduciaries (controllers).
- Consent Management: DPDP introduces "Consent Managers," a unique concept for centralized and verifiable consent management, which is not present in GDPR.
- Breach Notifications: DPDP mandates reporting every breach to the Data Protection Board and to each affected individual, whereas GDPR requires notifying the supervisory authority unless the breach is unlikely to result in a risk, and affected individuals only where the risk is high.
- Cross-Border Transfers: GDPR restricts transfers to countries with adequate protection or specific agreements, while DPDP leaves this to government discretion.
While both laws aim to protect personal data, the DPDP Act is tailored to India's digital landscape, emphasizing consent and accessibility, particularly in local languages.
Q4. When do I need to take user consent?
Under the DPDP Act, you must take user consent when processing personal data in digital form unless the processing falls under specific exemptions provided by the Act. Key scenarios requiring user consent include:
- Collecting Personal Data: When collecting personal data for any purpose.
- Sharing Data with Third Parties: Before sharing user data with external entities.
- Using Data for New Purposes: If the purpose of processing changes from what was initially communicated.
- Retention Beyond Purpose: If data needs to be retained for reasons other than the original purpose of collection.
Exceptions to consent include processing for state functions, legal obligations, health emergencies, or employment-related purposes. However, even in these cases, compliance with other provisions of the Act, such as data security and grievance redressal, remains mandatory.
Q5. Do I need consent for processing employee personal data?
Under the DPDP Act, consent is not required for processing employee personal data if the processing is necessary for employment-related purposes. Examples include:
- Background Verification: Conducting pre-employment checks.
- Payroll and Benefits Administration: Managing salaries, insurance, and other employee benefits.
- Compliance with Legal Obligations: Maintaining records as required by labor or tax laws.
- Workplace Security: Monitoring access to sensitive areas or systems.
However, businesses must ensure compliance with data protection obligations such as providing secure data storage, notifying employees of their rights, and processing data only to the extent necessary for legitimate employment purposes.
Q6. Are blanket consent notices, broad privacy policies or terms and conditions sufficient for legally using personal data?
No, blanket consent notices, broad privacy policies, or generalized terms and conditions are not sufficient under the DPDP Act. The Act requires that user consent must be:
- Specific: Consent must be for a clearly defined purpose and cannot be vague or open-ended.
- Informed: Users must be fully aware of the type of data collected, the purpose of processing, and any third-party sharing.
- Explicit: Consent must be given through a clear affirmative action, such as clicking a button or ticking a checkbox.
- Unconditional: Users cannot be forced to provide consent as a condition for accessing a service unless the data is essential for providing that service.
Broad terms and conditions or privacy policies often fail to meet these criteria, risking non-compliance and penalties under the Act. It’s essential to design consent notices that are clear, purpose-specific, and in compliance with the DPDP Act.
Q7. Am I a data fiduciary or processor?
The distinction between a Data Fiduciary and a Data Processor lies in who decides the purpose and means of processing personal data:
- Data Fiduciary: You determine why and how personal data is processed.
  - Example: An e-commerce platform collecting customer data for targeted marketing or order processing.
  - Obligations: Full compliance with the DPDP Act, including managing user consents, providing data rights, ensuring security, and addressing grievances.
- Data Processor: You process personal data on behalf of a Data Fiduciary without deciding the purpose or method.
  - Example: A payment gateway facilitating transactions for an online retailer.
  - Obligations: Follow contractual terms from the fiduciary, implement security measures, and delete data promptly when instructed.
Aggregators and Dual Roles
Aggregator businesses often act as both fiduciaries and processors in different contexts:
As a Fiduciary:
- Collecting customer data for user accounts, marketing, or analytics.
- Example: A food delivery platform using customer preferences to suggest restaurants.
As a Processor:
- Facilitating services based on a partnerās instructions.
- Example: A logistics platform managing deliveries for retailers without deciding how data is used.
How to Assess Your Role:
- Map Data Processing Activities: Identify who controls the purpose of data use at each stage.
- Clarify Contractual Terms: Ensure your role is explicitly defined in agreements.
- Monitor Data Usage: Avoid overstepping into fiduciary responsibilities if you’re a processor.
- Implement Best Practices:
- Collect and manage consents where required.
- Automate data deletion processes upon withdrawal of consent or fulfillment of purpose.
- Regularly audit and verify compliance across data flows.
By understanding your role and obligations under the DPDP Act, you can streamline compliance, minimize risks, and build trust with customers and partners.
Q8. Which sectors are affected by the DPDP law?
The Digital Personal Data Protection (DPDP) Act affects all sectors handling digital personal data. Some of the key sectors impacted include:
1. Banking, Financial Services, and Insurance (BFSI)
Handles large volumes of sensitive customer data, requiring strict compliance with consent management, secure data storage, and breach notifications.
2. E-commerce
Relies heavily on personal data for account creation, order management, and personalized marketing, necessitating robust consent mechanisms and secure payment processing.
3. Healthcare
Processes sensitive health data such as patient records and diagnostics, requiring heightened security measures and minimal data usage.
4. Technology and IT Services
Processes vast amounts of data for analytics, software services, and cloud storage, with obligations for managing consents and third-party vendor compliance.
5. Telecom and Internet Service Providers
Collects data for connectivity and billing, with a focus on obtaining clear user consent and implementing strict data retention policies.
6. Education
Manages sensitive data about students and parents, with requirements for parental consent when processing children’s data and securing academic records.
7. Retail and Consumer Goods
Uses personal data for loyalty programs and marketing, emphasizing the need for clear consent and data security.
8. Media and Advertising
Relies on user data for targeted ads and content personalization, requiring explicit consent for tracking and cookie usage.
9. Public Sector and Government Agencies
Collects large-scale citizen data for public services and schemes, with exemptions for specific state functions but a need for robust security measures.
10. Startups and Aggregators
Operate as both data processors and fiduciaries, requiring clear agreements, consent management, and adherence to compliance obligations across data flows.
The DPDP Actās broad scope makes it relevant across industries, with the degree of compliance tailored to the nature and volume of data processed.
Q9. What are the penalties for non compliance with the DPDP Act?
The Digital Personal Data Protection (DPDP) Act imposes significant penalties for non-compliance, emphasizing the importance of adhering to its provisions. Key penalties include:
- Processing Personal Data Without Consent
  - Up to ₹50 crore per instance for failing to obtain valid user consent or not maintaining records of consent.
- Failure to Prevent Data Breaches
  - Up to ₹250 crore per instance for not implementing reasonable security safeguards to protect personal data, and up to ₹200 crore per instance for failing to notify a breach to the Data Protection Board and affected individuals.
- Non-Compliance with Children’s Data Provisions
  - Penalties up to ₹200 crore for mishandling children’s personal data, such as not obtaining verifiable parental consent or processing data that could harm children.
- Violation of User Rights
  - Fines for not fulfilling user rights such as access, correction, or erasure of data, ranging up to ₹50 crore per violation.
- Cross-Border Data Transfer Breaches
- Substantial penalties for transferring data to restricted jurisdictions without government approval.
- Failure to Respond to Grievances
- Heavy fines for not providing grievance redressal mechanisms or addressing user complaints in a timely manner.
The penalties are adjudicated by the Data Protection Board (DPB), which considers factors such as the severity of the violation, duration, recurrence, and mitigation efforts when determining fines. Non-compliance can lead to severe financial and reputational damage, making adherence to the DPDP Act critical for all businesses.
Q10. How can I comply with the DPDP Act?
Complying with the Digital Personal Data Protection Act (DPDP) involves a structured approach to ensure personal data is handled securely and lawfully. Here’s a concise guide:
- Understand and Assess
- Determine how the DPDP Act applies to your business.
- Appoint a Data Protection Officer (DPO) to oversee compliance.
- Audit and Map Data
- Identify all personal data you collect, its source, storage, access, purpose, and retention period.
- Develop a data inventory to track data flows and ensure compliance.
- Implement Consent Management
- Collect explicit, informed, and unconditional consent with detailed notices in local languages.
- Enable users to view, manage, and withdraw consent easily.
- Send a one-time notice for previously collected data.
- Enable User Rights
- Provide mechanisms for users to access, correct, or erase their data.
- Establish grievance redressal and allow users to nominate someone to manage their data in case of incapacity.
- Manage Third Parties
- Conduct due diligence on vendorsā data practices and include data protection clauses in contracts.
- Ensure third parties comply with withdrawal of consent or erasure requests.
- Enhance Data Security
- Implement encryption, firewalls, and access controls.
- Regularly audit and update security measures.
- Prepare an incident response plan for data breaches.
- Monitor Regulatory Updates
- Stay informed about the establishment of the Data Protection Board and DPDP Rules for evolving compliance requirements.
Taking these steps ensures legal compliance, builds user trust, and safeguards your business from penalties of up to ₹250 crore.
Q11. What is the law on preventing and addressing breaches of personal data under the DPDP Act?
The Digital Personal Data Protection (DPDP) Act mandates robust measures to prevent, manage, and respond to personal data breaches. Here’s a concise overview:
Breach Prevention Obligations
- Reasonable Security Safeguards:
- Encryption, access control, and secure backups are mandatory to protect personal data.
- Logs must be retained for at least one year to enable breach detection and investigation.
- Data processors must comply with the same security standards as data fiduciaries through contractual obligations.
- Additional Safeguards for Significant Data Fiduciaries:
- Conduct regular risk assessments and audits to identify vulnerabilities.
- Implement technical and organizational measures such as regular training, penetration testing, and updated security protocols.
Breach Notification Obligations
- Immediate Notification:
- Notify the DPB and affected individuals without delay.
- Include breach details, consequences, mitigation measures, and steps individuals can take to protect themselves.
- Content and Timing:
- Notifications must be clear, concise, and follow the DPDP Rules' format.
- Timely reporting is critical to avoid penalties; the Draft DPDP Rules propose that the DPB be informed within 72 hours of becoming aware of a breach.
Penalties for Non-Compliance
- Failure to implement reasonable security safeguards: up to ₹250 crore per instance.
- Failure to notify the DPB or affected users: up to ₹200 crore per instance.
Compliance with the DPDP Act ensures data security, user trust, and protection from severe penalties. Implementing robust preventive measures and having a clear breach response plan are key to managing personal data responsibly.
Q12. How long can I retain personal data with me? When do I need to delete personal data?
Under the Digital Personal Data Protection (DPDP) Act, personal data must only be retained for as long as necessary to fulfill the purpose for which it was collected. Here's how retention and deletion are governed:
Retention Period
- Purpose Limitation:
- Retain personal data only for the time necessary to achieve the specific purpose for which it was collected.
- Data must not be retained indefinitely without a valid reason.
- Legal Requirements:
- Retention may be extended if required by other laws or regulations (e.g., tax records, compliance obligations).
Deletion Obligations
- Upon Purpose Fulfillment:
- Delete data when the original purpose for processing is fulfilled.
- Upon Consent Withdrawal:
- If the user withdraws consent, the data must be erased unless another legal ground justifies retention.
- Retention Policy:
- Fiduciaries are responsible for establishing clear policies to periodically review and delete unnecessary data.
Best Practices
- Automated Deletion: Implement automated systems for data lifecycle management to ensure timely deletion.
- Data Minimization: Collect only the necessary data to reduce the burden of retention and compliance risks.
- Audits and Compliance Checks: Conduct regular audits to ensure that no data is retained longer than required.
By adhering to these retention and deletion rules, businesses can comply with the DPDP Act, minimize risks, and build trust with users. See our Guide to Data Retention for more details.
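As an added illustration of the "automated deletion" best practice above (example code, not Leegality's own and not a schedule prescribed by the Act or Rules), the following decides, for each stored record, whether to retain it, restrict it to a legal obligation only, or erase it. The record classes, the statutory retention period and the inactivity limit are hypothetical policy values; a real deployment would take them from the business's retention policy and the laws that apply to it.

```python
"""Retention and erasure decision for one personal-data record (added example,
not Leegality's code). Statutory retention periods, the inactivity limit and
the record classes are hypothetical policy values, not figures from the Act.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EX_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed "current time"
DAY = timedelta(days=1)

# Hypothetical statutory retention by record class (e.g. an accounting-law
# obligation), counted from collection. Such an obligation can keep data alive
# after consent is withdrawn, but only for that purpose and only for its period.
LEGAL_RETENTION = {"tax_invoice": 8 * 365 * DAY}


@dataclass
class Record:
    record_id: str
    principal_id: str
    record_class: str
    purpose: str
    collected_at: datetime
    purpose_fulfilled_at: Optional[datetime] = None
    consent_withdrawn_at: Optional[datetime] = None
    last_interaction_at: Optional[datetime] = None


def retention_decision(rec: Record, now: datetime,
                       inactivity_limit: timedelta = 3 * 365 * DAY):
    """Return (action, reason); action is 'retain', 'restrict' or 'erase'.

    'restrict' means: keep only to meet the legal obligation; all other
    processing (marketing, analytics, sharing with partners) must stop.
    """
    legal_until = None
    if rec.record_class in LEGAL_RETENTION:
        legal_until = rec.collected_at + LEGAL_RETENTION[rec.record_class]
    legal_hold = legal_until is not None and now < legal_until

    withdrawn = rec.consent_withdrawn_at is not None and rec.consent_withdrawn_at <= now
    fulfilled = rec.purpose_fulfilled_at is not None and rec.purpose_fulfilled_at <= now

    if withdrawn or fulfilled:
        trigger = "consent withdrawn" if withdrawn else "purpose fulfilled"
        if legal_hold:
            return "restrict", f"{trigger}; legal retention until {legal_until.date()}"
        return "erase", trigger

    # Purpose still open on paper, but the principal has gone quiet: treat the
    # purpose as no longer served once the (hypothetical) inactivity limit passes.
    last_seen = rec.last_interaction_at or rec.collected_at
    if now - last_seen >= inactivity_limit:
        return "erase", f"no interaction for {inactivity_limit.days} days"

    return "retain", "purpose still active"


def sweep(records, now):
    """Batch run for a scheduled job; returns record ids grouped by action."""
    out = {"retain": [], "restrict": [], "erase": []}
    for rec in records:
        action, _reason = retention_decision(rec, now)
        out[action].append(rec.record_id)
    return out


SAMPLE_RECORDS = [  # constructed sample data
    Record("r1", "P-1", "marketing_profile", "marketing", EX_NOW - 400 * DAY,
           consent_withdrawn_at=EX_NOW - 1 * DAY, last_interaction_at=EX_NOW - 2 * DAY),
    Record("r2", "P-1", "tax_invoice", "order_fulfilment", EX_NOW - 400 * DAY,
           purpose_fulfilled_at=EX_NOW - 390 * DAY),
    Record("r3", "P-2", "marketing_profile", "marketing", EX_NOW - 4 * 365 * DAY),
    Record("r4", "P-3", "marketing_profile", "marketing", EX_NOW - 30 * DAY,
           last_interaction_at=EX_NOW - 1 * DAY),
]

if __name__ == "__main__":
    print(sweep(SAMPLE_RECORDS, EX_NOW))
    # {'retain': ['r4'], 'restrict': ['r2'], 'erase': ['r1', 'r3']}
```

The point of the three-way outcome is that a withdrawal does not always mean immediate deletion: the invoice record r2 must be kept for its statutory period, but it must be fenced off from every purpose other than that obligation, and it becomes erasable the day the period ends. Logging the reason string alongside the action gives the audit trail a reviewer will ask for.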
Q13. What is the Data Protection Board?
The Data Protection Board (DPB), established under the DPDP Act, is India’s central authority for enforcing the Act. It investigates breaches, adjudicates complaints, and imposes penalties of up to ₹250 crore for non-compliance. Businesses must report data breaches to the DPB (within 72 hours under the Draft DPDP Rules), resolve grievances, and maintain transparency in handling personal data. The DPB is designed to operate as a digital-first office, facilitating online complaint filing, hearings, and mediation.
To comply, businesses must align with DPDP obligations, such as securing personal data, managing consents, and preparing for DPB scrutiny. Establishing grievance mechanisms, conducting regular audits, and ensuring robust documentation are key steps to stay compliant and mitigate risks. With its enforcement set to begin soon, the DPB represents a significant shift in India’s data protection framework.
Q14. What are the exemptions to the compliance requirements under the DPDP Act?
The Digital Personal Data Protection (DPDP) Act provides certain exemptions from compliance requirements to ensure flexibility in specific scenarios:
- Government Agencies: Public authorities processing data for national security, public order, sovereignty, or maintaining friendly relations with foreign states are exempt. This includes intelligence and law enforcement operations.
- Legal and Regulatory Compliance: Data processing for court orders, regulatory obligations, or to comply with laws is exempt from consent and other compliance requirements.
- Employment-Related Data: Employers are exempt from obtaining consent for processing employee data necessary for hiring, employment contracts, or workplace administration.
- Personal or Domestic Use: Individuals processing data for personal or household purposes are exempt from the Act's requirements.
- Research and Archival Purposes: Data processing for research, statistical analysis, or archiving in the public interest, such as historical documentation or scientific research, may be exempt under specified conditions.
These exemptions aim to balance privacy rights with operational, legal, and societal needs while ensuring that misuse is minimized.
Q15. When, where and to whom is the DPDP Act applicable?
The Digital Personal Data Protection (DPDP) Act applies to digital personal data that can identify an individual. This includes data collected digitally or later digitized, such as names, contact information, financial details, and Aadhaar numbers. The Act defines two primary stakeholders: Data Principals (individuals whose data is processed) and Data Fiduciaries (entities determining the purpose and means of processing). It applies to personal data processed within India, and to processing outside India that is connected with offering goods or services to individuals in India.
The DPDP Act was notified on August 12, 2023, but its enforcement depends on the release of the DPDP Rules and the establishment of the Data Protection Board. Specific exemptions include personal/domestic use, publicly available data, state functions, and employment-related processing. Businesses are advised to start their compliance efforts now, as penalties for non-compliance can reach up to ₹250 crore.
Q16. How are Indian businesses affected by the DPDP Act?
The Digital Personal Data Protection (DPDP) Act is a transformative regulation for Indian businesses. It requires consent (or one of the Act's specified legitimate uses) for processing personal data and gives users rights to manage their data. Companies must implement seamless consent mechanisms, enable easy withdrawal of consent, and ensure data deletion across their systems and third-party vendors. This means overhauling data management processes to align with the principles of data minimization and accountability.
The Act also introduces enforceable user rights, such as access, correction, and erasure of personal data, compelling businesses to establish robust systems for compliance. With the formation of the Data Protection Board (DPB), enforcement mechanisms are stronger, and violations can attract penalties of up to ₹250 crore. Indian businesses must act swiftly to adapt their practices, avoid stringent penalties, and build trust in a more privacy-focused digital ecosystem.
Product FAQs
Q1. Is Consent Management a data governance question? Which are the relevant teams for internally handling the solution?
Consent management is both a data governance and application-level responsibility. Traditionally, businesses maintained a single pipeline where customer data flowed seamlessly across multiple applications. However, under consent-driven regulations, data must now be segmented based on user consent. This means you cannot automatically share all customer data with all applications. Instead, you need to map each application's data usage purpose and ensure that customer data is only shared if they have explicitly consented to that purpose. While the application team handles implementation, the data governance team ensures compliance, tracking, and enforcement of these new controls.
Q2. How can I ensure that the one-time notice is displayed every time an existing user logs in?
You can implement this by using the Consent Check API at the time of user login. The API response will indicate whether consent has already been captured or if it is still pending.
- If consent has not been captured, the system should trigger the Run Register API to display the appropriate notice:
  - New users will be shown the Consent Notice.
  - Existing users will be shown the One-Time Notice as required under the DPDP Act.
Q3. How long is the Consent Capture/Request URL valid, and can the expiry be configured?
By default, the Consent Capture/Request URL remains valid for 10 minutes. When calling the Register API, you can configure the expiry duration in the request. However, this configuration is not available at the consent profile level. If needed, this feature can be developed upon request.
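A consent request link is a bearer of the user's identity and the purpose being consented to, and it is typically handed to the user over a channel the fiduciary does not control. The example below is added here and is not the vendor's code: it shows how a link with the 10-minute default expiry described above, and a per-request override, can be made tamper-evident and single-use by carrying an expiry and an HMAC over (request id, user id, purpose, expiry). The signing key, hostname and parameter names are assumptions.

```python
"""Time-limited, tamper-evident consent request links.

Added example, not the vendor's code: the link carries an expiry and an HMAC
over (request id, user id, purpose, expiry), so it cannot be extended,
re-pointed at another user, or replayed once used. The key, host and
parameter names are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

DEFAULT_TTL_SECONDS = 600                               # the 10-minute default from the FAQ
BASE_URL = "https://consent.example.invalid/request"    # assumed endpoint


def _signature(key: bytes, request_id: str, user_id: str, purpose: str, expires: int) -> str:
    # Every field the verifier will trust goes under the MAC. Fields are
    # rejected if they contain the separator, so the encoding is unambiguous.
    msg = "|".join((request_id, user_id, purpose, str(expires))).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_consent_link(key: bytes, user_id: str, purpose: str,
                       ttl_seconds: int = DEFAULT_TTL_SECONDS,
                       now: Optional[int] = None) -> str:
    """Create a consent request URL that expires `ttl_seconds` from now."""
    if "|" in user_id or "|" in purpose:
        raise ValueError("field contains the signature separator")
    if ttl_seconds <= 0:
        raise ValueError("ttl must be positive")
    now = int(time.time()) if now is None else int(now)
    request_id = secrets.token_urlsafe(16)   # unguessable; also the single-use handle
    expires = now + int(ttl_seconds)
    params = {
        "rid": request_id,
        "uid": user_id,
        "purpose": purpose,
        "exp": expires,
        "sig": _signature(key, request_id, user_id, purpose, expires),
    }
    return BASE_URL + "?" + urlencode(params)


def verify_consent_link(key: bytes, url: str, now: Optional[int] = None,
                        used: Optional[Set[str]] = None) -> Tuple[bool, str, Dict[str, str]]:
    """Validate a presented link. Returns (ok, reason, fields).

    Order: parse -> signature -> expiry -> replay. Nothing in the query string
    is trusted until the constant-time signature check has passed.
    """
    query = parse_qs(urlparse(url).query)
    try:
        request_id = query["rid"][0]
        user_id = query["uid"][0]
        purpose = query["purpose"][0]
        sig = query["sig"][0]
        expires = int(query["exp"][0])
    except (KeyError, IndexError, ValueError):
        return False, "malformed", {}
    expected = _signature(key, request_id, user_id, purpose, expires)
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8")):
        return False, "bad-signature", {}
    now = int(time.time()) if now is None else int(now)
    if now >= expires:
        return False, "expired", {}
    if used is not None:
        if request_id in used:
            return False, "already-used", {}
        used.add(request_id)   # consume on first successful verification
    return True, "ok", {"request_id": request_id, "user_id": user_id, "purpose": purpose}
```

The `used` set stands in for whatever persistent store tracks consumed request ids; without it a forwarded link could be opened twice. Because the expiry is under the MAC, a client cannot stretch the 10-minute window by editing `exp`, and a link built for one user cannot be re-pointed at another.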
Q4. How can we track which users have accepted consent and which are still pending? Are webhooks available?
Webhooks are planned, and we can provide a timeline once confirmed. Currently, you can use the success response from the Register API to determine if a user has accepted the consent. This data can then be mapped to your internal database or tracking system for reference.
Q5. Can I take consents via SMS, email and WhatsApp?
Yes, consents can be collected via SMS, email, and WhatsApp by sharing a consent request link. Users open the link, review the notice, and record their consent digitally. Because the link travels over a third-party channel, it should be unguessable, time-limited (see the expiry described in Q3), and usable only once, so that a forwarded or intercepted message cannot be used to record consent on someone else's behalf.
Q6. Can I run a consent check before processing personal data?
Yes, you can use the Consent Check API to verify whether a valid consent exists before processing any personal data. If consent has not been captured, you can prompt the user to provide it before proceeding.
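The three answers above (Q1 on purpose-based segmentation, Q2 on the login-time check, and Q6 on checking before processing) describe the logic that sits behind a consent check, without showing it. The example below is added here and is not the vendor's Consent Check or Register API. It keeps a per-purpose consent ledger; at login it decides which notice to show (none, the Consent Notice for a new user, or the One-Time Notice for an existing user whose data predates consent capture) and logs that the notice was displayed; before any processing a gate checks consent for the specific purpose; and a per-application filter releases only the fields collected for a purpose the user has consented to. Purpose names, field tags and the storage structure are assumptions.

```python
"""Consent check at login and before processing.

Added example, not the vendor's Consent Check or Register API. A ledger
records per-purpose consent; login_notice() decides what to show at login;
process_with_consent() gates a processing step; share_with_app() releases to
a downstream application only fields collected for a consented purpose.
Purpose names, field tags and the storage structure are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Any, Callable, Dict, List, Optional, Set, Tuple


class Notice(Enum):
    NONE = "none"                  # consent already captured, nothing to show
    CONSENT_NOTICE = "consent"     # new user: collect consent first
    ONE_TIME_NOTICE = "one-time"   # existing user with pre-Act data: show the one-time notice


class ConsentMissing(Exception):
    pass


@dataclass
class ConsentRecord:
    purpose: str
    granted_at: int
    withdrawn_at: Optional[int] = None

    def is_valid(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, ConsentRecord]] = {}   # user -> purpose -> record
        self._legacy_users: Set[str] = set()   # users whose data was collected before consent capture
        self.audit: List[Tuple[int, str, str, str]] = []   # (ts, user, event, detail)

    def register_legacy_user(self, user_id: str) -> None:
        self._legacy_users.add(user_id)

    def grant(self, user_id: str, purpose: str, now: int) -> None:
        self._records.setdefault(user_id, {})[purpose] = ConsentRecord(purpose, now)
        self.audit.append((now, user_id, "granted", purpose))

    def withdraw(self, user_id: str, purpose: str, now: int) -> None:
        rec = self._records.get(user_id, {}).get(purpose)
        if rec is not None and rec.is_valid():
            rec.withdrawn_at = now
            self.audit.append((now, user_id, "withdrawn", purpose))

    def check(self, user_id: str, purpose: str) -> bool:
        """The consent check: an unwithdrawn consent exists for exactly this purpose."""
        rec = self._records.get(user_id, {}).get(purpose)
        return rec is not None and rec.is_valid()

    def login_notice(self, user_id: str, now: int) -> Notice:
        """Decide at login what, if anything, the caller must display.

        A user with any captured consent gets no notice (withdrawal does not
        re-trigger one; the processing gate refuses instead). Otherwise a known
        legacy user gets the one-time notice and anyone else the consent notice.
        The display is logged so it can be evidenced later.
        """
        if self._records.get(user_id):
            return Notice.NONE
        notice = Notice.ONE_TIME_NOTICE if user_id in self._legacy_users else Notice.CONSENT_NOTICE
        self.audit.append((now, user_id, "notice-displayed", notice.value))
        return notice


def process_with_consent(ledger: ConsentLedger, user_id: str, purpose: str,
                         action: Callable[[], Any]) -> Any:
    """Run `action()` only if consent for `purpose` is on record; otherwise refuse."""
    if not ledger.check(user_id, purpose):
        raise ConsentMissing(f"no valid consent from {user_id} for {purpose}")
    return action()


def share_with_app(ledger: ConsentLedger, user_id: str, record: Dict[str, Any],
                   app_purpose: str, field_purposes: Dict[str, Set[str]]) -> Dict[str, Any]:
    """Release to a downstream application only the fields tagged with its
    purpose, and nothing at all unless the user consented to that purpose."""
    if not ledger.check(user_id, app_purpose):
        return {}
    return {name: value for name, value in record.items()
            if app_purpose in field_purposes.get(name, set())}
```

The point of `share_with_app` is the segmentation Q1 describes: each application is mapped to one purpose and each stored field to the purposes it was collected for, so a marketing system never receives a field collected only for service delivery, and receives nothing if marketing consent is absent or withdrawn.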
Q7. How can I collect user consent in rural areas?
Consent can be collected using OTP-based authentication, biometric authentication, or through assisted consent collection at physical touchpoints. For areas with low digital adoption, consent can be captured at the time of onboarding through assisted digital flows. The Consent Notice can be made available in local languages.
Q8. How can my users update their consent preferences?
Users can update their consent preferences via a dedicated consent management portal integrated into your application or website. Your users should be able to view granted consents, modify preferences, or withdraw consent as per their choice.
Q9. How can my users exercise their rights under the DPDP Act?
Users can exercise their rights through a self-service portal where they can request access to, correction of, or erasure of their personal data. Businesses must also provide a grievance redressal mechanism to handle such requests within the prescribed timelines.
Q10. Can the one time notice be integrated on the web via SDK?
Yes. Integrating the one-time notice on web and in applications follows the same process as other consent notices. Under the DPDP Act, the one-time notice is a mandatory disclosure that must be presented to the user but does not require explicit acceptance: compliance is achieved once the notice has been displayed, so the user is informed of the data processing terms without repeated confirmation. Record the display event (user, notice version, timestamp) alongside your consent records so that it can be evidenced later.
What's Next?
With the Draft DPDP Rules out for consultation, India's data protection regime is quickly gaining traction. Businesses must act fast to ensure compliance before the full force of enforcement hits. Consent Managers are the critical tool for staying ahead, enabling organizations to seamlessly collect, manage, and store consent in line with the new regulations. As penalties loom for non-compliance, integrating a Consent Manager is no longer a choice but a necessity. Start now to build trust and avoid costly mistakes as the DPDP Act reshapes data privacy in India.