Business Requirement Document for Consent Management under the DPDP Act

In brief

To enhance the robustness of the Consent Management System (CMS) in alignment with the requirements of the Digital Personal Data Protection Act, 2023 (DPDP Act), the Ministry of Electronics and Information Technology (MeitY) invited startups and Micro, Small, and Medium Enterprises to contribute to the development of a modular CMS. This system is intended to integrate seamlessly with existing platforms and applications used by Data Fiduciaries, thereby ensuring compliance with the DPDP Act. The invitation for participation was announced on 15 April 2025 and was open until 27 April 2025¹. Subsequently, MeitY, in collaboration with its National e-Governance Division, released a Business Requirement Document (BRD)² for consent management under the DPDP Act. The BRD outlines the key functional specifications and regulatory guidelines necessary for the system’s development. The BRD presents a strategic roadmap for the design, development and deployment of the CMS. It envisions a comprehensive solution capable of managing the entire lifecycle of user consent, encompassing its collection, verification, modification, renewal and withdrawal. The primary objective of the CMS is to empower individuals (Data Principals) by giving them greater control over their personal data. It also ensures that organisations (Data Fiduciaries and Data Processors) remain fully compliant with the provisions of the DPDP Act. By implementing this system, organisations can maintain transparency and security in consent handling, while enabling users to easily exercise their data privacy rights in a seamless and trustworthy environment.