Consent Validation

The Consent Validation Module (CVM) enables Data Fiduciaries (DFs) and Data Processors (DPs) to validate the existence, scope, and status of consents before processing any personal data. This is critical to comply with the Digital Personal Data Protection Act (DPDPA), 2023 and to ensure auditable, lawful processing across organizational functions.

1. Objectives

  • Prevent unlawful processing by ensuring data is used only under valid consent.
  • Provide APIs, UI, and batch tools to validate consents at scale.
  • Support multi-department use cases (marketing, operations, engineering, product).
  • Enable Data Processors to validate consent on behalf of DFs through secure tokens/keys.
  • Support interoperability frameworks (e.g., SAHAJ) for direct consent status verification.

2. Key Features

| Feature | Description |
| --- | --- |
| Real-Time Consent Validation | Validate consent status instantly before processing. |
| Scope Verification | Verify purpose, data elements, and validity period align with requested processing. |
| Multi-Department Access | Departments such as marketing, ops, product, or engineering can use CMP UI for searches or APIs for automation. |
| Batch Consent Verification | Upload CSV files for large-scale validation tasks. |
| Data Processor Support | Data Fiduciary can issue validation keys or tokens to Data Processors to check consent directly. |
| Metadata Ledger Integration | SAHAJ interoperability allows direct consent status checks from a metadata ledger. |
| Audit Logs | Record every validation attempt, status, and response for compliance. |

3. How It Works

3.1 For Data Fiduciaries

  1. Request Consent Validation via CMP UI or API.
  2. Check Scope – The module verifies that requested purpose, data elements, and processing time align with the consent artefact.
  3. Response – The module returns status: VALID, EXPIRED, WITHDRAWN, or NOT FOUND.

3.2 For Data Processors

  1. Obtain Validation Key – DF issues a secure key/token for DP to use.
  2. Use API – DP calls the CMP Consent Validation API with the key and data subject metadata.
  3. Get Response – DP receives consent status and scope validation.
  4. Proceed/Stop – DP processes or halts data operations based on returned status.

3.3 Interoperability with SAHAJ Metadata Ledger

  • Direct validation by querying consent status from the shared metadata ledger.
  • Eliminates need for file exchanges or manual verification.
  • Strengthens trust and reduces latency between DFs and DPs.

| Method | Suitable For | Description |
| --- | --- | --- |
| UI Search | Small scale, ad hoc checks | DF/DP staff log into CMP dashboard, enter Data Principal ID or Consent ID, retrieve status. |
| API Validation | Automated, large-scale operations | Real-time endpoint to check consent scope and status. |
| CSV Batch Upload | Periodic or legacy systems | Upload a CSV of Data Principal IDs and purposes; get back a validated file with consent statuses. |
| Ledger Query (SAHAJ) | Interoperable environments | Directly query distributed ledger to retrieve consent metadata. |

5. Data Model for Validation

  • Consent ID / Artefact Hash – Identifies the consent artefact.
  • Data Principal ID (UUID) – Pseudonymous identifier of the individual.
  • Purpose ID – Purpose for which validation is sought.
  • Data Elements – Elements requested for processing.
  • Validation Key – Secure token issued to DP by DF.
  • Status Returned – VALID, EXPIRED, WITHDRAWN, or NOT FOUND.
  • Timestamp & Audit Trail – When validation occurred and by whom.
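
The scope check from section 3.1 and the fields of the data model above, as an added Python example (not code from the CMP or its API). The artefact shape, the validate function, the in-memory store and audit list, and the sample identifiers are assumptions; returning scope as a separate flag and reporting a principal mismatch as NOT FOUND are choices made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class ConsentArtefact:  # hypothetical shape; fields follow the data model above
    consent_id: str
    principal_id: str
    purpose_ids: frozenset
    data_elements: frozenset
    valid_from: datetime
    valid_until: datetime
    withdrawn_at: Optional[datetime] = None

AUDIT_LOG = []  # stand-in for an append-only audit store

def validate(store, consent_id, principal_id, purpose_id, elements, at, caller):
    """Return (status, scope_ok, may_process) for processing planned at time `at`."""
    art = store.get(consent_id)
    # A consent ID bound to a different principal is reported as NOT FOUND,
    # so the response does not confirm that the ID exists.
    if art is None or art.principal_id != principal_id:
        status, scope_ok = "NOT FOUND", False
    else:
        if art.withdrawn_at is not None and art.withdrawn_at <= at:
            status = "WITHDRAWN"
        elif at > art.valid_until:
            status = "EXPIRED"
        else:
            status = "VALID"
        # Scope: purpose, data elements and processing time must all match.
        scope_ok = (purpose_id in art.purpose_ids
                    and set(elements) <= art.data_elements
                    and art.valid_from <= at <= art.valid_until)
    may_process = status == "VALID" and scope_ok  # fail closed
    AUDIT_LOG.append({"at": at.isoformat(), "by": caller, "consent_id": consent_id,
                      "purpose_id": purpose_id, "status": status, "scope_ok": scope_ok})
    return status, scope_ok, may_process

# Constructed sample data (not real identifiers).
UTC = timezone.utc
STORE = {"c-001": ConsentArtefact(
    "c-001", "principal-0001", frozenset({"marketing-email"}), frozenset({"email", "name"}),
    datetime(2024, 1, 1, tzinfo=UTC), datetime(2024, 12, 31, tzinfo=UTC))}

if __name__ == "__main__":
    t = datetime(2024, 6, 1, tzinfo=UTC)
    print(validate(STORE, "c-001", "principal-0001", "marketing-email", ["email"], t, "processor:demo"))
    print(validate(STORE, "c-001", "principal-0001", "marketing-email", ["email", "phone"], t, "processor:demo"))
```

A caller should proceed only when may_process is true; a VALID status with a failed scope check still means stop.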