India’s Digital Personal Data Protection Act, 2023 imposes a consent requirement prior to processing of personal data and also gives a right to the consent giver to withdraw consent and have the data erased. The draft Digital Personal Data Protection Rules, 2025, which have not as yet been notified, aim to operationalize and support these requirements.
With regard to consent management, the National e-Governance Division of the Ministry of Electronics and Information Technology has released a technical and legally non-binding document called the business requirement document (BRD). The BRD outlines the framework for building and implementing a consent management system to support every stage of the consent life cycle, including its collection, validation, updation, renewal, and revocation.
Please find our slide show which explains the key pointers in the BRD which may be implemented once the law becomes effective.