Frequently asked questions
All your questions about digital consent under DPDP answered in one convenient place
Consent management is both a data governance and application-level responsibility. Traditionally, businesses maintained a single pipeline where customer data flowed seamlessly across multiple applications. However, under consent-driven regulations, data must now be segmented based on user consent. This means you cannot automatically share all customer data with all applications. Instead, you need to map each application's data usage purpose and ensure that a customer's data is shared with an application only if that customer has explicitly consented to that purpose. While the application team handles implementation, the data governance team ensures compliance, tracking, and enforcement of these new controls.
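The purpose mapping described above can be enforced as a deny-by-default release gate in front of each downstream application. The following is an added example, not code from this product or its APIs; the application names, purposes, field lists and consent ledger are all constructed assumptions.

```python
from datetime import datetime, timezone

# Hypothetical registry: each application declares one purpose and the fields it needs.
APP_PURPOSES = {
    "billing":   {"purpose": "service_delivery",  "fields": {"name", "email", "address"}},
    "marketing": {"purpose": "promotions",        "fields": {"name", "email", "phone"}},
    "analytics": {"purpose": "product_analytics", "fields": {"user_id", "city"}},
}

# Constructed consent ledger keyed by (user_id, purpose).
CONSENTS = {
    ("u1", "service_delivery"): {"granted": True, "withdrawn_at": None},
    ("u1", "promotions"): {"granted": True,
                           "withdrawn_at": datetime(2025, 1, 5, tzinfo=timezone.utc)},
}

# Constructed customer record used for illustration.
SAMPLE_RECORD = {"user_id": "u1", "name": "Asha", "email": "asha@example.test",
                 "phone": "0000000000", "address": "12 Sample Road", "city": "Pune"}

def has_valid_consent(user_id, purpose, now):
    """True only if consent was granted and not withdrawn as of `now`."""
    rec = CONSENTS.get((user_id, purpose))
    if rec is None or not rec["granted"]:
        return False
    withdrawn = rec["withdrawn_at"]
    return withdrawn is None or now < withdrawn

def release_for_app(app, record, now=None):
    """Return only the fields `app` may receive, or None when sharing is not allowed."""
    now = now or datetime.now(timezone.utc)
    decl = APP_PURPOSES.get(app)
    if decl is None:  # application with no mapped purpose: deny by default
        return None
    if not has_valid_consent(record["user_id"], decl["purpose"], now):
        return None
    # Consent covers the purpose; still release only the declared fields.
    return {k: v for k, v in record.items() if k in decl["fields"]}

def fan_out(record, now=None):
    """Decision for every registered application, usable as an audit trail."""
    return {app: release_for_app(app, record, now) for app in APP_PURPOSES}
```
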
You can implement this by using the Consent Check API at the time of user login. The API response will indicate whether consent has already been captured or if it is still pending.
- If consent has not been captured, the system should trigger the Run Register API to display the appropriate notice.
- New users will be shown the Consent Notice.
- Existing users will be shown the One-Time Notice as required under the DPDP Act.
By default, the Consent Capture/Request URL remains valid for 10 minutes. When calling the Register API, you can configure the expiry duration in the request. However, this configuration is not available at the consent profile level. If needed, this feature can be developed upon request.
Webhooks are planned, and we can provide a timeline once confirmed. Currently, you can use the success response from the Register API to determine if a user has accepted the consent. This data can then be mapped to your internal database or tracking system for reference.
Yes, consents can be collected via SMS, email, and WhatsApp by sharing a consent request link. Users can review and provide their consent digitally, ensuring a seamless and legally valid process.
Yes, you can use the Consent Check API to verify whether a valid consent exists before processing any personal data. If consent has not been captured, you can prompt the user to provide it before proceeding.
Consent can be collected using OTP-based authentication, biometric authentication, or through assisted consent collection at physical touchpoints. For areas with low digital adoption, consent can be captured at the time of onboarding through assisted digital flows. The Consent Notice can be made available in local languages.
Users can update their consent preferences via a dedicated consent management portal integrated into your application or website. Your users should be able to view granted consents, modify preferences, or withdraw consent as per their choice.
Users can exercise their rights through a self-service portal where they can request access, correction, deletion, or portability of their personal data. Businesses must also provide a grievance redressal mechanism to handle such requests within the prescribed timelines.
The integration of the one-time notice on web and applications follows a process similar to other consent notices. As per the DPDP Act, the one-time notice is a mandatory disclosure that must be presented to the user but does not require explicit acceptance. Compliance is considered achieved once the notice has been displayed to the user, ensuring that they are informed of the data processing terms without the need for repeated confirmation.