India’s Digital Personal Data Protection Act 2023: A Comprehensive Analysis of the June 2025 Rules on Consent Management

1. Introduction

On June 11, 2025, India’s Ministry of Electronics and Information Technology (MeitY) released pivotal rules under the Digital Personal Data Protection Act (DPDP Act) 2023, marking a watershed moment in India’s data protection landscape. These rules establish a comprehensive framework for consent managers, clarify consent standards, delineate breach notification obligations, address children’s data handling, and regulate cross-border data transfers. This legal analysis examines the implications of these new rules for businesses, individuals, and the broader digital ecosystem in India.

The DPDP Act 2023, which received Presidential assent on August 11, 2023, represents India’s most significant data protection legislation to date. The June 2025 rules provide the necessary operational framework to implement the Act’s provisions, particularly focusing on the innovative concept of consent managers as intermediaries in the data protection ecosystem. This development positions India as a pioneer in institutionalizing consent management through third-party platforms, setting a precedent for global data protection practices.

2. Historical Background and Legal Context

India’s journey toward comprehensive data protection legislation has been marked by several key milestones. The genesis of data protection awareness in India can be traced to the Supreme Court’s landmark judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), which established privacy as a fundamental right under Article 21 of the Constitution. This judgment catalyzed the government’s efforts to create a robust data protection framework.

The Data Protection Committee, chaired by Justice B.N. Srikrishna, submitted its report in 2018, proposing the Personal Data Protection Bill. After multiple iterations, including the 2019 and 2021 versions of the bill, the government eventually withdrew the Personal Data Protection Bill in 2022 and introduced the Digital Personal Data Protection Bill 2022, which was later refined and enacted as the DPDP Act 2023.

The Act’s emphasis on consent management reflects India’s unique approach to data protection, recognizing the need for specialized intermediaries to facilitate meaningful consent in an increasingly complex digital ecosystem. Unlike the European Union’s General Data Protection Regulation (GDPR), which primarily focuses on data controller and processor obligations, India’s framework introduces consent managers as a distinct category of stakeholders.

3. Relevant Laws and Regulations

The DPDP Act 2023 operates within a complex legal framework that includes several existing laws and regulations. The Information Technology Act 2000 and its subsequent amendments, particularly the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, established the foundational principles of data protection in India.

The June 2025 rules derive their authority from various sections of the DPDP Act 2023, including Section 16 (consent managers), Section 6 (consent requirements), Section 8 (breach notification), and Section 17 (cross-border data transfers). These rules are complemented by the Digital Personal Data Protection Rules 2025, which provide detailed operational guidelines for implementation.

The regulatory framework also intersects with other relevant legislation, including the Consumer Protection Act 2019, which addresses consumer rights in digital transactions, and the Reserve Bank of India’s guidelines on digital payments and financial data protection. The Telecommunications Act 2023 also plays a crucial role in regulating data flows in the telecommunications sector.

4. Key Judicial Precedents

The legal foundation for India’s data protection framework has been significantly shaped by judicial precedents. The Supreme Court’s decision in Justice K.S. Puttaswamy (Retd.) v. Union of India established the constitutional basis for data protection, recognizing privacy as encompassing informational privacy and the right to control personal information.

In Unique Identification Authority of India v. Central Bureau of Investigation (2019), the Court addressed the balance between individual privacy and state interests, establishing principles that influence how consent and data processing are regulated under the DPDP Act. The judgment emphasized the importance of purpose limitation and data minimization, principles that are reflected in the consent management framework.

The Karnataka High Court’s decision in WhatsApp Inc. v. Union of India (2021) addressed the extraterritorial application of Indian data protection laws and the obligations of foreign entities, providing guidance on cross-border data transfer regulations that are now codified in the June 2025 rules.

5. Legal Interpretation and Analysis

The June 2025 rules introduce several innovative concepts that require careful legal interpretation. The definition of consent managers as “registered entities that act as intermediaries between data principals and data fiduciaries, allowing data principals to grant, manage and withdraw consent” creates a new category of data protection stakeholders with specific obligations and responsibilities.

The consent framework under the rules emphasizes the principles established in Section 6 of the DPDP Act, requiring consent to be “free, specific, informed, unconditional, and unambiguous, demonstrated through a clear affirmative action by the data principal.” This formulation aligns with international best practices while adapting to India’s unique digital landscape.

The rules establish stringent financial and technical requirements for consent managers, including “incorporation in India and a net worth of at least 2 crore Indian rupees (approximately USD 230,000).” These requirements ensure that only financially stable and technically competent entities can operate as consent managers, protecting the interests of data principals.

The breach notification obligations under the rules create a structured approach to incident reporting, requiring data fiduciaries to notify both the Data Protection Board and affected data principals within specified timeframes. This framework enhances transparency and accountability in data processing activities.

6. Comparative Legal Perspectives

India’s approach to consent management through third-party platforms represents a unique model in global data protection law. Unlike the GDPR’s focus on direct relationships between data controllers and data subjects, India’s framework introduces institutional intermediaries to facilitate consent management.

The European Union’s approach under the GDPR emphasizes the accountability of data controllers and processors, with consent being one of several lawful bases for processing. India’s framework, by contrast, places greater emphasis on consent as the primary lawful basis for processing, necessitating the development of specialized consent management infrastructure.

The United States’ sectoral approach to data protection, exemplified by laws like the California Consumer Privacy Act (CCPA), focuses on consumer rights and business obligations without creating intermediary institutions. India’s consent manager framework fills a gap in the global data protection landscape by institutionalizing consent management.

Singapore’s Personal Data Protection Act (PDPA) shares some similarities with India’s approach in terms of consent requirements, but lacks the institutional framework of consent managers. The comparative analysis reveals that India’s model may serve as a template for other jurisdictions seeking to enhance consent management in digital ecosystems.

7. Practical Implications and Challenges

The implementation of the June 2025 rules presents significant practical challenges for businesses operating in India. Data fiduciaries must adapt their consent collection and management processes to comply with the new requirements, potentially requiring substantial changes to existing systems and procedures.

The establishment of consent managers as intermediaries creates new business opportunities but also introduces complexity in data processing relationships. Organizations must evaluate whether to engage consent managers or develop in-house capabilities, considering factors such as cost, technical expertise, and regulatory compliance.

The rules impose significant compliance obligations on consent managers, including “keeping records of consents, data-sharing activities, and user communications for at least seven years” and ensuring that consent remains “free, specific, informed, and unambiguous” while being “easy to withdraw at any time.”

Cross-border data transfer regulations under the rules require careful navigation of international data flows, particularly for multinational corporations. The rules specify conditions for international transfers, potentially affecting business operations and requiring legal and technical adjustments.

8. Recent Developments and Trends

The release of the June 2025 rules represents part of a broader trend toward comprehensive data protection regulation in India. The government’s commitment to creating a robust data protection framework is evident in the phased implementation approach, allowing businesses time to adapt while ensuring effective protection of personal data.

The emergence of consent managers as a distinct category of service providers is driving innovation in the data protection technology sector. Several companies are developing specialized platforms to serve as consent managers, creating a new market segment in India’s digital economy.

International businesses are increasingly recognizing the importance of India’s data protection framework, with many global companies establishing India-specific compliance programs. This trend is likely to accelerate as the rules are fully implemented and enforcement activities increase.

The Data Protection Board’s establishment and operationalization represent crucial developments in India’s data protection infrastructure. The Board’s role in overseeing consent managers and enforcing compliance will be critical to the success of the regulatory framework.

9. Recommendations and Future Outlook

Organizations operating in India should prioritize compliance with the June 2025 rules by conducting comprehensive data protection impact assessments and developing appropriate consent management strategies. This includes evaluating the potential benefits of engaging consent managers versus developing in-house capabilities.

Legal practitioners should develop expertise in India’s unique data protection framework, particularly the consent manager provisions, to effectively advise clients on compliance strategies. The intersection of data protection law with other regulatory requirements, such as cybersecurity and consumer protection, requires specialized knowledge.

Policymakers should monitor the implementation of the consent manager framework and consider necessary adjustments based on practical experience. The international implications of India’s approach may influence global data protection standards and require coordination with other jurisdictions.

Technology companies should invest in developing robust consent management platforms that comply with the June 2025 rules while providing user-friendly interfaces for data principals. The success of the consent manager framework will depend largely on the quality and accessibility of these platforms.

10. Conclusion and References

The June 2025 rules under India’s DPDP Act 2023 represent a significant milestone in the evolution of data protection law in India. The introduction of consent managers as institutional intermediaries creates a unique model that may influence global data protection practices. The comprehensive framework addresses key challenges in digital consent management while establishing clear obligations for all stakeholders.

The success of this framework will depend on effective implementation, robust enforcement, and continued adaptation to technological developments. As India continues to digitize its economy and society, the DPDP Act 2023 and its implementing rules will play a crucial role in protecting individual privacy while enabling innovation and economic growth.

The legal community, technology industry, and policymakers must collaborate to ensure the effective implementation of these rules. The innovative approach to consent management through third-party platforms positions India as a leader in data protection innovation, potentially setting new standards for global data protection practices.

References:

1. Digital Personal Data Protection Act, 2023, No. 22 of 2023, Government of India
2. Digital Personal Data Protection Rules, 2025, Ministry of Electronics and Information Technology
3. Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1
4. Information Technology Act, 2000, No. 21 of 2000, Government of India
5. General Data Protection Regulation, EU 2016/679
6. Business Requirement Document for Consent Management Under the DPDP Act, 2023, MeitY, June 2025
7. Internet Freedom Foundation, “First Read on the Digital Personal Data Protection Rules 2025” (2025)
8. Nishith Desai Associates, “India’s Digital Personal Data Protection Act, 2023: History in the Making” (2024)
9. CookieYes, “India’s DPDP Act Explained: The Latest Guide for Compliance” (2024)
10. Hogan Lovells, “India Publishes Consent Management Rules Under Digital Personal Data Protection Act” (2025)

Also Read: 

Rights of undertrial prisoners in India
How To Send A Legal Notice In India