New consent API under DPDP Act set to redefine data use rules for digital platforms

India is gearing up for a major shift in digital privacy regulation with the Ministry of Electronics and Information Technology (MeitY) reportedly proposing a consent verification mechanism under the Digital Personal Data Protection (DPDP) Act, 2023. A newly released Business Requirements Document outlines the framework for a Consent Management System (CMS) that mandates real-time Application Programming Interface (API) calls to verify user consent before any personal data can be processed for marketing, analytics, or even basic account services.

The upcoming framework, expected to be formalized within the next quarter, also mandates a separation of consent for optional and mandatory services. In other words, “bundled” consent- a common practice where users agree to all data processing purposes in a single click- will soon become non-compliant. This aligns India’s privacy regulations more closely with global norms that emphasize purpose limitation, granularity, and user autonomy.

Industry reacts: Positive intent, complex execution

Aryan Anurag, Co-founder of BingeLabs, calls the unbundling of consent a “pivotal shift” toward transparent and user-centric data practices. “A large volume of user data is being extracted today, often without clear or informed consent. Unbundling permissions could help address that imbalance,” he said, while acknowledging that smaller businesses may face immediate challenges adapting to the new requirements.

Sonam Chandwani, Managing Partner at KS Legal, emphasized the legal implications of this move. “This fundamentally alters how platforms collect and process data. The introduction of live consent validation and a ban on bundled consent means platforms must overhaul their consent architecture. Any failure could trigger fines under Section 33 of the DPDP Act.”

Read more: Businesses gear up for DPDP Rules with privacy policy updates, appoint Data Officers

Aparajita Bharti, Founding Partner at The Quantum Hub, cautioned against an overly prescriptive approach. “Too much granularity could result in ‘consent fatigue’ for users. If the CMS requires users to approve each and every micro-purpose, it could degrade the user experience and result in drop-offs,” she said, urging a balance between transparency and usability.

Supratim Chakraborty, Partner at Khaitan & Co, pointed out that while operational burdens are real, companies that act early could turn compliance into a business differentiator. “Top-down commitment from leadership and collaboration between legal, tech, and product teams can help mitigate friction,” he said.

The rules are also likely to impact cookie policies and behavioral tracking, especially for users below the age of 18, with more stringent guardrails expected in these areas.

API-based consent: A real-time revolution

At the heart of the new CMS proposal is a live Application Programming Interface (API) call to validate consent before any data can be processed. If consent is missing, outdated, or invalid, the system must automatically deny the request. This "consent ping" mechanism ensures that companies cannot use stored or assumed consent to process personal data.

Read more: IAMAI urges MeitY for 24-month implementation period of DPDPA Rules

A privacy expert explained, “Today, when someone installs an app, they’re asked for blanket permissions which often stay active indefinitely. The new system introduces recurring, affirmative consent checks, enhancing user control and transparency.”

Today, when someone installs an app, such as a shopping platform, they’re asked for multiple permissions all at once. Once granted, those permissions often remain active indefinitely unless the user manually revokes them, which most people forget to do. The proposed system under the DPDP framework will prompt users at regular intervals to reconfirm whether they still wish to allow access to their data. This recurring consent mechanism is a highly useful move that gives individuals greater control and awareness over their digital footprint, added Anurag.

MSMEs brace for impact

While large digital platforms and tech firms are relatively better positioned to absorb the compliance demands, micro, small, and medium enterprises (MSMEs) are expected to face significant hurdles, say experts. Storyboard18 earlier reported that many MSMEs, which rely on affordable digital tools and third-party marketing software, may now find themselves at a disadvantage. The CMS requirements could limit their ability to use programmatic advertising, retargeting tools, and analytics software- tools that are often critical to their digital growth strategies.

Read more: DPDPA Rules may hinder MSMEs from leveraging digital tools for marketing and growth

Chandwani added that revamping systems to comply with API-based consent validation and cookie oversight would be a “time-consuming and cost-intensive” exercise for MSMEs. The law's impact will extend beyond tech upgrades, requiring retraining teams, redesigning data flows, and vetting third-party tools for compliance.

According to Chakraborty, the risks for non-compliance are high. “MSMEs that cannot meet these obligations may be excluded from partnerships with larger players looking only for ‘trusted partners’ under the new regime.”