Managing Consent Across Channels: Web, Mobile Apps, and IoT
Mar 5, 2026
Article by

Introduction
Consent now exists across a diverse range of digital and physical touchpoints. The Digital Personal Data Protection Act, 2023, with its 2025 Rules, requires that consent be free, specific, informed, unconditional, and unambiguous. As data moves through web portals, mobile applications, Internet of Things (IoT) devices, and paper forms, upholding these standards becomes increasingly complex. Each channel utilises distinct mechanisms for providing notice and obtaining user action, which complicates the management and expression of individual choices. Despite these complexities, the Data Fiduciary is obligated to ensure that revocation of consent in one context is promptly reflected across all other platforms.
This fragmentation creates a tension between what the law requires and how data systems actually operate. Although Section 5 and Rule 3 require comprehensive notice and verifiable consent records, modern data ecosystems are marked by fragmented identity graphs, disparate consent repositories, and asynchronous batch processing of physical forms that delays digitisation. Without synchronisation across these systems, organisations risk developing compliance silos, where a preference indicated in a smartphone application does not prevent processing in a connected appliance or centralised data warehouse. This disconnect undermines the autonomy that the statute seeks to protect.
The real challenge is not just getting valid consent once but making sure that consent is managed properly across all the places where data is collected and used. For example, if someone turns off analytics in a mobile app, they should not still be tracked on the website. If a customer opts out of marketing at a retail counter, the central CRM system should respect that choice.
A Single Consent Backbone, Many Front Ends
Before analysing individual channels, the unifying design principle must be clarified. Section 6(10) assigns the burden of proof to the Data Fiduciary, requiring demonstration that a compliant notice was provided and that the data principal consented. This becomes challenging when each channel maintains isolated consent records.
GoTrust approaches this by treating consent as a central, system-agnostic object rather than a field buried deep inside each application. Its Consent and Preference Management module defines purposes, data categories and consent states once, then exposes them through software development kits (SDKs), application programming interfaces (APIs) and user interfaces that can be embedded into different environments. Each front end may look different to suit the context, but all of them speak to the same consent backbone.
This architecture matters for DPDP compliance because it solves two difficult problems at once. First, it ensures that consent is recorded in a standard, audit-ready format with metadata such as timestamp, context, language, and purpose. Second, it allows updates made in one place to be propagated everywhere, preventing divergent records and accidental non-compliance.
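A minimal sketch of such a backbone, added here as an illustration and not GoTrust's own code or API: every channel appends to one hash-chained ledger and asks it the same question before processing. The class, field and identifier names are assumptions, as is the use of hash chaining to make the record audit-ready; the sample records are constructed.

```python
# Added example: names and the hash-chaining scheme are assumptions, not a vendor API.
import hashlib, json
from dataclasses import asdict, dataclass
from datetime import datetime

GENESIS = "0" * 64

@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    granted: bool
    channel: str     # context in which the choice was made
    language: str    # language of the notice shown
    acted_at: str    # ISO 8601 time the principal acted, not ingestion time
    prev_hash: str   # links this record to the one before it

    def digest(self) -> str:
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()

class ConsentLedger:
    def __init__(self):
        self.events, self.hashes = [], []

    def record(self, principal_id, purpose, granted, channel, language, acted_at):
        prev = self.hashes[-1] if self.hashes else GENESIS
        ev = ConsentEvent(principal_id, purpose, granted, channel, language, acted_at, prev)
        self.events.append(ev)
        self.hashes.append(ev.digest())

    def is_permitted(self, principal_id, purpose) -> bool:
        # Every channel asks this before processing. Most recent action wins;
        # on a timestamp tie, withdrawal wins; no record at all means deny.
        matches = [e for e in self.events if (e.principal_id, e.purpose) == (principal_id, purpose)]
        latest = max(matches, key=lambda e: (datetime.fromisoformat(e.acted_at), not e.granted), default=None)
        return latest.granted if latest else False

    def verify(self) -> bool:
        # Recompute the chain; an edited or reordered record breaks it.
        prev = GENESIS
        for ev, stored in zip(self.events, self.hashes):
            if ev.prev_hash != prev or ev.digest() != stored:
                return False
            prev = stored
        return True

def build_sample() -> ConsentLedger:
    ledger = ConsentLedger()  # constructed sample data, in ingestion order
    ledger.record("dp-1001", "marketing", True, "web", "en", "2026-01-05T10:00:00+00:00")
    ledger.record("dp-1001", "marketing", False, "mobile_app", "hi", "2026-02-01T08:30:00+00:00")
    # Paper form signed in January but digitised by a batch job after the withdrawal.
    ledger.record("dp-1001", "marketing", True, "paper_form", "en", "2026-01-20T12:00:00+00:00")
    return ledger
```

Because the answer is resolved by when the principal acted rather than when the record was ingested, the late-digitised paper form does not override the app withdrawal. The chain detects edits only if the latest hash is also kept somewhere the ledger's operator cannot rewrite.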
Establishing Verifiable Records as the New Web Standard
Online, consent usually takes the shape of privacy notice links, cookie banners, and form checkboxes. The DPDP Act raises the bar for all of these. Rule 3 insists that notices stand alone, be written in language anyone can understand, and spell out exactly what personal data will be used and why. Vague statements are no longer considered sufficient.
Organisations now need clear proof of when and how someone agreed to share their data, and for what purpose. That proof forms a reliable record of user consent, one that can be verified, audited, and respected across every channel. This isn’t only about legal compliance; it’s about earning people’s trust by being open about how their data is handled.
Mobile Apps: Respecting UX Without Weakening Consent
Mobile applications present distinct challenges, including limited screen space and users’ aversion to cluttered interfaces. Interrupting users with consent prompts can negatively impact the user experience. Nevertheless, the requirements outlined in Sections 5 and 6 remain applicable. Consent must be informed, specific, and straightforward to provide or withdraw.
The solution is not to reduce information, but to design consent interactions that appear at the right time and in the right context. GoTrust’s consent SDKs for mobile applications let organisations embed concise, contextual prompts directly into the app experience instead of redirecting users to web views.




