Explained: Govt's new 'code for consent' initiative under the DPDP Act
The Ministry of Electronics and Information Technology (MeitY) has unveiled a framework to implement the DPDP Act, 2023, shortlisting six companies to develop consent management systems
The ‘Code for Consent’ challenge is MeitY’s initiative to solidify how consent should be captured, stored, and used in the digital world. Image: Shutterstock
The Ministry of Electronics and Information Technology (MeitY) recently initiated a new framework built around the idea of ‘consent as a live signal’ to operationalise the Digital Personal Data Protection Act (DPDP) 2023. The DPDP Act is India’s first comprehensive data privacy law.
Six companies have been shortlisted in the first round of its ‘Code for Consent’ challenge to develop real-world Consent Management Systems (CMS). Run by the National e-Governance Division and the MeitY Startup Hub, the challenge aims to surface practical tech that can handle user consent under the new law. The selected teams are Jio, IDfy, Redacto, Zoop, Concur, and Aurelion. The shortlisted teams now move into a three-month build phase to make working prototypes, where their solutions will be tested through sprints focussed on real-world performance like usability, compliance, scalability.
Each team is working off a clear playbook: A Business Requirements Document (BRD) from the ministry that lays out what the system needs to do. This includes secure APIs for real-time consent checks, and tools to let users modify or revoke consent easily. With this initiative, the government’s not just looking for demos, but are testing ideas that could shape national data policy and future infrastructure for digital consent.
What is the ‘Code for Consent’ challenge?
The ‘Code for Consent’ challenge is MeitY’s initiative to solidify how consent should be captured, stored, and used in the digital world. According to Ashok Hariharan, CEO and co-founder, IDfy, it’s about control: Giving individuals the power to decide who gets access to their data, for what purpose, and for how long. Some critical areas in which consent is most relevant include financial services, healthcare, education, and ecommerce, where digital personal data is frequently shared and processed.
Hariharan adds the consent experience across most Indian digital services today is fragmented, compliance-led, and often reduced to a checkbox, far removed from the spirit of the DPDP Act. “Users rarely have clarity on what they’ve consented to, across which services, and how to revoke it. What we need is not just consent capture, but consent governance—a structured, user-centric approach that makes consent granular, auditable, purpose-bound, and revocable.” Implementing the act effectively requires strong data governance, from discovering and classifying personal data, to managing third-party processors and responding to user rights requests. “Consent governance is the front door, but the rest of the house needs to be in order too. That’s the kind of end-to-end thinking we need to operationalise privacy in India.”
How can it be inclusive?
To prove beneficial for use cases in a diverse country like India, the framework will also build in support for multilingual access and inclusivity.
Hariharan believes this initiative marks a turning point, moving us from checkbox compliance to infrastructure-grade solutions. “At Privy (IDfy's data privacy platform), we’ve been fortunate to aid early adopters in rethinking this space, helping them balance seamless user experience with the letter and spirit of the law. In many ways, we’re co-creating the consent governance playbook with forward-looking institutions who want to get it right, not just for regulators, but for their users.”
What are the global practices?
While India has recently started work on a framework for consent, consent management practices exist and vary significantly across different countries. While some regions, like the European Union, mandate explicit, informed consent for data collection and processing, others, such as parts of the United States, much like in India currently, may operate under ‘opt-in’ and ‘opt-out’ models or have more localised regulations. “While global frameworks like General Data Protection Regulation (GDPR) laid the foundation, the Indian approach is purpose-built for scale, multilingual diversity. Consent here isn’t just a checkbox. It’s being embedded into the very plumbing of how data moves across platforms,” says Hariharan.
What could be the potential challenges?
Consent governance isn’t just a technical problem, it’s a design and ethics problem. Infrastructure must scale, but it must also uphold the dignity of the user. “The real challenge is striking the right balance between simplicity and substance. If consent is too complex, users drop off. If it’s too shallow, it becomes meaningless,” he adds.
One challenge that came to light when the initiative was launched was put forth by payment platforms operating in India. These platforms requested the IT Ministry to delay enforcing strict consent rules under the DPDP Act, 2023—they felt the mandate that requires users to approve every data transfer, even for routine transactions like bill payments would frustrate users, raise operational costs, and hit smaller players the hardest. The platforms are understood to have asked for a temporary exemption to build compliant systems that preserve ease of use, and some flexibility to avoid overwhelming users with repetitive approvals. With steep penalties for non-compliance, companies worry that rushing to meet these standards could lead to higher costs for consumers.
Forbes India reached out to PhonePe and Amazon Pay, but the platforms declined to comment.
According to Malcolm Gomes, COO at IDfy, from an operational standpoint, the DPDP Act does not impose any additional burden on payment system operators. A one-time consent for processing personal data, similar to that obtained at the time of registration and upon renewal of the mandate where applicable, is sufficient. However, if the personal or derived data is to be used for any other purpose, separate consent must be obtained. “The notion that the DPDPA requires multiple consents simply for processing auto-pay mandates reflects a narrow and misplaced interpretation of the law,” says Gomes.
He adds that organisations can further simplify compliance by adopting privacy-enabling technologies like Privy by IDfy, which acts as a compliance co-pilot, automating consent lifecycle management, enabling self-service portals for personal data access and rights requests, streamlining deletion requests across data processors, and creating automated data flows for privacy impact assessments and audits. “Its DPO (data privacy officer) dashboard tracks compliance metrics and generates immutable evidence for reporting and audits—turning what could be a manual compliance exercise into a seamless, integrated process.”
Another challenge could be that of consent fatigue, which refers to the psychological exhaustion and indifference users experience when repeatedly asked to provide consent for data collection, often leading to them accepting terms without fully understanding the implications. “It sets in when there is lack of clarity or obfuscation or jargonisation of notice,” says Gomes.
Most of the purposes of processing personal data are fairly standard and easy to comprehend. The problem arises when they are presented with these purposes in a bundled manner without clear mapping of what personal data is required for which purpose and for what period of time. “Organisations, at times, owing to their own process pitfalls are unable to document this simple mapping. They must look at this as an opportunity to identify, classify and map their existing data stores,” adds Gomes.
What’s the future of the consent space in India?
Data is here to stay and the rising need for privacy and consent is proving to be a significant focus area for most sectors. Hariharan believes that consent is where trust begins, and when implemented meaningfully, it unlocks a whole new era of responsible innovation. As India builds standardised, interoperable consent tech, the country is not just solving for compliance, it’s laying the groundwork for secure, user-centric ecosystems across finance, health, education, and beyond. All this with the hope that there will be reduced data misuse, greater user participation, more ethical AI, and fundamentally better products. “India is waking up to a privacy-first future, and the world is watching. This is our moment to lead,” says Hariharan.