On 6 June 2025, the National e-Governance Division under the Ministry of Electronics and Information Technology (MeitY) released a Business Requirement Document (BRD) for Consent Management under the Digital Personal Data Protection Act, 2023. The BRD provides detailed technical and functional guidance on the architecture and operation of consent management systems that data fiduciaries and consent managers will be expected to implement.
Background
The Digital Personal Data Protection Act, 2023 establishes consent as the primary lawful basis for processing personal data under Section 6. The Act envisages a framework where data principals can grant, manage, and withdraw consent through a structured mechanism. While the substantive rules under the Act were still being finalised at the time of the BRD's release, MeitY chose to issue this technical guidance proactively to give the technology ecosystem time to prepare.
The BRD was released through MeitY's Startup Hub platform as part of the "Code for Consent" Innovation Challenge, inviting technology providers to build consent management solutions aligned with the document's specifications. Though not legally binding, the BRD serves as a strong indicator of the government's expectations regarding technical implementation.
Key Provisions
The Business Requirement Document outlines the following core components of a consent management system:
Consent lifecycle management: The system must support the full lifecycle of consent — collection, storage, modification, renewal, and withdrawal. Each consent action must be logged with a timestamp and be auditable.
User dashboard: Data principals must have access to a dashboard providing visibility into all consents granted, the purposes for which data is being processed, and the ability to withdraw consent granularly.
Notification framework: The system must generate notifications to data principals at key stages, including consent collection, approaching expiry, and processing changes. Data fiduciaries must also receive alerts on consent withdrawals.
Grievance redress integration: The consent management system must incorporate a grievance mechanism allowing data principals to raise complaints about consent handling, with defined escalation paths and resolution timelines.
Administrative controls: Role-based access management, data retention policy configuration, and audit trail functionality are mandated for operational governance.
Implications for Practitioners
The BRD, while non-binding, is the clearest signal yet of how India's consent management infrastructure will function in practice. Technology companies and data fiduciaries should treat this document as a de facto compliance blueprint, particularly given that it was issued by the same ministry responsible for the DPDP Act's implementation.
For legal advisors guiding clients on DPDP Act readiness, the BRD's detailed specifications around consent granularity and withdrawal mechanisms suggest that broad, blanket consent models will not survive regulatory scrutiny. Clients should begin auditing their existing consent collection practices against the BRD's requirements now, rather than waiting for the formal rules to be notified.
The innovation challenge format also signals that MeitY anticipates a market of third-party consent management providers, similar to the consent manager ecosystem under the Account Aggregator framework.