Comprehensive DPDP Compliance with Leegality’s Consent Infrastructure
Achieve complete transparency and control over your personal data flows and offer delightful consent and privacy rights experiences across all your customer touchpoints.
Provide integrated consent collection, update and data principal rights flows across digital, physical, assisted and third-party channels. Implement cookie banners on your website.
Create detailed data lineages with automated discovery and classification. Manage data retention schedules and send automated deletion instructions to internal and third-party systems.
Implement privacy by design and conduct thorough PIAs, DPIAs, TPRAs and more with our unified assessments and risks module.
Maintain verifiable and immutable records of consent, data principal rights requests and data deletion instructions. Reports and Analytics module to support audits and reviews.
Collect consent through third parties, send deletion instructions, conduct thorough assessments and manage personal data breaches.
Compliance & Privacy for Seamless Data Protection
Comprehensive third-party Risk Management for all your Data
End to End Consent Management built for DPDP Compliance
Automate Identification and Classification of Personal Data
Still have questions? Book a demo with us.
Under the DPDP Act, a Consent Manager is a person registered with the Data Protection Board who acts as a single point of contact to enable a user to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform.
In simpler terms, a Consent Manager ensures that individuals have full control over their personal data and how it is processed.
Under the DPDP Act, you must take user consent when processing personal data in digital form unless the processing falls under specific exemptions provided by the Act. Key scenarios requiring user consent include:
- Collecting Personal Data: When collecting personal data for any purpose.
- Sharing Data with Third Parties: Before sharing user data with external entities.
- Using Data for New Purposes: If the purpose of processing changes from what was initially communicated.
- Retention Beyond Purpose: If data needs to be retained for reasons other than the original purpose of collection.
The DPDP Act, 2023, has been enacted but is not fully in force yet. The government is expected to notify its provisions in phases, and has released the Draft DPDP Rules to guide implementation.
The Draft Rules are out for public consultation, but the final version of these rules is yet to be notified. Additionally, the Act establishes the Data Protection Board (DPB), which will oversee enforcement, handle grievances, and impose penalties for non-compliance.
Organizations are advised to proactively prepare by understanding the Act, updating data protection practices, and monitoring notifications for the DPDP Rules and operationalization of the DPB.
Under the DPDP Act, processing personal data without obtaining valid consent can result in a penalty of up to ₹50 crores per instance.
The requirement to take consent for cookies under the DPDP Act is currently uncertain. However, if cookies are interpreted as “personal data” under the Act (as they can identify and profile users), the following steps may be necessary for compliance:
- Display a Cookie Notice: Clearly explain the use, types, and purposes of cookies, ensuring the notice is available in local languages.
- Obtain Explicit Consent: Use unambiguous actions, such as an “Accept Cookies” button, to collect clear, explicit, and informed consent.
- Provide an Opt-Out Option: Allow users to easily reject or withdraw their consent for cookies at any time.
- Use a Consent Manager: Integrate a Consent Manager to streamline cookie consent collection and ensure compliance with DPDP Act standards.
Until further clarification or enforcement under the DPDP Act, aligning cookie practices with global standards like GDPR can help mitigate compliance risks.