The Digital Handshake Reimagined: Can MeitY’s Consent Management System Bridge the DPDPA-Clickwrap Divide?
- Ishtmeet Kaur
[Ishtmeet is a student at Rajiv Gandhi National University of Law.]
In an age where our digital lives are intertwined with countless platforms, how often do we read and scrutinize the terms and conditions before reflexively clicking the “I Agree” button, even though those terms have the potential to dictate how our personal data is processed? In this digital world, where obtaining users’ consent has become just a matter of clicks and checkboxes, it is high time to reassess whether such consent is really meaningful or simply reflects a procedural formality.
With consent being redefined under the new Digital Personal Data Protection Act 2023 (DPDP Act), such online agreements, popularly referred to as clickwrap agreements, have once again come under scrutiny. In order to bridge the gap between the consent requirements under the DPDP Act and the form of consent obtained through clickwrap agreements, the Ministry of Electronics and Information Technology (MeitY) released a Business Requirement Document for Consent Management in June 2025. Despite being non-binding, this document goes a long way in establishing a standardized system for obtaining the informed and explicit consent of users for the processing of their data.
This article examines the disconnect between the statutory consent standards under the DPDP Act and the consent obtained through clickwrap mechanisms. It then goes on to explore how MeitY’s proposed Consent Management System (CMS) can bridge this divide and help in obtaining the informed consent of users for sharing their data. Finally, the author concludes the article by highlighting certain limitations which the system may suffer during its implementation, undermining the goal of obtaining truly informed consent.
The Consent Gap between Clickwrap Agreements and DPDPA
Clickwrap agreements obtain a user’s consent to a website’s terms and conditions through an active confirmation, i.e., where users click on checkboxes titled “I consent” or “I agree”. Since they require an affirmative action from the users, unlike passive browsewrap agreements, their validity has usually been upheld by the Indian courts. In various cases like DDIT, Mumbai v. Gujarat Pipavav Port Limited and Hotmail Corporation v. Van Money Pie, the courts laid down two essential conditions for the validity of clickwrap agreements: (a) clear and conspicuous presentation of terms and (b) the user’s affirmative consent. However, these conditions were not designed with the nuanced data protection principles that have emerged in recent times in mind, making the DPDP Act’s standards more pertinent for obtaining consent today.
The DPDP Act defines consent under Section 6 to be “free, specific, informed, unconditional and unambiguous with a clear affirmative action.” The Act prescribes that individuals should be fully informed as to how their data is going to be used before giving their consent. At the same time, consent should be obtained for specific purposes, instead of a blanket approval. However, the practical realities of consent obtainment clearly do not align with the statutory consent standards laid down in the Act.
Users rarely read the meticulous and lengthy terms and conditions, which often span 7-8 pages and, even if presented clearly, can lead to consent fatigue. What constitutes a reasonably conspicuous notice remains subjective, allowing websites to employ tactics that obscure vital clauses. Many times, critical provisions like data sharing with third parties and dispute resolution are buried in long terms, thus escaping user attention. Therefore, users essentially remain unaware of the consequences of their choices and have no constructive knowledge of the terms, which leads to uninformed consent.
MeitY’s Consent Management System: A Panacea for Uninformed Consent
The Ministry of Electronics and Information Technology has proposed the CMS as a tool which can be used by data fiduciaries to achieve compliance with the DPDP Act. The CMS is envisioned as a comprehensive platform that will manage consent throughout its lifecycle, from acquisition to withdrawal, ensuring transparency and regulatory compliance. Our analysis herein will primarily focus on the procedure for the granting of valid consent by the data principal and how this framework will provide greater validity to consents obtained through traditional clickwrap agreements. It is anticipated that the new strategies provided in the document will directly tackle the issue of uninformed consent.
Proposing a user-friendly interface: Dispelling the fog of hidden terms
One of the major issues underlying clickwrap agreements is their design and disregard for user comprehension. Lengthy texts, small font sizes, buried terms, complex language, etc. have become typical features of most online user agreements, such as privacy policies and terms and conditions. As a result, users find it easier to skip the terms than to read them. Similarly, the “I Accept” and “I do not accept” buttons are often placed at the top of the page, thus discouraging users from reading the entire document. The 2023 Guidelines for the Prevention and Regulation of Dark Patterns also recognize that websites use misleading user interfaces to manipulate user decisions.
A user-friendly interface with easy navigation will ensure that all terms are easily accessible to the users. Moreover, it will place an obligation on the system to ensure that users are presented with concise, plain-language summaries upfront allowing them to read critical terms affecting their rights with respect to their data. This will increase the chances of users giving their informed consent to data sharing terms.
Implementing granular and purpose-specific consent: Ending “take it or leave it” dilemma
Clickwrap agreements generally present users with a “take it or leave it” option, where they have to either accept all the terms and give blanket permission to the data fiduciary for all processing activities or simply stop using the website. This clearly violates an essential feature of consent under the DPDP Act, according to which user consent should be specific. This may also lead to users accepting unconscionable terms of agreement due to their low bargaining power.
Implementing granular consent would mean that consent for each of the purposes, like core delivery service, marketing, analytics and third-party sharing, has to be obtained separately. This will allow the data principal to withhold consent for each data processing purpose individually. Obtaining separate consent for each purpose may make users more cautious while granting consent for purposes where they believe their data may be compromised. This system will prevent bundled consent by separating the optional purposes from the mandatory ones.
In order to further enhance informed consent, the CMS includes various other features like consent artifacts and immutable audit trails. Traditional clickwrap agreements maintain no verifiable record of the user’s consent, particularly regarding which specific version of the terms and conditions the user agreed to. In contrast, the CMS will maintain a detailed record of every instance of consent, including the date and time of consent, the purpose for which the consent was granted, the exact version of the privacy policy which prevailed at that moment, etc., thus making sure that data processing remains aligned with the scope of consent as it existed during any given period.
Illusion of Consent: Risk of Consent Fatigue in CMS Implementation
While it is true that MeitY’s CMS is designed to ensure the free, specific and informed consent of users for data processing, one has to tread with caution since its implementation may undermine these very goals. It is possible that a multitude of granular choices can overwhelm users, leading to greater consent fatigue rather than informed decisions. This may lead to users clicking through options randomly in frustration, without any independent application of mind. Moreover, it may be unrealistic to expect that Data Principals would invest their time and mental energy to manage these intricacies for every digital service they are using.
This can lead to an “illusion of consent”, where users may believe that they are making informed choices because they have options but, in reality, may not understand the implications of the choices they are selecting. Therefore, what is important is that the CMS prioritizes clarity and ease for users over the sheer number of options. This will depend on how the system is adopted in practice, through the implementation efforts of the data fiduciaries and consent managers.
Conclusion
MeitY’s CMS serves as an accelerator in India’s journey towards informed consent in clickwrap agreements. By introducing features like purpose-specific consent, a user-friendly interface, consent artifacts and immutable audit trails, the CMS seeks to ensure that users are able to make the right choice while granting their consent to data processing. Although the system will face a lot of challenges, its success will depend upon the adoption of a balanced approach between user empowerment and practical usability, which will require concerted efforts from all the stakeholders. This will ensure that consent functions not just as a legal formality but as a safeguard for protecting users’ data.