Q3 - What happens if a Consent Manager itself suffers a data breach - who is liable, the Consent Manager or the Fiduciary relying on it?

Both may be liable, depending on the circumstances:

  • The Consent Manager is directly responsible for securing the consent records it maintains. If those records are breached, it is liable under DPDPA and may face penalties.
  • The Data Fiduciary is still responsible for ensuring it only works with registered, compliant Consent Managers. If it knowingly used a weak or non-compliant Consent Manager, it could also share liability.

Example

If ABC Consent Hub is hacked and records of users’ consent histories are leaked, the Consent Manager will be directly liable. But if XYZ Bank had outsourced all consent handling to ABC despite repeated warnings of weak security, the Board may also hold XYZ partially responsible.