Amidst the ongoing digital transformation and discussions regarding the transition period for compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), a recent study of 100 companies across various sectors in India has revealed a lack of readiness among digital platforms to meet the new privacy mandates. Experts emphasise the critical role of consent managers in ensuring personal data protection in this evolving landscape.
PwC India conducted a study that analysed the websites of nearly 100 companies spanning 20 different sectors, focusing on their adherence to the privacy features outlined in the DPDP Act. The research found that only nine out of the 100 companies actively sought specific, informed, and freely given consent, which is a fundamental requirement of the new privacy law, before collecting personal data from users. Additionally, 43% of these organisations failed to provide clear reasons for sharing data with third-party entities.
While the government and industry stakeholders have not yet established a timeline for complying with the DPDP Act, which was passed by parliament over two months ago, experts suggest that individuals concerned about their digital data should consider the consent manager provision as a straightforward solution. A consent manager is viewed as an innovative concept, offering a central platform for users to manage their data sharing across various platforms, thereby empowering individuals to have greater control over their data.
Further, the PwC report revealed that only 4% of organisations had mechanisms in place to notify users of data breaches, which could be considered a violation of existing sectoral regulations. Sixteen percent of these companies had a cookie consent feature, while 48% offered an option to retract consent. Only 2% provided consent forms in multiple languages.
The under-preparedness observed in many Indian organisations can be attributed to the country”s unique approach to data protection. Companies with a substantial user base are faced with the challenge of modifying their workflows and exploring technical solutions to meet the DPDP Act”s requirements, such as notifications in various Indian languages and obtaining parental consent.
The DPDP Act introduces the concept of a consent manager, which acts as an intermediary between the data principal and the data fiduciary. Registered with the Data Protection Board, the consent manager serves as a central touchpoint for individuals to provide, oversee, and withdraw their consent through an accessible and transparent platform.
Notably, the DPDP Act omits the “privacy by design” provisions present in previous drafts of the bill. While some experts considered this provision crucial for ensuring data privacy from the inception of a company, opinions on its inclusion vary.
Since the DPDP Act”s approval in parliament, industry voices have called for extended deadlines to meet the law”s mandates. Experts argue that the government should prioritise raising awareness about the act”s provisions and requirements before focusing on immediate enforcement and imposing penalties. This approach aims to ensure a smoother transition and better compliance with the new legislation.