Account Aggregators (AAs): Pioneers of Implementing Consent Managers (CMs) in India

B.G. Mahesh, co-founder and CEO of Sahamati, the industry alliance for the Account Aggregator (AA) ecosystem in India, participated in a panel discussion at PrivacyNama 2023, a privacy conference organized by MediaNama. The panel discussion was focused on understanding the implications of the Digital Personal Data Protection (DPDP) Act 2023 on businesses in India. The panel also delved into what it means to implement consent managers (CMs) at a population scale in India. Read more to know about the themes Mahesh delved into–

DPDP Act and ‘Legacy Data’

Companies that have collected and stored personal data before enacting the Data Protection and Privacy (DPDP) Act 2023 must take specific steps to ensure compliance. First, they must identify this data as personal or non-personal. Once personal data is identified, these companies must provide detailed notices to data principals, informing them about the data collected, stored, and processed, along with the consent previously obtained.

To further empower individuals, the notices should also include a convenient method for consumers to revoke their consent. The DPDP Act has introduced the role of a consent manager to streamline consent-related operations, and additional guidance on compliance timelines will be provided through the DPDP Rules and the Data Protection Board (DPB). These measures aim to ensure that companies handle legacy data in a manner that respects the data privacy rights of individuals.

Imagining Consent Managers at Scale

As consent managers (CMs) scale up and become prevalent across the country, their appearance and functionality will become increasingly diverse. They will play a pivotal role in instilling trust in the data collection and processing processes. CMs that offer customized and personalized consent flows tailored to individual preferences and needs will have a competitive advantage over generic CMs that merely provide standard consent flows to meet compliance requirements.

Given the vast diversity in language, digital literacy, and target audiences, CMs will evolve to cater to the specific requirements of different user groups, be it individuals or businesses like MSMEs. This personalized approach is set to enhance the user experience and further promote the adoption of consent management systems.

Lessons from the Account Aggregator (AA) Ecosystem

Account Aggregators (AAs) are the first functional implementation of CMs in India. AAs have played a crucial role in enabling data sharing with explicit consent within the financial ecosystem. They adhere closely to the principles enshrined in the DPDP Act such as purpose limitation, usage limitation, collection limitation, granularity of data access, notification, and the ability for users to revoke consent.

Interoperability has emerged as a significant challenge within the Account Aggregator (AA) ecosystem, primarily due to the operational burden placed on data fiduciaries. The lack of interoperability has consequences for consumer choice and control over their data. Therefore, prioritizing interoperability becomes essential to empower users and enhance data control.

Furthermore, the success of consent managers (CMs) hinges on their commercial viability. For CMs to effectively scale to serve the entire population, they must operate as sustainable and profitable enterprises. This financial sustainability is crucial for ensuring the widespread adoption of CMs across the country.

Additionally, a key aspect of achieving a nationwide implementation of CMs is their availability in all Indian languages. Language diversity is a prominent feature of India, and providing consent management services in multiple languages is essential for inclusivity.

Incentivizing the development and adoption of CMs in the right manner holds the key to overcoming these challenges. Proper incentives can drive innovation, enhance interoperability, ensure financial sustainability, and promote linguistic diversity in consent managers, ultimately resulting in a more robust and user-friendly data protection ecosystem in India.

Significance of CMs and DPDP

The shift in norms brought about by the Digital Personal Data Protection (DPDP) Act 2023  and Consent Managers (CMs) is particularly significant in the context of the historical treatment of consent. Consent has often resembled a mere checkbox exercise, with individuals grappling with lengthy and convoluted privacy policies. In response to this challenge, the DPDP Act offers a forward-thinking solution by prioritizing real-time, granular, and specific consents precisely when they are required. This transformative approach reflects India’s commitment to enhancing data protection and privacy, paving the way for a more user-centric and comprehensive framework.

Check out this link to listen to panel discussions on Day 1 of the PrivacyNama event, organized by MediaNama