In June 2025, India’s Ministry of Electronics and Information Technology (MeitY) released a Business Requirement Document for Consent Management Under the DPDP Act, 2023 (BRD).
The BRD, while not legally binding, provides technical and functional guidance on implementing a consent management system (CMS) under India’s Digital Personal Data Protection (DPDP) Act.
The BRD offers a detailed breakdown of core components of a CMS, including consent lifecycle management, a user dashboard, notifications, and grievance redress mechanisms. It also outlines administrative capabilities, including user role management and data retention policy configuration to ensure operational efficiency and compliance.
While the DPDP Act has not yet come into force, the BRD provides a clear preview of the technical and procedural expectations that data fiduciaries and consent managers (as those terms are defined in the DPDP Act) will have to meet once the law takes effect, making it a critical resource for early compliance planning and system design.
Background
The release of the BRD comes at a time of legal transition as India moves towards operationalizing its new data protection regime, the DPDP Act, amidst ongoing rulemaking and uncertainty around enforcement timelines.
The DPDP Act establishes a comprehensive data protection regime in India governing the collection, use, and disclosure of personal data. Although the Act received presidential assent and was enacted on August 11, 2023, its provisions will take effect on the date appointed by the Central Government through a notification in the Official Gazette. As of today, the Central Government has not issued any such notification, and the DPDP Act remains unenforceable in practice.
To enable implementation of the DPDP Act, the Central Government is currently developing regulations. On January 3, 2025, the MeitY released the Draft Digital Personal Data Protection Rules, 2025 (Draft Rules) for public consultation. The Draft Rules are intended to supplement the DPDP Act by specifying procedures and technical standards necessary for compliance, such as data security obligations, notice requirements, and breach notification protocols. The comment period on the Draft Rules closed on March 5, 2025, and the final rules are expected to be published in due course.
Against this backdrop, the BRD is a supplementary non-binding technical document that is not part of the Act or proposed regulations. It was issued by MeitY through its Startup Hub platform as part of the “Code for Consent” Innovation Challenge. The BRD is intended to guide startups and developers in building Consent Management Systems that align with the DPDP Act’s requirements and anticipated obligations under the Draft Rules.
Key Features of a CMS
Consent sits at the core of the DPDP Act and is specifically governed by Section 6, which requires consent to be free, specific, informed, unconditional, unambiguous, and given through clear affirmative action.
The BRD provides a proposed technical and functional framework for building a CMS aligned with DPDP Act principles, particularly those under Section 6. Key components of a CMS under the BRD include:
- System Architecture: The BRD recommends a modular, standards-based design for CMS platforms that allows for scalability, interoperability, and integration with all systems that rely on consent data.
- User Interface and Experience: The BRD emphasizes simple, multilingual, mobile-accessible dashboards that allow data principals to view, manage, and control consent preferences easily. Interfaces should be intuitive and support WCAG-compliant designs for users with disabilities.
- Consent Lifecycle Management: CMS platforms must track the entire lifecycle of consent – collection, validation, modification, renewal, and withdrawal – and log all activity to ensure auditability and compliance.
- Technical Standards: The BRD proposes secure APIs for interoperable communication between data fiduciaries, consent managers, and data principals. It highlights encryption, time-stamped consent artifacts, and adherence to privacy-by-design principles, such as role-based access control for administrative accounts.
- Grievances and Data Requests: The BRD calls for the CMS to provide data principals with a simple, transparent mechanism to raise complaints regarding consent violations or misuse of personal data, or to request access, correction, or erasure of their data as per the DPDP Act.
Next Steps
Entities subject to the DPDP Act should begin evaluating existing consent management practices in light of the BRD’s recommendations. This may include reviewing data processing activities to identify those requiring consent and evaluating current processes.
Entities should also closely monitor developments regarding the official notification of the DPDP Act’s enforcement date and the finalization of related regulations.