
Q7 - How does DPDPA ensure neutrality of Consent Managers so they do not secretly favor large corporations?

Answer

The Digital Personal Data Protection Act, 2023 (DPDPA) builds legal and technical safeguards into the Consent Manager model so that Consent Managers remain neutral, transparent, and fair in their operations. A Consent Manager answers to the Data Principal (the individual), not to the Data Fiduciaries (organizations) whose consent requests pass through it, and so it cannot lawfully favor large corporations or business partners, openly or secretly.

1. Statutory Duty of Neutrality

Under Section 6(8), read with the definition of a Consent Manager in Section 2(g), every Consent Manager must:

  • Act on behalf of the Data Principal and in the Data Principal's interest.
  • Be accountable to the Data Principal, not to the Data Fiduciary.
  • Serve as a single point of contact through an accessible, transparent, and interoperable platform, following the obligations and technical standards prescribed by the Central Government.

Consistent with these duties, a Consent Manager cannot:

  • Prioritize or delay requests from certain companies.
  • Charge different fees that give preferential access.
  • Manipulate or hide consent options to benefit any particular organization.

Any deviation from neutrality is a breach of its statutory obligations and can lead to monetary penalties or to suspension or cancellation of its registration.


2. Government-Defined Registration and Compliance Standards

Under Section 6(9) read with Section 40(2)(c)–(d):

  • The Central Government prescribes the technical, operational, financial, and other conditions that a Consent Manager must satisfy to operate.
  • These conditions may include mandatory audits, a code of conduct, and transparency disclosures that demonstrate neutrality.
  • Only Consent Managers meeting these conditions can be registered with the Data Protection Board of India.
  • A registration can be suspended or cancelled under the rules if the Consent Manager acts in a biased or non-transparent manner.

3. Oversight by the Data Protection Board of India

The Data Protection Board of India is the enforcement authority.
Under Section 27(1)(c) and (d), the Board may:

  • Inquire into a complaint by a Data Principal that a Consent Manager has breached its obligations in relation to her personal data.
  • Inquire into a breach of any condition of a Consent Manager's registration.
  • In the course of an inquiry, examine consent records and communications to detect bias or manipulation, and impose monetary penalties under Section 33(1).

Regulatory oversight and auditability are what make the neutrality duty enforceable in practice.


4. Interoperability and Transparency Requirements

All Consent Managers are required to operate interoperable platforms that follow the common technical and data-sharing standards prescribed under the Act.
Because of interoperability:

  • Every Consent Manager must support the same prescribed consent formats and communication standards, so a Data Fiduciary is served the same way regardless of which Consent Manager it connects through.
  • This prevents any single Consent Manager from building exclusive integrations with large corporations or offering them faster access.
  • Transparency records and audit trails allow both the Board and Data Principals to verify that all consents are processed on equal terms.

5. Penalties for Breach of Neutrality

If a Consent Manager is found to have:

  • Favored certain Data Fiduciaries,
  • Manipulated consent options, or
  • Obstructed withdrawals for commercial gain,

the Data Protection Board may impose monetary penalties under Section 33(1), and its registration may be suspended or cancelled under the rules made by the Central Government under Section 40(2).


Example

A Consent Manager gives large e-commerce platforms faster API updates while delaying consent withdrawals routed to smaller startups.
On complaints from affected Data Principals, the Data Protection Board inquires into its systems, finds evidence of bias, imposes a penalty, and its registration is suspended for breaching the neutrality and transparency obligations under Section 6(8).


Referenced Provisions:

  • Section 2(g) – Definition of a Consent Manager as an accessible, transparent, and interoperable platform.
  • Section 6(8) – Accountability and neutrality of Consent Managers.
  • Section 6(9) – Registration with the Board and conditions of operation.
  • Section 27(1)(c)–(d) – Inquiry into breaches of a Consent Manager's obligations and of its registration conditions.
  • Section 33(1) – Monetary penalties for violations.
  • Section 40(2)(c)–(d) – Rule-making powers of the Central Government regarding Consent Manager obligations and registration conditions.