Skip to main content

Q5 - How does a Consent Manager ensure that a withdrawal of consent is reflected immediately across all organizations using that consent?

Answer

Under the Digital Personal Data Protection Act, 2023 (DPDPA), a Consent Manager functions as a secure, standardised platform that enables Data Principals to give, manage, review, and withdraw consent in real time. To ensure that a withdrawal of consent is immediately reflected across all organizations relying on that consent, the Consent Manager follows a technical and procedural synchronisation process defined under Section 6(7)–(9).

1. Real-Time Interoperability Framework

All registered Consent Managers must operate on a common, interoperable architecture prescribed by the Central Government under Section 40(2)(d).
This ensures that:

  • Each Consent Manager communicates with all registered Data Fiduciaries through standardised APIs or digital protocols.
  • When a Data Principal withdraws consent, the system automatically sends a revocation signal to every Fiduciary that was granted access under that consent.
  • The Fiduciary’s systems are required to acknowledge and enforce the withdrawal instantly.

This design ensures that consent withdrawal is not dependent on manual intervention or email notifications — it occurs electronically and almost instantly.

Every Consent Manager maintains verifiable consent logs with unique transaction IDs, timestamps, and digital signatures.
When a withdrawal occurs:

  • The event is recorded in the Consent Manager’s ledger.
  • A notification is sent to each associated Fiduciary with proof of withdrawal.
  • The Fiduciary’s system updates its records to halt any further processing of the withdrawn data.

These logs serve as proof of compliance and can be reviewed by the Data Protection Board of India during inquiries or audits.

3. Obligations of Data Fiduciaries After Withdrawal

Under Section 6(6), once consent is withdrawn:

  • The Data Fiduciary must cease processing the personal data for the withdrawn purpose immediately.
  • Any continued use of that data beyond the withdrawal point constitutes a breach of the DPDPA.
  • The Fiduciary may retain minimal data only if required by law or for legal obligations (e.g., audit trails, tax, or record-keeping).

4. Continuous Synchronisation and Error Handling

To avoid delays or data mismatches:

  • Consent Managers are required to implement real-time API synchronisation and retry mechanisms if a Fiduciary’s system fails to acknowledge the withdrawal.
  • All transmission is digitally signed and encrypted to ensure authenticity and integrity.
  • Any failed notification attempts must be logged and retried until confirmation is received.
Example

A user withdraws consent through a registered Consent Manager that manages permissions for three companies — a bank, an insurance provider, and a credit bureau. Once the withdrawal is submitted, the Consent Manager’s system instantly sends signed revocation notices to all three Fiduciaries via standard APIs. Each Fiduciary acknowledges receipt, stops further processing, and updates its records within seconds. If any Fiduciary fails to respond, the Consent Manager’s logs provide traceable evidence for regulatory review.

Referenced Provisions:

  • Section 6(6) – Obligation of Data Fiduciary to stop processing after consent withdrawal.
  • Section 6(7)–(9) – Role, interoperability, and registration of Consent Managers.
  • Section 40(2)(d) – Central Government’s power to prescribe interoperability and technical standards.
  • Section 27–28 – Oversight and enforcement by the Data Protection Board of India.