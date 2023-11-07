India’s Digital Personal Data Protection (DPDP) Act, which requires companies to obtain the consent of users before processing their personal data, includes a provision for Consent Manager to facilitate this. These platforms allow users to give, manage, review or withdraw their consent and are registered with the Data Protection Board of India. More detailed guidelines for how Consent Managers will function are expected to come out in subsequent rules.

At MediaNama’s PrivacyNama 2023 conference, MediaNama’s Editor and Founder Nikhil Pahwa asked the Chief Privacy Officers of various companies if they would be open to the idea of mandatory integrations with Consent Managers.

Jagannath PV, Chief Privacy Officer at LTIMindtree, opined that it should not be made mandatory because it is not needed. “I don’t think there is a need because the simple reason is large organizations have their own consent management platforms,” he said.

However, if companies were mandated to use Consent Managers, then the question is what level of integration would be required. “If it’s just an API that says, I’m transmitting consent versus revoking consent, I’m absolutely fine. Because at the end of the day, you need to abide by the withdrawal of consent. But if it goes beyond that, I would be a little more worried,” Jagannath remarked. “Depends on how much information I have to pass back to the consent manager. How is that information going to be used elsewhere,” he added.

Agreeing with Jagannath, Bharat Saraf, Director of Privacy at PhonePe, also said that mandating Consent Managers is acceptable as long as there is no data sharing with the Consent Managers. “Even if you look at PhonePe as an account aggregator, there is total data blindness. So neither do we as an account aggregator get to see data. And that is how the entire ecosystem is built,” Saraf opined.

Vasudha Gupta, Chief Privacy Officer, Unlimit, differed from the above views. If Consent Managers are made mandatory, “what is the role of a fiduciary then? Why is a fiduciary responsible for consent,” she asked. “If I have to manage consent through a consent manager, then consent shouldn’t be my obligation. Then it should be the obligation of that consent manager. And that entity should be the one managing consent,” she elaborated.

“Another aspect is that when you are dealing with regulators and auditors, you are supposed to show consent artefacts and send evidence that you have taken when it’s recorded. How do you manage the flow of that from the Consent Manager when the obligation on me as a fiduciary is there to take consent? So will the Consent Manager pass on the data back to me and say this consent has been taken, it was taken at this time,” Gupta added.

“And I think it’s a bad idea. I mean with one entity, if there’s a breach, you are gone. So I think the fact that each entity is handling its own consent, and there’s a reason that fiduciaries have these obligations, I think the sanctity of it should stay for the time being,” Gupta concluded.

STAY ON TOP OF TECH NEWS: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!

Also Read