Rule 4: Registration and Obligations of Consent Manager
Rule 4 establishes the framework for the registration and functioning of Consent Managers, which are specialized entities designed to help individuals manage their consents effectively.
Registration Requirement
A Consent Manager must first be registered with the Data Protection Board of India. Registration is granted only if the entity demonstrates adequate technical, financial, and organizational capacity to perform its role in a reliable and secure manner.
Once registered, a Consent Manager has the following obligations:
- It must provide a platform through which Data Principals can give, manage, review, and withdraw consent for the processing of their personal data.
- It must ensure that the process of managing consent is transparent, accessible, and simple, without creating unnecessary hurdles for the Data Principal.
- It must maintain accurate records of consents given and withdrawn, and provide proof of such records when required by the Data Principal or the Board.
- It must implement robust security safeguards such as encryption, access controls, and audit logs to protect against unauthorized access or misuse.
- It must remain a neutral and independent entity, acting only in the best interest of the Data Principal, and not show preference to any specific Data Fiduciary.
- It must cooperate fully with the Board in audits, inspections, or inquiries relating to its operations.
This neutrality requirement is the core of the role: a Consent Manager cannot favor any Data Fiduciary and must always act only in the best interest of the Data Principal.
The role of Consent Managers is central to the DPDPA framework because they empower individuals to exercise genuine control over their data. By separating the management of consent from the Data Fiduciary, the law ensures that Data Principals are not forced into one-sided arrangements where their choices are limited.