India set to revolutionize data privacy with real-time consent system under DPDP Act
The Ministry of Electronics and Information Technology (MeitY) has unveiled a new framework to operationalize the Digital Personal Data Protection (DPDP) Act, 2023, with a focus on "consent as a live signal" rather than a one-time checkbox.
ADVERTISEMENT
The Indian government is planning to implement a real-time consent verification system, ensuring citizens retain active control over how their personal data is used at every step, not just when they sign up. The Ministry of Electronics and Information Technology (MeitY) has unveiled a new framework to operationalize the Digital Personal Data Protection (DPDP) Act, 2023, with a focus on "consent as a live signal" rather than a one-time checkbox.
Under this proposed Consent Management System (CMS), companies will be required to verify user consent through real-time API calls before processing any personal data, whether it’s for marketing, analytics, or basic services. This represents a fundamental shift in how consent is treated in India’s digital economy. Static permissions that often linger long after users have forgotten them will no longer be sufficient. Instead, businesses must demonstrate that consent is current, specific and purpose-bound and be able to prove it instantly.
The proposed system sets out an entire consent lifecycle, from collection and renewal to withdrawal and revocation. Each consent action must be logged immutably, forming a digital audit trail accessible to both users (referred to as Data Principals) and regulators.
A user-facing dashboard will give individuals granular control over their data, allowing them to manage permissions in real time, raise grievances, and request data corrections or deletions. Notably, bundled or implied consent will be disallowed. Every purpose for which data is collected must have its own separate and clearly accepted permission, reducing ambiguity and forcing platforms to adopt more transparent practices.
The framework also accounts for interoperability, multilingual access and inclusivity, indicating that the government is thinking beyond policy into the practical realities of implementation in a diverse country like India.
For firms handling large volumes of personal data including banks, e-commerce platforms and digital advertising companies, the shift will demand a serious rethink of backend infrastructure. Static consent repositories will need to be replaced with real-time systems, and any data request that lacks valid consent will be automatically blocked.
Companies will need to invest in robust compliance tech stacks and rethink customer journeys from a privacy-first lens.
