.svg)
In the Privacy Soapbox, we give privacy professionals, guest writers, and opinionated industry members the stage to share their unique points of view, stories, and insights about data privacy. Authors contribute to these articles in their personal capacity. The views expressed are their own and do not necessarily represent the views of Didomi.
Do you have something to share and want to take over the Privacy Soapbox? Get in touch at blog@didomi.io
While India has been in the spotlight because of its GDPR-esque data privacy law, in a stark departure from its habit of borrowing legislative blueprints, the legislature has introduced the concept of a "consent manager."
A consent manager is intended to act as an intermediary, mapping data sets with end-uses, and acting as a conduit for consent management between data subjects and controllers. This is likely to involve an arduous consent mapping exercise to integrate with unstructured data repositories, which is a costly affair. It would be fair to assume, therefore, that some cost of integration would be borne by data controllers. After all, data controllers own the data, and data subjects are given merely an interface via the intermediary.
While this regulatory framework is ostensibly aimed at eliminating conflicts of interest and easing end-user access to their data, consent managers would likely be remunerated either directly or indirectly, by data controllers, while simultaneously mandated to act in a fiduciary capacity to uphold the interests of the data subject.
The Digital Personal Data Protection Act, 2023 envisages that a consent manager is intended to manage and handle personal data and how it is shared, such that the contents thereof are not readable by it. This implicitly means that consent management must be tokenised, and access and alteration logs brought onto an immutable ledger. Without tokenisation of consents, there would be no way to demonstrate that a data subject's withdrawal of consent is logged immutably, given contradictory incentives to resist such a withdrawal request.
By legislation inserting a "data blind" intermediary between controllers and data subjects, consent management would finally become a meaningfully exercisable right. Layering consent managers between data controllers and subjects allows for the withdrawal of consents without having to interface directly with a data controller.
A data controller would need an economic incentive to outsource this data management role. As India's new privacy law begins to be implemented, consent managers will emerge as legislatively promulgated guardians of data autonomy. By bringing consents on-chain, they are also likely to streamline the collection of parental consent by mapping parental consents to children's access rights, thereby creating interoperable, purpose-bound permissions embedded by law into the data controller-processor relationship.
However, absent any legislative prescription mandating use of data processors in India, there would have to be an economic incentive to use consent managers. An intermediary acting to enforce the digital right of the data subject adds layers to an ecosystem intended to decouple the traditional single-entity “judge-jury-and-executioner” approach to consent management. At its core, this is a unique legislative structure for an ecosystem that is data subject rights-centric; while also democratising the way Indians allow the use of their own data. Consent managers, while a legislatively prescribed concept, cater to a business need inherent in the Indian outsourced consent management ecosystem.
The fine print, however, is that this creates reliance on private individuals to build digital public infrastructure as a foundation for a data brokerage-based economy intended to reduce the cost of doing business in India by surfacing the most relevant data. The race to act as a tolling agent for Indian demographic data is marred by legislative uncertainty, and several lobbyists are laundering interpretive framings as established legislative design while we await interpretive guidance. The license-based regime does, at least, indicate the Government's keenness to ensure regulatory supervision, hopefully exercised in a non-discriminatory manner to ensure ethical data governance practices by consent managers. The Data Protection Board of India has outlined thematic safeguards intended to ensure independence, prevent conflicts of interest with controllers, and mandate that consent managers act in the best interests of data subjects.
India has approximately 1.5 billion individuals, which is the largest retail customer base of any country in the world. The common grouse of any business entering the Indian market, however, is that its population lacks depth in spending capacity. Try selling shirts or sneakers, and you're up against stiff local competition in a value-driven market. Sell supercars or watches, and the Indian market is smaller than cities like London, Singapore, or Dubai.
This begs the question of why the world's consumer brands have been rushing to India. The answer perhaps lies in India's buoyant middle class, arguably driving the fastest-growing consumer economy in the world, though India's demography makes market demand unpredictable. This has caused Indian legislators to be atypically bold and bet on a hypothesis. By regulatory prescription, the Government has artificially inserted consent managers between customers and companies, creating a data-brokerage layer. Indians have been vexed by unsolicited calls and telemarketers for decades.
The consent manager ecosystem, if operationalised rationally, may prevent brands from wasting marketing budgets shooting in the dark and improve targeted outreach for businesses. At the same time, it would also enable the consent managers to monetise access to India's demographic, eventually improving their independence by preventing long -term economic dependence on data subjects or controllers.
Neutral, prescriptive policy, beyond mere guideline-based legislative is likely help define the role of consent managers as guardians of granular end-user consents in India's digital economy.
.avif)
