
Click-Based Consent Under Indian Law: Evaluating MeitY's latest "CMS-Business Requirements Document" (CMS-BRD)

  • Writer: Tuhin Batra
  • Jun 9

Updated: 6 days ago


Introduction: The Purpose of the CMS BRD Document


In anticipation of the Digital Personal Data Protection Act, 2023 (DPDP Act) coming into force, Indian organizations are gearing up to build and deploy robust Consent Management Systems (CMS). One such effort is documented in a publicly released Business Requirements Document (BRD) titled “Business Requirement Document For Consent Management Under the DPDP Act, 2023”, published as part of a proposed architectural framework by MeitY-affiliated stakeholders.


The primary objective of the BRD is to provide a blueprint for developing a CMS that enables individuals (Data Principals) to grant, manage, and withdraw consent in a way that aligns with DPDP requirements. The document outlines user flows, consent artefact structures, APIs, and ecosystem roles involving Data Fiduciaries, Consent Managers, and the Data Protection Board.


While this framework sets a commendable foundation, the legal enforceability of the consent mechanisms it describes, especially click-based consent, requires deeper scrutiny through the lens of Indian contract and data protection law.


The Legal Status of Click-Based Consent in India


Click-wrap or click-based consent (e.g., ticking a checkbox or pressing "I Agree") has long been recognized under Section 10A of the Information Technology Act, 2000, which validates electronic contracts formed through digital communications. Indian courts, including in Trimex International FZE v. Vedanta Aluminium Ltd., have accepted digital assent as enforceable.


However, the DPDP Act, 2023 imposes stricter requirements beyond general contract law. Under Section 6, consent must be:


  • Free

  • Specific

  • Informed

  • Unambiguous

  • Given through a clear affirmative action


Moreover, consent must be purpose-linked, revocable, and traceable, raising the bar well above generic click-acceptance.


Where the CMS-BRD Falls Short


An analysis of the BRD for the Consent Management System reveals several shortcomings that weaken the enforceability of click-based consent under DPDP standards:











What a Legally Compliant Click-Consent System Must Do


To ensure legal enforceability under both the DPDP Act and the IT Act, a consent system should:

  1. Use explicit UI/UX prompts that unambiguously capture user intent

  2. Require granular choices, one checkbox per purpose

  3. Show a concise, layered privacy notice before the user acts

  4. Maintain a verifiable audit trail: timestamp, user ID, policy version, device/IP

  5. Provide a simple, mirrored interface for withdrawal

  6. Enable consent capture in regional languages, accessible and understood

  7. Link each consent event to vendor or third-party disclosures
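
A sketch of how items 2, 4 and 5 above can fit together in one data model: one consent event per purpose, each carrying the audit fields from item 4, with withdrawal written through the same path as grant. This is an added example, not code from the BRD or from this article; the class and field names, the sample values and the use of a SHA-256 hash chain to make the trail tamper-evident are all assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first event (assumed convention)

class ConsentLedger:
    """Append-only, hash-chained log of per-purpose consent events (hypothetical)."""

    def __init__(self):
        self.events = []

    @staticmethod
    def _digest(event):
        # Hash every field except the hash itself, in a stable key order.
        body = {k: v for k, v in event.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, action, user_id, purpose, policy_version, ip, device):
        event = {
            "action": action, "user_id": user_id, "purpose": purpose,
            "policy_version": policy_version, "ip": ip, "device": device,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "prev_hash": self.events[-1]["hash"] if self.events else GENESIS,
        }
        event["hash"] = self._digest(event)
        self.events.append(event)
        return event

    def grant(self, user_id, purposes, **ctx):
        # One event per purpose: there is no bundled "agree to all" record.
        return [self._append("grant", user_id, p, **ctx) for p in purposes]

    def withdraw(self, user_id, purpose, **ctx):
        # Withdrawal mirrors grant: same fields, same log, same audit context.
        return self._append("withdraw", user_id, purpose, **ctx)

    def is_consented(self, user_id, purpose):
        # The latest event for this (user, purpose) decides; default is no consent.
        for e in reversed(self.events):
            if e["user_id"] == user_id and e["purpose"] == purpose:
                return e["action"] == "grant"
        return False

    def verify(self):
        # Recompute the chain; any edited, reordered or removed-from-the-middle event breaks it.
        prev = GENESIS
        for e in self.events:
            if e["prev_hash"] != prev or e["hash"] != self._digest(e):
                return False
            prev = e["hash"]
        return True

def demo():
    # Constructed sample values (documentation IP range, made-up IDs).
    ctx = dict(policy_version="v1.2", ip="203.0.113.7", device="constructed-device-id")
    ledger = ConsentLedger()
    ledger.grant("user-42", ["order_fulfilment", "marketing_email"], **ctx)
    ledger.withdraw("user-42", "marketing_email", **ctx)
    return ledger
```

The chain only detects edits to past events if the latest hash is also kept somewhere the log's writer cannot change, such as a separate system or a periodic signed checkpoint.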


Final Thoughts

Click-based consent is not dead, but it must evolve. It is no longer enough to rely on checkboxes or buried terms. The BRD for Consent Management Systems, while technically robust in places, lacks the legal and operational clarity required to meet India's new data protection regime.


Businesses should treat consent as a compliance artefact, not just a UI feature. Consent frameworks need to be co-designed by legal, technical, and product teams to stand up to the scrutiny of users, courts, and regulators.


© 2025 TrailBlazer. 
