Govt proposes real-time API checks for user consent under DPDP Act

India's DPDP Act was passed in the Parliament in 2023 but still awaits implementation

The government plans to overhaul how companies collect personal data, with a proposed real-time consent verification system that could reshape privacy compliance in the country.

A new framework to operationalise the Digital Personal Data Protection (DPDP) Act, 2023, requires firms to confirm user consent through live API calls before processing any personal information.

Outlined in a recently released Business Requirements Document by the Ministry of Electronics and Information Technology (MeitY), the proposed Consent Management System (CMS) requires companies to verify the validity of consent, whether for marketing, analytics, or account setup, before utilising any data. If consent is missing or expired, the system must automatically block the request.

This approach marks a shift away from static or one-time checkboxes that often go unchecked after the initial user interaction.

Instead, the proposed system will rely on live API calls to confirm whether consent is still valid at the moment data is accessed or used.

What the system entails

The framework defines a full consent lifecycle, including collection, validation, updates, renewal, and withdrawal.

It also outlines technical requirements for interoperability, multilingual support, accessibility, and real-time logging of all consent-related actions.

Companies will be required to log each consent event in an immutable audit trail, ensuring traceability for both regulators and users.

To give users better visibility and control, the Consent Management System (CMS) will include a dashboard where individuals, referred to as Data Principals under the DPDP Act, can view, modify, or revoke their consent for specific data uses.

They will also be able to raise grievances or request data access, correction, or deletion through the same portal.

The document emphasises that bundled or implied consent will not be permitted. Each data processing purpose must have its dedicated consent, and users must take affirmative action (such as ticking a box or clicking “I agree”) to validate their agreement.

If implemented as described, this architecture will bring Indian privacy compliance a step closer to global benchmarks like the EU’s General Data Protection Regulation (GDPR).

It introduces accountability into every stage of data handling and aims to give users control over their personal data, not just at the point of sign-up, but throughout the entire data lifecycle.