The Digital Personal Data Protection Act (DPDPA), 2023 is India’s data protection law, aiming to safeguard personal data and ensure responsible data processing. DPDPA regulates the collection, storage, and processing of personal data by organizations, including financial institutions. Financial institutions handle personal data continuously and routinely process large volumes of sensitive personal data such as Aadhaar, PAN, bank account details and income information, so it is imperative that they have robust processes and systems in place to track, manage, and monitor the data provided by the data principal.
With this foundation, DPDPA goes on to influence several core operational areas within financial institutions, compelling a relook at how data is handled, shared, processed, protected, and accessed.
Defining Consent from Principles to Practice
Consent is the foundational principle that governs how personal data is collected, processed, and utilized. Under the DPDPA, consent ensures that individuals have control over their personal information, empowering them to make informed decisions about who accesses their data and for what purposes. Data collected can only be used for the specific purpose disclosed to the user at the time of consent. Under DPDPA, the stated purpose is not a suggestion but a legal boundary. Many financial institutions still rely on a single “one consent for all purposes” acceptance or on pre-ticked boxes; neither meets the Act’s requirement that consent be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, so consent obtained that way is invalid under DPDPA.
DPDPA Consent Management Framework
Consent management lies at the heart of DPDPA compliance. It ensures that data principals (customers) are in control of how their personal data is collected and used, making consent the gateway to lawful data processing. For financial institutions, this translates into building clear, retrievable, and trackable consent mechanisms across their digital and physical touch points.
To support proper management, the Act introduces the Consent Manager: a registered intermediary between individuals (data principals) and organizations (data fiduciaries) that gives the data principal a single point of contact to give, manage, review and withdraw consent. Consent Managers do not process the personal data themselves; they manage who gets access to what, when, and for how long, and in doing so play a key role in ensuring proper consent management.
Real-World Example of Consent Manager from the Indian Ecosystem:
The Account Aggregator (AA) framework: Account Aggregators are RBI-licensed entities that route consent-based sharing of financial data between institutions without storing or using the data themselves; Sahamati is the industry body for the AA ecosystem.
Methods of Obtaining, Tracking, and Managing Consent
Obtaining Consent
Consent collection must be transparent, specific, and freely given—not buried in legalese or pre-selected by default. Ways of obtaining consents are:
Explicit Opt-In (No Pre-Ticked Boxes)
Users must actively check a box or toggle to consent (no pre-selected options)
Eg: A digital bank prompts users to tick a checkbox before allowing access to their transaction history for budgeting insights. The checkbox is not pre-selected, ensuring users give active, informed consent before proceeding.
Granular Consent (Separate Toggles for Each Purpose)
Users choose exactly what they consent to (not “all or nothing”).
Eg: During onboarding, a fintech app displays individual toggles to allow users to consent separately to: (1) marketing emails, (2) credit bureau data sharing, and (3) third-party analytics. Users can approve only the ones they’re comfortable with.
Just-in-Time Notices (Contextual Pop-Ups)
Request consent at the moment data is needed (not upfront in a wall of text).
Eg: When a user searches for nearby branches in a bank’s mobile app, a pop-up appears asking for location access, explaining: “We use your location to show nearby ATMs and offers.” Consent is requested at the moment of need.
Layered Notices (Short Summary + Detailed Policy)
The first layer is a plain-language summary (1-2 sentences); the second layer makes the full policy accessible from it.
Eg: A loan app displays a brief note: “We use your data to provide better loan offers.” Below it is a link labeled “Learn More,” which opens a detailed policy outlining data sharing with partners, legal basis, and user rights.
Tracking Consents
Under DPDPA, banks (as Data Fiduciaries) must prove that valid consent was obtained, a notice was shown, the consent was limited to specific purposes, and that it was revocable and acted upon. Without proper consent tracking, institutions risk non-compliance, legal penalties, and loss of customer trust.
How to Implement Consent Tracking – Examples
- Frontend (App/Web): capture consent at each user touchpoint and log it to the backend consent management system (CMS).
- Core Systems (CBS, LOS): sync consent state into the core banking system and loan origination system through APIs or webhooks, so that processing can be checked against consent before it happens.
- Fintechs and partners: share only consent references or tokens, never raw personal data.
- Audit Layer: forward consent events to SIEM tools so every grant, withdrawal and use is traceable and audit-ready.
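To make the four layers above concrete, here is a small consent ledger that ties them together in one process: granular, purpose-bound capture (frontend), a decision point that core systems call before processing, opaque references for partners instead of personal data, and a hash-chained audit trail that detects tampering. This is an added illustration written for this article, not code from any bank, vendor CMS or the Act's rules; the class and function names, purposes and timestamps are all hypothetical and constructed.

```python
"""Purpose-bound, revocable consent ledger with a hash-chained audit trail.

Hypothetical example for this article: an in-memory stand-in for a bank's
consent management system. All identifiers and timestamps are constructed.
"""
import hashlib
import json
import secrets
from datetime import datetime, timezone


def when(day):
    """Constructed timestamp helper: the given day of January 2025, UTC."""
    return datetime(2025, 1, day, tzinfo=timezone.utc)


class ConsentLedger:
    def __init__(self):
        self.records = {}  # consent_id -> consent record (the CMS of record)
        self.events = []   # append-only audit trail; in production, ship to SIEM
        self.refs = {}     # opaque reference -> consent_id (what partners hold)

    # ---- audit layer: every change is an event chained to the previous one ----
    def _log(self, event):
        prev = self.events[-1]["hash"] if self.events else "0" * 64
        body = json.dumps(event, sort_keys=True, default=str)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.events.append({"prev": prev, "body": body, "hash": digest})

    def verify_chain(self):
        """True only if no logged event has been altered, reordered or dropped."""
        prev = "0" * 64
        for e in self.events:
            expected = hashlib.sha256((prev + e["body"]).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True

    # ---- frontend: capture granular, notice-bound consent ----
    def record_consent(self, principal_id, notice_version, choices, at):
        """`choices` maps each purpose shown to the user to True/False.
        Only purposes the user explicitly set to True are granted; a purpose
        absent from `choices` was never shown and is never implied."""
        if not notice_version:
            raise ValueError("consent without a notice is void")
        granted = {p for p, v in choices.items() if v is True}
        consent_id = f"C-{len(self.records) + 1:06d}"
        self.records[consent_id] = {
            "principal_id": principal_id,
            "notice_version": notice_version,
            "granted": granted,
            "withdrawn": {},       # purpose -> datetime of withdrawal
            "captured_at": at,
        }
        self._log({"type": "consent", "id": consent_id, "notice": notice_version,
                   "granted": sorted(granted),
                   "declined": sorted(set(choices) - granted), "at": at})
        return consent_id

    def withdraw(self, consent_id, purpose, at):
        """Withdrawal is per purpose and must itself be logged and honoured."""
        rec = self.records[consent_id]
        if purpose in rec["granted"] and purpose not in rec["withdrawn"]:
            rec["withdrawn"][purpose] = at
            self._log({"type": "withdraw", "id": consent_id,
                       "purpose": purpose, "at": at})

    # ---- core systems (CBS/LOS): the check called before any processing ----
    def is_permitted(self, consent_id, purpose, at):
        """Purpose limitation: processing at `at` is lawful only if this exact
        purpose was granted at or before `at` and not withdrawn before `at`."""
        rec = self.records.get(consent_id)
        if rec is None or purpose not in rec["granted"] or at < rec["captured_at"]:
            return False
        withdrawn_at = rec["withdrawn"].get(purpose)
        return withdrawn_at is None or at < withdrawn_at

    # ---- fintech partners: hand out a reference, never the personal data ----
    def issue_reference(self, consent_id):
        ref = secrets.token_urlsafe(16)   # random; carries no principal data
        self.refs[ref] = consent_id
        self._log({"type": "reference", "id": consent_id})
        return ref

    def check_reference(self, ref, purpose, at):
        """Partner presents its reference; the bank decides, on current consent."""
        consent_id = self.refs.get(ref)
        return consent_id is not None and self.is_permitted(consent_id, purpose, at)
```

The decision point deliberately answers a yes/no question for one purpose at one instant, so a withdrawal is honoured from that moment on while earlier processing still verifies as lawful, and a purpose that was never shown on the notice can never become permitted by default. Because partners only ever hold the random reference, the bank can revoke or re-scope consent centrally without chasing copies of personal data.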
Managing Consents - Notices
A meaningful user experience starts with transparency — under the DPDPA, a clear, accessible notice is the first step toward informed and empowered data consent. Notices must explain the purpose, user rights, and how those rights can be exercised.
- Clear and Accessible Notices: In plain, intelligible language, users must be informed of the data being gathered, its purpose, and their control over it.
- Notice Before Consent: In the absence of an appropriate notice, consent is void and data processing is prohibited by law.
- New Notice, New Purpose: Users must be given a new notice prior to processing if data is utilized for a different purpose.
- Old Data, Fresh Compliance: For consent obtained before the Act came into force, the institution must serve a fresh notice as soon as reasonably practicable; processing may continue only while that consent remains valid and stops once the data principal withdraws it.
Actionable Steps for Financial Institutions
With DPDPA rules still evolving, it is imperative for financial institutions to act early by laying strong operational and technological foundations. Based on practical engagements, here are immediate steps institutions can take:
- Set up a cross-functional consent task force
- Map consent touch points across journeys
- Develop layered and just-in-time notices
- Establish centralized APIs and real-time consent logging
- Ensure core system integration and audit trails
- Engage with sandbox Consent Managers for pilots
- Train staff across functions on consent handling
- Conduct gap assessments and DPIAs
- Plan for scalable, modular compliance frameworks
Conclusion
Numerous financial institutions are re-evaluating their consent management and data governance strategies to help set themselves on the compliance path for DPDPA. DPDPA should not only be treated as a compliance requirement but also a strategic opportunity. Institutions that prioritize transparent, user-first consent systems will differentiate themselves and stay resilient. Let’s not wait for the final rulebook. Now is the time to set the base requirements in motion.