Who is a Consent Manager? Know details as govt tightens digital data protection rules, says children need permission to…

The Centre released draft digital data protection rules on Friday evening — outlining arious legal provisions including ways to process the data of children and the role of a ‘consent manager’. The Ministry of Electronics and Information Technology has invited feedback and public comments on the document till February 18. 

The rules outlined in the draft call for data fiduciaries to ensure the consent of a parent before processing the data of children through government issued IDs or linked digital tokens. Certain data fiduciaries, including healthcare professionals and educational institutions, will be allowed to process the personal data of children with some restrictions. Under the draft rules children below the age of 18 will also require parental consent in order to create a social media account.

MeitY has indicated that there will be a staggered implementation of the rules — with five segments pertaining to the selection and functioning of the Data Protection Board coming immediately into effect.

What is a consent manager?

The DPDP Act defines consent managers as a Board-registered entity that acts as a point of contact “to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform”.

“Consent Manager must be a company incorporated in India with sound financial and operational capacity, having a minimum net worth of two crore rupees, a reputation for fairness and integrity in its management, and a certified interoperable platform enabling Data Principals to manage their consent,” reads an excerpt from the Explanatory note shared by MeitY.

According to the draft notification released by the Ministry, eligible individuals can apply to the Board for registration as a consent manager. The consent manager will enable a ‘data principal’ who is using its platform to greenlight the processing of  personal data. The latter will be done by a data fidiciary onboarded to such a platform. The consent manager will also maintain such personal data with the consent of that data principal.

The Consent Manager will also develop and maintain a website or app (or both) as the primary means through which a Data Principal may access its services.