#FactCheck - Viral Video of Argentina Football Team Dancing to Bhojpuri Song is Misleading

The Digital Personal Data Protection (DPDP) Act, 2023, operationalises data privacy largely through a consent management framework. It aims to give data principles, ie, individuals, control over their personal data by giving them the power to track, change, and withdraw their consent from its processing. However, in practice, consent management is often not straightforward. For example, people may be frequently bombarded with requests, which can lead to fatigue and eventual overlooking of consent requests. This article discusses the way consent management is handled by the DPDP Act, and looks at how India can design the system to genuinely empower users while holding organisations accountable.

‍

Consent Management in the DPDP Act

‍

According to the DPDP Act, consent must be unambiguous, free, specific, and informed. It must also be easy for people to revoke their consent (DPO India, 2023). To this end, the Act creates Consent Managers- registered middlemen- who serve as a link between users and data custodians. 

The purpose of consent managers is to streamline and centralise the consent procedure. Users can view, grant, update, or revoke consent across various platforms using the dashboards they offer. They hope to improve transparency and lessen the strain on people to keep track of permissions across different services by standardising the way consent is presented (IAPP, 2024).

The Act draws inspiration from international frameworks such as the GDPR (General Data Protection Regulation), mandating that Indian users be provided with a single platform to manage permissions rather than having to deal with dispersed consent prompts from every service.

‍

The Challenges 

‍

Despite the mandate for an interoperable platform for consent management, several key challenges emerge. There is a lack of clarity on how consent management will be operationalised. This creates challenges of accountability and implementation.  Thus, : 

1. If the interface is poorly designed,  users could be bombarded with content permissions from apps/platforms/ services that are not fully compliant with the platform. 
2. If consent notices are vague, frequent, lengthy, or complex, users may continue to grant permissions without meaningful engagement. 
3. It leaves scope for data fiduciaries to use dark patterns to coerce customers into granting consent through poor UI/UX design.
4. The lack of clear, standardised interoperability protocols across sectors could lead to a fragmented system, undermining the goal of a single, easy-to-use platform.
5. Consent fatigue could easily appear in India's digital ecosystem, where apps, e-commerce websites, and government services all ask for permissions from over 950 million internet subscribers. Experiences from GDPR countries show that users who are repeatedly prompted eventually become banner blind, which causes them to ignore notices entirely.
6. Low levels of literacy (including digital literacy) and unequal access to digital devices among women and marginalised communities create complexities in the substantive coverage of privacy rights.  
7. Placing the burden of verification of legal guardianship for children and persons with disabilities (PwDs) on data fiduciaries might be ineffective, as SMEs may lack the resources to undertake this activity. This could create new forms of vulnerability for the two groups. 

Legal experts claim that this results in what they refer to as a legal fiction, wherein consent is treated as valid by the law despite the fact that it does not represent true understanding or choice (Lawvs, 2023). Additionally, research indicates that users hardly ever read privacy policies in their entirety. People are very likely to tick boxes without fully understanding what they are agreeing to. By drastically limiting user control, this has a bearing on the privacy rights of Indian citizens and residents.  (IJLLR, 2023).

‍

Impacts of Weak Consent Management:

‍

According to the Indian Journal of Law and Technology, in an era of asymmetry and information overload, privacy cannot be sufficiently protected by relying only on consent (IJLT, 2023). Almost every individual will be impacted by inadequate consent management.

1. For Users: True autonomy is replaced by the appearance of control. Individuals may unintentionally disclose private information, which undermines confidence in digital services.
2. For Businesses: Compliance could become a mere formality. Further, if acquired consent is found to be manipulated or invalid, it creates space for legal risks and reputational damage. 
3. For Regulators: It becomes difficult to oversee a system where consent is frequently disregarded or misinterpreted. When consent is merely formal, the law's promise to protect personal information is undermined.

‍

Way Forward

‍

1. Layered and Simplified Notices: Simple language and layers of visual cues should be used in consent requests. Important details like the type of data being gathered, its intended use, and its duration should be made clear up front. Additional explanations are available for users who would like more information. This method enhances comprehension and lessens cognitive overload (Lawvs, 2023).
2. Effective Dashboards: Dashboards from consent managers should be user-friendly, cross-platform, and multilingual. Management is made simple by features like alerts, one-click withdrawal or modification, and summaries of active permissions. The system is more predictable and dependable when all services use the same format, which also reduces confusion (IAPP, 2024). 
3. Dynamic and Contextual Consent: Instead of appearing as generic pop-ups, consent requests should show up when they are pertinent to a user's actions. Users can make well-informed decisions without feeling overburdened by subtle cues, such as emphasising risks when sensitive data is requested (IJLLR, 2023). 
4. Accountability of Consent Managers: Organisations that offer consent management services must be accountable and independent, through clear certification, auditing, and specific legal accountability frameworks. Even when formal consent is given, strong trustee accountability guarantees that data is not misused (IJLT, 2023).
5. Complementary Protections Beyond Consent: Consent continues to be crucial, but some high-risk data processing might call for extra protections. These may consist of increased responsibilities for fiduciaries or proportionality checks. These steps improve people's general protection and lessen the need for frequent consent requests (IJLLR, 2023).

‍

Conclusion

‍

The core of the DPDP Act is to empower users to have control over their data through measures such as consent management. But requesting consent is insufficient; the system must make it simple for people to manage, monitor, and change it. Effectively designed, managed, and executed consent management has the potential to revolutionise user experience and trust in India's digital ecosystem if it is implemented carefully.To make consent management genuinely meaningful, it is imperative to standardise procedures, hold fiduciaries accountable, simplify interfaces, and investigate supplementary protections.

‍

References

‍

Building Trust with Technology: Consent Management Under India’s DPDP Act, 2023

Consent Fatigue and Data Protection Laws: Is ‘Informed Consent’ a Legal Fiction

Beyond Consent: Enhancing India's Digital Personal Data Protection Framework

Constitutional Implications Of Consent Fatigue In Data Protection: Rethinking Meaningful Consent In The Indian Context 

Top 10 operational impacts of India’s DPDPA – Consent management

‍

Introduction

‍

Raksha Bandhan is a cherished festival which is celebrated every year on the full moon day of the Hindu month of Shravan. It is a festival that represents the love, care, and protection that siblings share. This year, Raksha Bandhan falls on 09th August 2025. On this day, sisters tie a sacred thread known as Rakhi on their brothers' wrists as a symbol of love and protection, and in return, brothers promise to safeguard them in all walks of life. The origin of this festival traces back to the Mahabharata, when lord Krishna injured his finger. To bandage the wound, Draupadi, also known as Panchali, tore a piece of her saree and tied it on Krishna's finger. Krishna was touched by her selfless gesture and promised to always protect her, a promise he fulfilled during Drapadi’s time of greatest need. 

Today, in the evolving world driven by technology in all aspects of life, the nature of threats has evolved. In this digital age, physical safety alone is no longer enough. Alongside the traditional vow, there is now a growing need for another promise, the promise of Cyber Raksha (Cyber Safety). As we celebrate the spirit of Raksha Bandhan, this year also take the pledge of offering and taking care of the Cyber Suraksha of your sibling. 

‍

Ek Vaada Cyber Raksha ka 

‍

All the brothers and sisters share the bond of mutual care and responsibility. In the evolving threats of cybercrimes, they must understand the vulnerabilities they might face and the cyber safety tips they should be aware of to protect themselves. You must promise to guide, protect each other from online dangers, and help understand the importance of digital safety.  Hence, this Raksha Bandhan, let’s also tie a knot of cyber awareness, responsibility, and digital protection,  because true raksha in today’s age is not only about protection in the offline world, it is about protection in both the offline and online world. 

CyberPeace has curated the following best practices for you to consider in your life and also to share with your sisters and brothers.

‍

Password Security

‍

‍It is most important to realise that cybercrooks mostly have their eyes on your passwords to target and gain access to your accounts or information. Scammers try multiple ways to get access to your passwords by way of various methods such as OTP frauds, Fake login pages (spoofing), Social engineering, Credential stuffing, Brute-force attacks, phishing, etc. 

‍

Quick Tips 

‍

• Use strong passwords.
• Regularly update passwords.
• Use separate passwords for different accounts.
• Use secure & trusted password managers.
• Use two-factor authentication for an extra layer of security.
• Make sure not to save passwords on random devices.

‍

Social Media Security

‍

‍There are endless cyber scams that take place through social media, such as identity theft, cyberbullying, cyber stalking, online harassment, data leaks, suspicious links leading to phishing and malware, exposure to inappropriate content, etc. It becomes important for netizens to protect their accounts, data, and online presence on social media platforms from the growing cyber threats.

‍

Quick Tips

‍

• Review app permissions and do not give any unnecessary app permissions.
• Keep your account private or customise your privacy settings as per your needs.
• Be cautious while interacting with strangers.
• Do not click on any suspicious or unknown links.
• Make sure to log out in case you have to log in to your social media on an unfamiliar device, and update your password to prevent unauthorised access.
• Always use Two-Factor authentication for your social media accounts.
• Avoid sharing too much of your personal information on the public story or public posts. This can be used by cybercriminals for social engineering.
• Use the report & block function to protect yourself from spam accounts and unwanted interactions.
• If you encounter any issue, report it to the ‘Platform’s reporting mechanism at the ‘Help Centre’.
• One can also reach out to the platform’s grievance officer.

‍

Device Security

‍

In today’s world, the interconnectedness is unavoidable, your devices, be it smartphones, tablets, laptops are not just tools, they are digital extensions of yourself. They contain your discussions, recollections, private information, and frequently your financial and professional information. Safeguarding your devices in the digital world can be equated with safeguarding your physical possessions against undesirable encroachments. Just like a sibling would never let anyone invade your privacy, you too must promise to keep your devices secured against malicious threats like malware, spyware, ransomware, and unauthorized access.

‍

Quick Tips

‍

• Update your apps, browsers, and operating systems frequently; these updates frequently contain security vulnerabilities.
• Install reliable anti-virus and anti-malware software, then perform routine device scans.
• Do not download files or apps from unidentified sources.
• Avoid using open or unprotected public Wi-Fi for private activities like email or banking. 
• Employ screen locks (passwords, biometrics, or PINs) to stop unwanted physical access.
• Enable remote wipe or ‘find my Device’ functions in case your device is lost or stolen.

‍

Digital Payments Security

‍

‍Rakshabandhan is all about giving, but let’s not make it easy for cyber fraudsters to take! Convenience can come at a great cost. It often comes with a danger of fraud, phishing, and money-stealing schemes, as evidenced by the rise in digital payments and UPI transactions. But by being cautious, one can avoid being defrauded.  Whether you’re gifting a sibling online or shopping for festive deals, promise yourself and your loved ones that you’ll transact wisely and safely.

‍

Quick Tips

‍

• Never give out your bank credentials, CVV, OTP, or UPI PIN to anyone, even if they seem trustworthy before extensively verifying their credentials.
• Before completing a transaction, confirm the account information or UPI ID.
• Refund or payment links sent by WhatsApp accounts or unknown numbers should not be clicked. 
• Use only trusted apps (like BHIM, PhonePe, Google Pay, etc.) downloaded from official app stores.

‍

Email Security

‍

Your email serves as a key to your digital kingdom and serves as more than just a tool for communication. Your email frequently connects everything, from banking to social networking. Scammers use phishing assaults, malware attachments, and impersonation frauds to target it first.  Just like a sibling watches your back, watch your inbox. Make a vow not to fall for the digital bait.

‍

Quick tips

‍

• Never open attachments or links in emails that seem strange or suspicious.
• Subject lines that evoke fear, such as “Account Suspended,” “Urgent Action Required” should be avoided. 
• Verify the sender’s email address at all times because scammers frequently use little misspellings to deceive you.
• Set up two-factor authentication and create a secure, one of a kind password for your email accounts.
• Avoid using unprotected Wi-Fi networks or public computers to check your email.
• Avoid responding to spam emails or unsubscribing through dubious links as this could give the attacker your address. 

‍

Common scams to watch out for

‍

Festive deals scams

‍

As the festive season sales surge in India, so does the risk of cyber scams. Cyber crooks exploit the victims and urge them to share OTPs under the guise of preventing fraudulent activity, sharing malicious links to get sensitive information. 

‍

Mis-disinformation 

‍

The spread of mis-disinformation has surged on social media platforms. It spreads like wildfire across the digital landscape, and the need for effective strategies to counteract these challenges has grown exponentially in a very short period. ‘Prebunking’ and ‘Debunking’ are two approaches for countering the growing spread of misinformation online.

‍

Deepfake and Voice cloning scams

‍

By using the Deepfake technology, cybercriminals manipulate audio and video content which looks very realistic but, in actuality, is fake. Voice cloning is also a part of deepfake. To create a voice clone of anyone's, audio can be deepfaked too, which closely resembles a real one but, in actuality, is a fake voice created through deepfake technology. 

‍

Juice Jacking

‍

Cybercriminals can hack your phone using or exploiting some public charging stations, such as at airports, Malls, hotel rooms, etc. When you plug your cell phone into a USB  power charger, you may be plugging into a hacker. Juice jacking poses a security threat commonly at places that provide free charging stations for mobile devices. 

‍

Suspicious links & downloads

‍

Suspicious links & downloads can lead you to a phishing site or install malware into your system, which can even lead to compromise your device, expose sensitive data, and cause financial losses.

‍

Conclusion

‍

This Rakhi, ensure your and your sibling’s online safety and security by being cybersafe and smart. You can seek assistance from the CyberPeace Helpline at helpline@cyberpeace.net

‍

‍

Introduction

Data Breaches have taken over cyberspace as one of the rising issues, these data breaches result in personal data making its way toward cybercriminals who use this data for no good. As netizens, it's our digital responsibility to be cognizant of our data and the data of one's organization. The increase in internet and technology penetration has made people move to cyberspace at a rapid pace, however, awareness regarding the same needs to be inculcated to maximise the data safety of netizens. The recent AIIMS cyber breach has got many organisations worried about their cyber safety and security. According to the HIPPA Journal, 66% of healthcare organizations reported ransomware attacks on them. Data management and security is the prime aspect of clients all across the industry and is now growing into a concern for many. The data is primarily classified into three broad terms-

• Personal Identified Information (PII) - Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
• Non-Public Information (NPI) - The personal information of an individual that is not and should not be available to the public. This includes Social Security Numbers, bank information, other personal identifiable financial information, and certain transactions with financial institutions.
• Material Non-Public Information (MNPI) - Data relating to a company that has not been made public but could have an impact on its share price. It is against the law for holders of nonpublic material information to use the information to their advantage in trading stocks.

This classification of data allows the industry to manage and secure data effectively and efficiently and at the same time, this allows the user to understand the uses of their data and its intensity in case of breach of data. Organisations process data that is a combination of the above-mentioned classifications and hence in instances of data breach this becomes a critical aspect. Coming back to the AIIMS data breach, it is a known fact that AIIMS is also an educational and research institution. So, one might assume that the reason for any attack on AIIMS could be either to exfiltrate patient data or could be to obtain hands-on the R & D data including research-related intellectual properties. If we postulate the latter, we could also imagine that other educational institutes of higher learning such as IITs, IISc, ISI, IISERs, IIITs, NITs, and some of the significant state universities could also be targeted. In 2021, the Ministry of Home Affairs through the Ministry of Education sent a directive to IITs and many other institutes to take certain steps related to cyber security measures and to create SoPs to establish efficient data management practices. The following sectors are critical in terms of data protection-

• Health sector
• Financial sector
• Education sector
• Automobile sector

These sectors are generally targeted by bad actors and often data breach from these sectors result in cyber crimes as the data is soon made available on Darkweb. These institutions need to practice compliance like any other corporate house as the end user here is the netizen and his/her data is of utmost importance in terms of protection.Organisations in today's time need to be in coherence to the advancement in cyberspace to find out keen shortcomings and vulnerabilities they may face and subsequently create safeguards for the same. The AIIMS breach is an example to learn from so that we can protect other organisations from such cyber attacks. To showcase strong and impenetrable cyber security every organisation should be able to answer these questions-

• Do you have a centralized cyber asset inventory?
• Do you have human resources that are trained to model possible cyber threats and cyber risk assessment?
• Have you ever undertaken a business continuity and resilience study of your institutional digitalized business processes?
• Do you have a formal vulnerability management system that enumerates vulnerabilities in your cyber assets and a patch management system that patches freshly discovered vulnerabilities?
• Do you have a formal configuration assessment and management system that checks the configuration of all your cyber assets and security tools (firewalls, antivirus management, proxy services) regularly to ensure they are most securely configured?
• Do have a segmented network such that your most critical assets (servers, databases, HPC resources, etc.) are in a separate network that is access-controlled and only people with proper permission can access?
• Do you have a cyber security policy that spells out the policies regarding the usage of cyber assets, protection of cyber assets, monitoring of cyber assets, authentication and access control policies, and asset lifecycle management strategies?
• Do you have a business continuity and cyber crisis management plan in place which is regularly exercised like fire drills so that in cases of exigencies such plans can easily be followed, and all stakeholders are properly trained to do their part during such emergencies?
• Do you have multi-factor authentication for all users implemented?
• Do you have a supply chain security policy for applications that are supplied by vendors? Do you have a vendor access policy that disallows providing network access to vendors for configuration, updates, etc?
• Do you have regular penetration testing of the cyberinfrastructure of the organization with proper red-teaming?
• Do you have a bug-bounty program for students who could report vulnerabilities they discover in your cyber infrastructure and get rewarded?
• Do you have an endpoint security monitoring tool mandatory for all critical endpoints such as database servers, application servers, and other important cyber assets?
• Do have a continuous network monitoring and alert generation tool installed?
• Do you have a comprehensive cyber security strategy that is reflected in your cyber security policy document?
• Do you regularly receive cyber security incidents (including small, medium, or high severity incidents, network scanning, etc) updates from your cyber security team in order to ensure that top management is aware of the situation on the ground?
• Do you have regular cyber security skills training for your cyber security team and your IT/OT engineers and employees?
• Do your top management show adequate support, and hold the cyber security team accountable on a regular basis?
• Do you have a proper and vetted backup and restoration policy and practice?

If any organisation has definite answers to these questions, it is safe to say that they have strong cyber security, these questions should not be taken as a comparison but as a checklist by various organisations to be up to date in regard to the technical measures and policies related to cyber security. Having a strong cyber security posture does not drive the cyber security risk to zero but it helps to reduce the risk and improves the fighting chance. Further, if a proper risk assessment is regularly carried out and high-risk cyber assets are properly protected, then the damages resulting from cyber attacks can be contained to a large extent.