Managing Consent Across Channels: Web, Mobile Apps, and IoT
Mar 5, 2026
Introduction
Consent now exists across a diverse range of digital and physical touchpoints. The Digital Personal Data Protection Act, 2023, with its 2025 Rules, requires that consent be free, specific, informed, unconditional, and unambiguous. As data moves through web portals, mobile applications, Internet of Things (IoT) devices, and paper forms, upholding these standards becomes increasingly complex. Each channel utilises distinct mechanisms for providing notice and obtaining user action, which complicates the management and expression of individual choices. Despite these complexities, the Data Fiduciary is obligated to ensure that revocation of consent in one context is promptly reflected across all other platforms.
This fragmentation creates a tension between the legal requirement and the technical reality. Although Section 5 and Rule 3 require comprehensive notice and verifiable consent records, modern data ecosystems are marked by fragmented identity graphs, disparate consent repositories, and asynchronous batch processing of physical forms that delays digitisation. Without synchronisation across these systems, organisations risk developing compliance silos, where a preference indicated in a smartphone application does not prevent processing in a connected appliance or a centralised data warehouse. This disconnect undermines the autonomy that the statute seeks to protect.
The real challenge is not just getting valid consent once but making sure that consent is managed properly across all the places where data is collected and used. For example, if someone turns off analytics in a mobile app, they should not still be tracked on the website. If a customer opts out of marketing at a retail counter, the central CRM system should respect that choice.
A Single Consent Backbone, Many Front Ends
Before analysing individual channels, the unifying design principle must be clarified. Section 6(10) assigns the burden of proof to the Data Fiduciary, requiring demonstration that a compliant notice was provided and that the data principal consented. This becomes challenging when each channel maintains isolated consent records.
GoTrust approaches this by treating consent as a central, system-agnostic object rather than a field buried deep inside each application. Its Consent and Preference Management module defines purposes, data categories and consent states once, then exposes them through software development kits (SDKs), application programming interfaces (APIs) and user interfaces that can be embedded into different environments. Each front-end may look different to suit the context, but all of them speak to the same consent backbone.
This architecture matters for DPDP compliance because it solves two difficult problems at once. First, it ensures that consent is recorded in a standard, audit-ready format with metadata such as timestamp, context, language, and purpose. Second, it allows updates made in one place to be propagated everywhere, preventing divergent records and accidental non-compliance.
Establishing Verifiable Records as the New Web Standard
Online, consent usually takes the shape of privacy notice links, cookie banners, and form checkboxes. The DPDP Act raises the bar for all of these. Rule 3 insists that notices stand alone, are written in language anyone can understand, and spell out exactly what personal data will be used and why. Vague statements are no longer considered sufficient.
Organisations now need clear proof of when and how someone agreed to share their data, and for what purpose. Such proof creates a reliable record of user consent, one that can be verified, audited, and respected across every channel. This is not only about legal compliance; it is about earning people's trust by being open about how their data is handled.
Mobile Apps: Respecting UX Without Weakening Consent
Mobile applications present distinct challenges, including limited screen space and users’ aversion to cluttered interfaces. Interrupting users with consent prompts can negatively impact the user experience. Nevertheless, the requirements outlined in Sections 5 and 6 remain applicable. Consent must be informed, specific, and straightforward to provide or withdraw.
The solution is not to reduce information, but to design consent interactions that appear at the right time and in the right context. GoTrust's consent SDKs for mobile applications let organisations embed concise, contextual prompts directly into the app experience instead of redirecting users to web views.
IoT Devices: Making the Invisible Visible
Connected devices routinely collect data in the background, often without notifying users. Whether it is a smart meter, fitness tracker, car telematics unit, or in-store sensor, these devices gather information continuously. One major challenge in IoT is that users often interact with their devices somewhere else entirely. Setting up an IoT device usually happens through a mobile app or a web portal, not on the device itself. These companion platforms become the stage for delivering notices and collecting consent. GoTrust’s consent manager steps in here, providing a single, streamlined place for users to review and manage their consents for all their connected devices, even when those devices cannot show detailed information themselves.
Design-Centric Compliance: Leveraging ISO/IEC 27030 and 27400
As IoT devices become deeply integrated into the lives of consumers, managing consent shifts to a hardware-and-infrastructure challenge. Two important international standards provide the blueprint for this change: ISO/IEC 27400 (2022) and the emerging ISO/IEC 27030.
ISO/IEC 27400 is the primary guideline for cybersecurity and privacy in IoT systems. It takes a "secure-by-design" approach, moving beyond simple encryption to address the entire ecosystem: gateways, cloud interfaces, and endpoints. For consent management, this means ensuring that privacy controls are not just functional but interoperable across a fragmented network of devices.
Complementing this, ISO/IEC 27030 focuses on the design and labelling of consumer IoT. It addresses transparency by providing clear guidelines for privacy-preserving IoT design and standardised consumer labelling. For an "always-audit-ready" program, adopting these standards ensures that your IoT consent mechanisms are not just legally compliant under the DPDP Act, but globally recognised for their technical and ethical integrity.
Consent Managers and Interoperability
The DPDP Act recognizes that, given the proliferation of services and providers, individuals should not be required to manage consents separately for each service. Sections 6(7) and 6(9) establish the concept of Consent Managers, which are registered entities serving as a single interface through which data principals can provide, review, and withdraw consent across multiple Data Fiduciaries.
In practice, this means that consent management systems used by organisations will have to speak not only to their own applications, but also to external Consent Managers. GoTrust’s guidance on Consent Managers under the DPDPA sets out how its platform is designed to integrate with such intermediaries. When a data principal uses a registered Consent Manager to withdraw consent for a particular purpose, that decision is received as a standardised consent artefact and applied across the relevant data flows inside the organisation.
Multi-channel consent requires that any update made through a Consent Manager is immediately reflected across all relevant touchpoints. For example, when a data principal withdraws marketing consent via a dashboard, this change must propagate to web trackers, application notifications, smart device offers, and offline call lists. In the absence of a unified and interoperable consent layer, some channels are likely to keep processing on the basis of a consent that no longer exists.
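The following Python model is an added illustration of the single-backbone pattern described under "A Single Consent Backbone" and of the propagation requirement just stated; it is not GoTrust's code or the page's own. It assumes a canonical record keyed by (principal, purpose) with the metadata the page names (timestamp, context, language, purpose), channel adapters that consult that record rather than holding their own copy, and a constructed artefact layout for a withdrawal arriving from a registered Consent Manager.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Channels that act on the "marketing" purpose (names are this example's own).
MARKETING_CHANNELS = ("web_tracker", "app_notification", "smart_device_offer", "offline_call_list")

@dataclass(frozen=True)
class ConsentRecord:
    """One consent artefact: the canonical object every channel reads. Field names are assumptions."""
    principal_id: str
    purpose: str
    state: str            # "given" or "withdrawn"
    channel: str          # where the action was taken: web, mobile, iot_companion, paper, consent_manager
    language: str         # language of the notice shown
    notice_version: str   # which notice text the principal saw
    timestamp: str        # ISO 8601, UTC

class ConsentBackbone:
    """Single source of truth: current state per (principal, purpose) plus an append-only audit log."""
    def __init__(self):
        self._current = {}
        self.audit_log = []

    def record(self, principal_id, purpose, state, channel, language, notice_version):
        if state not in ("given", "withdrawn"):
            raise ValueError(f"unknown consent state: {state}")
        rec = ConsentRecord(principal_id, purpose, state, channel, language, notice_version,
                            datetime.now(timezone.utc).isoformat())
        self._current[(principal_id, purpose)] = rec
        self.audit_log.append(asdict(rec))   # every change is kept, not only the latest state
        return rec

    def is_permitted(self, principal_id, purpose):
        # Default deny: no record means consent was never given for this purpose.
        rec = self._current.get((principal_id, purpose))
        return rec is not None and rec.state == "given"

def channel_decisions(backbone, principal_id):
    """Each front end asks the backbone instead of keeping its own copy of the preference."""
    return {ch: backbone.is_permitted(principal_id, "marketing") for ch in MARKETING_CHANNELS}

def apply_consent_manager_artefact(backbone, artefact):
    """Apply a decision received from a registered Consent Manager (artefact layout is constructed here)."""
    return backbone.record(artefact["principal_id"], artefact["purpose"], artefact["state"],
                           "consent_manager", artefact["language"], artefact["notice_version"])

def demo():
    cb = ConsentBackbone()
    cb.record("dp-001", "marketing", "given", "mobile", "hi-IN", "notice-v3")        # constructed sample
    cb.record("dp-001", "service_delivery", "given", "web", "en-IN", "notice-v3")    # a second purpose
    before = channel_decisions(cb, "dp-001")
    apply_consent_manager_artefact(cb, {"principal_id": "dp-001", "purpose": "marketing", "state": "withdrawn",
                                        "language": "hi-IN", "notice_version": "notice-v3"})
    after = channel_decisions(cb, "dp-001")
    return before, after, cb.is_permitted("dp-001", "service_delivery"), len(cb.audit_log)
```

Running `demo()` shows every marketing channel switching off together after the single withdrawal, while the unrelated service-delivery purpose stays permitted and the audit log retains all three changes.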
Bridging Channels for DPDP Success – GoTrust
When these channel-specific patterns are examined collectively, a consistent picture emerges. The primary challenge organisations encounter under DPDP relates less to the mechanics of individual banners or forms and more to the integration of all channels handling personal data into a unified consent framework.
GoTrust’s platform is designed with this in mind. Its core capabilities combine consent and preference management, privacy automation, data discovery and governance into a single environment. Web implementations use the same purpose models and consent artefacts as mobile implementations. IoT consent is anchored in the same system, even if the device has no screen of its own. Offline data collection flows take advantage of the same APIs as online forms. Integrations with registered Consent Managers ensure that decisions made outside the organisation’s own interfaces are still honoured.
From a DPDP perspective, when regulators, auditors, or data principals ask on what basis a given piece of data is being processed, the answer is independent of the collection channel. There is a single canonical record of consent, a unified process for withdrawals, and one set of logs tracking consent changes over time.
Conclusion
The management of consent across various platforms has become a legal requirement under the DPDP Act and Rules. The legislation stipulates that consent must be informed, purpose-specific, reversible, and supported by verifiable records. The Data Fiduciary bears the responsibility of demonstrating compliance with these requirements.
