Skip to main content

Q6 - Can a Data Principal sue a Consent Manager directly if it mishandles their consents?

Answer

Under the Digital Personal Data Protection Act, 2023 (DPDPA), a Data Principal cannot directly "sue" a Consent Manager in court in the first instance.

Instead, the Data Principal must seek redress through the Data Protection Board of India, which is the primary authority empowered to investigate and penalise Consent Managers for any violation of their legal duties.

1. Statutory Redress Mechanism (Section 27–28)

If a Consent Manager mishandles a Data Principal’s consent — for example, by:

  • Failing to record consent correctly,
  • Ignoring a withdrawal request, or
  • Allowing unauthorised access to consent data,

the Data Principal can file a complaint or raise a grievance with the Data Protection Board of India under Section 27(1)(c).
The Board then:

  1. Conducts an inquiry into the alleged breach.
  2. Hears both the Consent Manager and the complainant.
  3. Issues directions or imposes penalties under Section 33(1).

This makes the Board the first and primary enforcement channel — not the civil courts.

2. Escalation to Appellate Tribunal (Section 29)

If the Data Principal (or the Consent Manager) is dissatisfied with the Board’s decision, they may appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) under Section 29(1).
This provides a higher forum for review without approaching a regular civil court.

3. Civil or Judicial Action (Exceptional Circumstances)

While the DPDPA primarily establishes an administrative redressal process, a Data Principal may approach civil courts or consumer forums only in exceptional cases, such as:

  • Contractual disputes outside the DPDPA framework (e.g., if the Consent Manager breached specific terms of service).
  • Situations where damages or compensation are sought under other applicable laws (e.g., Information Technology Act, 2000 or Consumer Protection Act, 2019).

However, for data-protection-related violations, the Data Protection Board remains the central adjudicating body.

Example

A Consent Manager fails to record a Data Principal’s withdrawal of consent, causing continued use of personal data by several companies.
The individual files a complaint with the Data Protection Board, which investigates, verifies consent logs, and imposes a penalty on the Consent Manager for negligence.
If the individual is not satisfied with the outcome, they may appeal to the TDSAT — not directly to a civil court.

Referenced Provisions:

  • Section 6(8)–(9) – Duties and registration of Consent Managers.
  • Section 27(1)(c) – Inquiry by the Board into breaches by Consent Managers.
  • Section 28 – Procedure for inquiry and adjudication by the Board.
  • Section 29(1) – Appeals to the Appellate Tribunal (TDSAT).
  • Section 33(1) – Penalties for non-compliance or breach.