
Swiggy wants your order. WhatsApp wants your contacts. But under the DPDP Act, you now get to decide with clarity.
The way everyday apps handle your personal data in India is undergoing a seismic shift. With the Digital Personal Data Protection (DPDP) Act, 2023 now inching towards implementation and the Business Requirements Document (BRD) for Consent Management Systems (CMS) released in June 2025, platforms like Swiggy, WhatsApp, and your neighborhood fintech app are being forced to rethink their data playbooks. This isn’t just another compliance update. It’s a fundamental reset of how trust, transparency, and technology will co-exist in India’s digital economy.
The Law That’s Been in Waiting
Although the DPDP Act was passed in August 2023, its operational rules have remained in suspended animation. That’s about to change. The Ministry of Electronics and Information Technology (MeitY) has confirmed that draft rules will soon be released for public consultation, providing long-awaited clarity on critical aspects like:
- How users can request data access or deletion
- Timelines for grievance redressal and breach notifications
- Consent protocols for minors
- Functioning and appeals process of the Data Protection Board (DPB)
But it’s the recent BRD for Consent Management Systems that’s turning heads, especially for India’s startups, app developers, and digital-first platforms.
Why the BRD Changes the Game
Released on June 6, 2025, the BRD offers detailed technical and functional guidance for building compliant, user-centric systems to manage consent. In short, it’s the operational how-to for implementing the DPDP Act’s most powerful user right: informed, revocable consent.
The BRD outlines the full consent lifecycle (collection, validation, update, renewal, withdrawal) and clarifies who’s responsible for what:
- Data Principals (users): can control, view, and revoke consent anytime
- Data Fiduciaries (apps/companies): must ensure consent is lawful, valid, and logged
- Consent Managers: registered intermediaries to facilitate and verify consent
- Data Protection Officers: required for larger firms to oversee compliance
- Data Processors: bound by the purpose and scope of consent granted
This structure flips the power dynamic: from platforms assuming consent to users explicitly granting and managing it.
What This Means for Everyday Apps
Imagine this: You open a food delivery app and are asked if your location can be used just for delivery tracking and not for future ads or “personalized offers.” Or you’re given the option to revoke WhatsApp’s access to your contact list while still using it for messages. Under the CMS model, this is not a bonus feature; it’s the default expectation.
Here’s how it reshapes user experience on popular platforms:
- Delivery Apps: Must offer granular controls over location, dietary preferences, and spending history
- Messengers: Will need to provide clear opt-ins for data sharing with Meta or third parties
- Fintech apps: Consent for credit score pulls, income profiling, or spending analysis must be purpose-specific, revocable, and time-bound
And platforms cannot hide consent behind confusing UI. Pre-checked boxes? Banned. Consent prompts? Must be in English or any Eighth Schedule Indian language. Every action must be traceable with an audit log and metadata trail.
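One way a backend could enforce the purpose-specific, revocable, time-bound consent and the traceable audit log described above, as an added example that is not taken from the BRD or from any platform named here. The class name, field names, purpose strings and the hash-chain design are all assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

class ConsentLedger:
    """Hypothetical purpose-bound, time-bound, revocable consent store."""

    def __init__(self):
        self.consents = {}  # (user, purpose) -> expiry datetime
        self.audit = []     # append-only; each entry links to the previous hash

    def _log(self, action, user, purpose, at):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"action": action, "user": user, "purpose": purpose,
                 "at": at.isoformat(), "prev": prev}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def grant(self, user, purpose, days, at, user_action=True):
        # A pre-checked box is not an affirmative act: refuse it and log the refusal.
        if not user_action:
            self._log("rejected_prechecked", user, purpose, at)
            return False
        self.consents[(user, purpose)] = at + timedelta(days=days)
        self._log("grant", user, purpose, at)
        return True

    def withdraw(self, user, purpose, at):
        self.consents.pop((user, purpose), None)
        self._log("withdraw", user, purpose, at)

    def allowed(self, user, purpose, at):
        # Consent for one purpose never covers another, and it lapses at expiry.
        expiry = self.consents.get((user, purpose))
        return expiry is not None and at < expiry

    def verify_audit(self):
        # Recompute each hash and link: an edited, reordered or mid-chain deleted
        # entry fails. Detecting truncation from the end would additionally need
        # the latest hash stored outside this system.
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != digest:
                return False
            prev = e["hash"]
        return True
```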
But the Real Question: Persuasion vs. Protection
As platforms chase retention and engagement, where is the line between persuasive design and manipulative consent? This is especially important in light of dark patterns: subtle UX tricks that nudge users into saying “yes” to data sharing.
The DPDP + CMS framework draws a sharp boundary. It encourages data minimalism and punishes excessive, misleading, or bundled data requests. For example, forcing users to accept marketing emails to access customer support would be flagged.
A Startup Challenge and Opportunity
Let’s be real: For many Indian startups, building a CMS that complies with the BRD is no easy lift. It requires:
- Legal-tech integration
- Secure APIs to third-party processors
- Real-time dashboards for user rights management
- Language localization for all prompts
- Immutable audit trails
But here’s the flip side — those who get it right will earn a trust moat.
Take Niyo, a neobanking platform that now offers users a consent centre to control how their salary and spending data is used. Or Ekincare, a digital health platform that’s piloting a full consent dashboard, down to blood report access. As investors and users become more privacy-conscious, compliance could become a brand advantage.
What Investors and Global Partners Are Watching
The DPDP Act isn’t just a domestic play. The BRD is strategically aligned with global data laws, including the EU’s GDPR. That means Indian startups that align with CMS specifications will be better positioned for:
- Global expansions or partnerships
- Foreign Direct Investment (FDI) in sensitive sectors (health, finance)
- Regulatory clearance during M&A
Non-compliance is no small matter. Penalties under the DPDP Act can go up to INR 250 crore ($30 million). But more importantly, the loss of consumer trust is far costlier, especially for D2C brands, fintechs, and social platforms.
Why the BRD Is a Wake-Up Call for Tech Founders
Let’s cut to the chase: This is not about lawyers and checkboxes. It’s about product design.
CMS compliance will now require:
- Design teams to rethink user flows
- Backend engineers to build real-time sync with consent records
- Founders to treat trust as UX, not just a legal appendix
Those who treat this as a last-mile task risk being left behind.
India’s Consent Moment Is Here
For years, Indian users clicked “I Agree” without really knowing what they were agreeing to. That era is ending.
With the DPDPA, 2023 gaining operational teeth and the BRD for Consent Management Systems offering a compliance blueprint, India is entering a new chapter of digital trust.
Whether you’re a billion-dollar app or a bootstrap-stage SaaS startup, how you handle consent will now define not just your risk profile, but your relationship with users. In the battle for data, clarity will win over cunning.