Consent Management puts Users at the Core

As online transactions proliferate, platforms increasingly ask users for a variety of consents. Transparency and information are often missing, leading to consent fatigue and permission by default. However, users may want to have a comprehensive view of the sites that have access to their personal data. The new Digital Personal Data Protection Act, 2023 (DPDPA), has introduced the consent manager as a single point of contact for data principals, enabling the latter to have greater control over such data.

The concept of consent managers was introduced in India by Niti Aayog, the government-backed policy think tank, as part of the Data Empowerment and Protection Architecture (DEPA). Practical implementation came with the account aggregator framework (AA framework), regulated by the Reserve Bank of India. An account aggregator under the AA framework enables a user to share financial information held by regulated entities, known as financial information providers (FIPs), with entities that use the data to provide finance-based services, known as financial information users (FIUs). Account aggregators are data-blind and cannot access the data shared between these entities.

Under the DPDPA, a consent manager is a platform enabling an individual to give, manage, review and withdraw consent. The consent manager is a privacy-centric entity, as opposed to the AA framework account aggregator, which focuses on relaying financial information from an FIP to an FIU on the basis of a standardised consent mechanism. These differences in objectives lead to different commercial models. Consent managers under the DPDPA will attract users through efficiency and convenience in managing their consent. An account aggregator’s operations serve the commercial needs of FIUs.