As India moves closer to enforcing the Digital Personal Data Protection Act, 2023 (DPDP Act), the Ministry of Electronics and Information Technology (MeitY) has taken a key step by releasing a Business Requirement Document (BRD) outlining a proposed Consent Management System (CMS). Issued through the National e-Governance Division and MeitY’s Startup Hub, the BRD serves as a non-binding technical guide aimed at fostering innovation and readiness.
Though not part of the DPDP Act, the BRD provides an early glimpse into how the government envisions user consent architecture in the digital age.
Regulatory Context
The DPDP Act is yet to be enforced. To operationalize it, the government issued Draft Digital Personal Data Protection Rules, 2025, covering technical and procedural compliance elements—like data security, breach notifications, and consent mechanisms. Public consultation closed in March 2025, and final rules are pending.
Highlights of the BRD
The BRD outlines a privacy-by-design, modular CMS that covers the entire consent lifecycle—from collection to withdrawal and auditing.
1. Consent Collection
• Triggered when users initiate services involving personal data.
• Consent must be granular, unbundled, and purpose-specific.
• Collected through explicit UI controls (e.g., toggles, checkboxes), with no default selections.
• Once validated, a secure consent artefact is generated and stored, containing metadata like user ID, purpose ID, and timestamp.
2. Consent Validation
• Before any data processing, the CMS checks for active and valid consent.
• Consent must not be withdrawn, expired, or used beyond its original scope (e.g., data collected for authentication being reused for marketing).
• All validation steps are logged for auditability.
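The collection and validation steps above can be sketched as follows. This is an added example, not code from the BRD or MeitY. The HMAC integrity tag, the expires_at field, the withdrawal set keyed by (user, purpose), and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

SIGNING_KEY = b"constructed-demo-key"  # assumption: key held only by the CMS


def _mac(fields: dict) -> str:
    payload = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_artefact(user_id: str, purpose_id: str, now: datetime, ttl_days: int = 180) -> dict:
    """Create the artefact after the user actively opts in to one purpose."""
    fields = {
        "user_id": user_id,
        "purpose_id": purpose_id,
        "timestamp": now.isoformat(),
        "expires_at": (now + timedelta(days=ttl_days)).isoformat(),
    }
    return {**fields, "mac": _mac(fields)}


def validate(artefact, user_id, purpose_id, now, withdrawn, audit_log) -> bool:
    """Gate a processing request; every decision is appended to audit_log."""
    fields = {k: v for k, v in artefact.items() if k != "mac"}
    if not hmac.compare_digest(_mac(fields), str(artefact.get("mac", ""))):
        reason = "tampered"  # artefact was edited after issuance
    elif fields["user_id"] != user_id:
        reason = "wrong_user"
    elif fields["purpose_id"] != purpose_id:
        reason = "out_of_scope"  # e.g. authentication consent used for marketing
    elif (user_id, purpose_id) in withdrawn:
        reason = "withdrawn"
    elif now >= datetime.fromisoformat(fields["expires_at"]):
        reason = "expired"
    else:
        reason = "ok"
    audit_log.append({"at": now.isoformat(), "user_id": user_id,
                      "purpose_id": purpose_id, "decision": reason})
    return reason == "ok"


if __name__ == "__main__":
    t0, log = datetime(2025, 1, 1, tzinfo=timezone.utc), []  # constructed sample
    art = issue_artefact("user-1", "authentication", t0)
    print(validate(art, "user-1", "marketing", t0, set(), log), log[-1]["decision"])
```

Denied requests are logged with the same detail as granted ones, so the audit trail shows attempted out-of-scope use as well as valid processing.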
3. Cookie Consent Management
• A clear cookie banner must be shown on first visit.
• Only essential cookies are enabled by default.
• Users can provide granular consent across cookie types (analytics, marketing, etc.).
• Preferences can be modified at any time via a dedicated interface, with real-time updates.
Conclusion
While non-binding, the BRD offers valuable insight into India’s direction on consent governance under the upcoming data protection regime. It allows businesses and developers to begin building compliant systems, positioning them ahead of formal enforcement. By focusing on user empowerment, transparency, and real-time control, the BRD lays the groundwork for a future-ready digital privacy infrastructure.