#FactCheck: A viral claim suggests that India Post will remove all red letter boxes across the country beginning 1 September 2025.

Introduction

‍
The Digital Personal Data Protection (DPDP) Act 2023 of India is a significant transition for privacy legislation in this age of digital data. A key element of this new law is a requirement for organisations to have appropriate, user-friendly consent mechanisms in place for their customers so that collection, use or removal of an individual's personal data occurs in a clear and compliant manner. As a means of putting this requirement into practice, the Ministry of Electronics and Information Technology (MeitY) issued a comprehensive Business Requirements Document (BRD) in June 2025 to guide organizations, as well as Consent Managers, on how to create a Consent Management System (CMS). This document establishes the technical and functional framework by which organizations and individuals (Data Principals) will exercise control over the way their data is gathered, used and removed.

‍

Understanding the BRD and Its Purpose

‍

BRD represents an optional guide created as part of the "Code for Consent" programme run by MeitY in India. The purpose of the BRD is to provide guidance to startups, digital platforms and other enterprises on how to create a technology system that supports management of user consent per the requirements of the DPDP Act. Although the contents of the BRD do not carry any legal weight, it lays out a clear path for organisations to create their own consent mechanisms using best practices that align with the principles of transparency, accountability and purpose limitation in the DPDP Act.

‍

The goal is threefold:

‍

1. Enable complete consent lifecycle management from collection to withdrawal.
2. Empower individuals to manage their consents actively and transparently.
3. Support data fiduciaries and processors with an interoperable system that ensures compliance.

‍

Key Components of the Consent Management System

‍

The BRD proposes the development of a modular Consent Management System (CMS) that provides users with secure APIs and user-friendly interfaces. This system will allow for a variety of features and modules, including:

‍

1. Consent Lifecycle Management – consent should be specific, informed and tied to an explicit purpose. The CMS will manage the collection, validation, renewal, updates and withdrawal of consent. Each transaction of consent will create a tamper-proof “consent artifact,” which will include the timestamp of creation as well as an ID identifying the purpose for which it was given.
2. User Dashboard – A user will be able to view and modify the status of their active, expired or withdrawn consent and revoke access at any time via the multilingual user-friendly interface. This would make the system accessible to people from different regions and cultures.
3. Notification Engine – The CMS will automatically notify users, fiduciaries and processors of any action taken with respect to consent, in order to ensure real-time updates and accountability.
4. Grievance Redress Mechanism – The CMS will include a complaints mechanism that allows users to submit complaints related to the misuse of consent or the denial of their rights. This will enable tracking of the complaint resolution status, and will allow for escalation if necessary.
5. Audit and Logging – As part of the CMS's internal controls for compliance and regulatory purposes, the CMS must maintain an immutable record of every instance of consent for auditing and regulatory review. The records must be encrypted, time-stamped, and linked permanently to a user and purpose ID.
6. Cookie Consent Management – A separate module will enable users to manage cookie consent for websites separately from any other consents.

‍

Roles and Responsibilities

‍

The BRD identifies the various stakeholders involved and their associated responsibilities.

‍

1. Data Principals (Users): The user has full authority to give, withhold, amend, or revoke their consent for the use of their personal data, at any time.
2. Data Fiduciaries (Companies): Companies (the fiduciaries) must collect the data principals' consents for each particular reason and must only begin processing a data subject's personal data after validating that consent through the CMS. Companies must also provide the data principals with any information or notifications needed, as well as how to resolve their complaints.
3. Data Processors: Data Processors must strictly adhere to the consent stated in the CMS, and Data Processors may only process personal data on behalf of the Data Fiduciary.
4. Consent Managers: The Consent Managers are independent entities that are registered with the Data Protection Board. They are responsible for administering the CMS, allowing users to manage their consent across different platforms.

‍

This layered structure ensures transparency and shared responsibility for the consent ecosystem.

‍

Technical Specifications and Security

‍

The following principles of the DPDP Act must be followed to remain compliant with the DPDP Act.

‍

• End-to-End Encryption: All exchanges of data with users must be encrypted using a minimum of TSL 1.3 and also encrypting within that standard.
• API-First Approach: API’s will be utilized to validate, withdraw and update consent in a secured manner using external sources.
• Interoperability/Accessibility: The CMS needs to allow for users to utilize several different languages (e.g. Hindi, Tamil, etc.) and be appropriate for use with various types of mobile devices and different abilities.
• Data Retention Policy: The CMS should also include automatic deletion of consent data (when the consent has expired or has been withdrawn) in order to maintain compliance with data retention limits.

‍

Legal Relevance and Timelines

‍

While the BRD itself is not enforceable, it is directly aligned with the upcoming enforcement of the DPDP Act, 2023. The Act was passed in August 2023 but is expected to come into effect in stages, once officially notified by the central government. Draft implementation rules, including those defining the role of Consent Managers, were released for public consultation in early 2025.

For businesses, the BRD serves as an early compliance tool—offering both a conceptual roadmap and technical framework to prepare before the law is enforced. Legal experts have described it as a critical resource for aligning data governance systems with emerging regulatory expectations.

‍

Implications for Businesses

‍

Organizations that collect and process user data will be required to overhaul their consent workflows:

1. No blanket consents: Every data processing activity must have explicit, separate consent.
2. Granular audit logs: Companies must maintain tamper-proof logs for every consent action.
3. Integration readiness: Enterprises need to integrate their platforms with third-party or in-house CMS platforms via the specified APIs.
4. Grievance redress and user support: Systems must be in place to handle complaints and withdrawal requests in a timely, verifiable manner.

Failing to comply once the DPDP Act is in force may expose companies to penalties, reputational damage, and potential regulatory action.

‍

Conclusion

‍
The BRD on Consent Management of India is a forward-looking initiative laying a technological framework that is an essential component of the DPDP Act concerning user consent; Although not yet a legal document, it provides an extent of going into all the necessary discipline for companies to prepare. As data protection grows in importance, developing consent mechanisms based on security, transparency, and the needs of the user is no longer just a regulatory requirement, but rather a requirement for the development of trust. This is the time for businesses to establish or implement CMS solutions that support this objective to be better equipped for the future of data governance in India.

‍

References

1. https://d38ibwa0xdgwxx.cloudfront.net/whatsnew-docs/8d5409f5-d26c-4697-b10e-5f6fb2d583ef.pdf
2. https://ssrana.in/articles/ministry-releases-business-requirement-document-for-consent-management-under-the-dpdp-act-2023/ 
3. https://dpo-india.com/Blogs/consent-dpdpa/ 
4. https://corporate.cyrilamarchandblogs.com/2025/06/the-ghost-in-the-machine-the-recent-business-requirement-document-on-consent/ 
5. https://www.mondaq.com/india/privacy-protection/1660964/analysis-of-the-business-requirement-document-for-consent-management-system 

‍

Introduction

MSMEs, being the cornerstone of the Indian economy, are one of the most vulnerable targets in cyberspace and no enterprise is too small to be a target for malicious actors. MSMEs hardly ever perform a cyber-risk assessment, but when they do, they may run into a number of internal problems, such as cyberattacks brought on by inadequate networking security, online fraud, ransomware assaults, etc.  Tackling cyber threats in MSMEs is critical mainly because of their high level of dependance on digital technologies and the growing sophistication of cyber attacks. Protecting them from cyber threats is essential, as a security breach can have devastating consequences, including financial loss, reputational damage, and operational disruptions.

Key Cyber Threats that MSMEs are facing

MSMEs are most vulnerable to are phishing attacks, ransomware, malware and viruses, insider threats, social engineering attacks, supply chain attacks, credential stuffing and brute force attacks and Distributed Denial of Service (DDoS) Attacks. Some of these attacks are described as under-

• Insider threats arise from employees or contractors who intentionally or unintentionally compromise security. It involves data theft, misuse of access privileges, or accidental data exposure. 
• Social engineering attacks involve manipulating individuals into divulging confidential information or performing actions that compromise security by pretexting, baiting, and impersonation. 
• Supply chain attacks exploit the trust in relationships between businesses and their suppliers and introduce malware, compromise data integrity, and disrupt operations.
• Credential stuffing and brute force attacks give unauthorized access to accounts and systems, leading to data breaches and financial losses.

Challenges Faced by MSMEs in Cybersecurity

The challenges faced  by MSMEs in cyber security are mainly due to limited resources and budget constraints which leads to other issues such as a lack of specialized expertise as MSMEs often lack the IT support of cyber security experts. Awareness and training are needed to mitigate poor understanding of cyber threats and their complexity in nature. Vulnerabilities in the supply chain are present as they rely on third-party vendors and partners often, introducing potential supply chain vulnerabilities. Regulatory compliance is often complex and is taken seriously only when an issue crops up but it needs special attention especially with the DPDP Act coming in. The lack of an incident response plan leads to delayed and inadequate responses to cyber incidents, increasing the impact of breaches.

Best Practices for Tackling Cyber Threats for MSMEs

To effectively tackle cyber threats, MSMEs should adopt a comprehensive approach such as:

• Implementing and enforcing strong access controls by using MFA or 2FA and password policies. Limiting employee access as role based and updating the same as and when needed.
• Regularly apply security patches and use automated patch management solutions to prevent exploitation of known vulnerabilities.
• Conduct employee training and awareness programs and promote a security-first approach for the employees and assessing employee readiness to identify improvement areas.
• Implement network security measures by using firewalls and intrusion detection systems. Using secure Wi-Fi networks via strong encryptions and changing default credentials for the router are recommended, as is segmenting networks to limit lateral movement within the network in case of a breach.
• Regular data backup ensures that in case of an attack, data loss can be recovered and made available in secure offsite locations to protect it from unauthorized access. 
• Developing an incident response plan that outlines the roles, responsibilities and procedure for responding to cyber incidents with regular drills to ensure readiness and clear communication protocols for incident reporting to regulators, stakeholders and customers.
• Implement endpoint security solutions using antivirus and anti-malware softwares. Devices should be against unauthorized access and implement mobile device management solutions enforcing security policies on employee-owned devices used for work purposes.
• Cyber insurance coverage will help in transferring financial risks in case of cyber incidents. It should have comprehensive coverage including business interruptions, data restoration, legal liabilities and incident response costs.

Recommended Cybersecurity Solutions Tailored for MSMEs

1. A Managed Security Service Provider offers outsourced cybersecurity services, including threat monitoring, incident response, and vulnerability management that may be lacking in-house.
2. Cloud-Based Security Solutions such as firewall as a service and Security Information and Event Management , provide scalable and cost-effective protection for MSMEs.
3. Endpoint Detection and Response (EDR) Tools detect and respond to threats on endpoints, providing real-time visibility into potential threats and automating incident response actions.
4. Security Awareness Training Platforms deliver interactive training sessions and simulations to educate employees about cybersecurity threats and best practices.

Conclusion

Addressing cyber threats in MSMEs requires a proactive and multi-layered approach that encompasses technical solutions, employee training, and strategic planning. By implementing best practices and leveraging cybersecurity solutions tailored to their specific needs, MSMEs can significantly enhance their resilience against cyber threats. As cyber threats continue to evolve, staying informed about the latest trends and adopting a culture of security awareness will be essential for MSMEs to protect their assets, reputation, and bottom line.

References:

• https://economictimes.indiatimes.com/small-biz/security-tech/security/cyber-security-pitfalls-and-how-negligence-can-be-expensive-for-msmes/articleshow/99508822.cms?from=mdr
• https://www.investopedia.com/financial-edge/0112/3-ways-cyber-crime-impacts-business.aspx 
• https://www.financialexpress.com/business/sme-msme-tech-cisco-launches-new-tool-for-smbs-to-assess-their-cybersecurity-readiness-2538348/ 
• https://www.cloverinfotech.com/blog/small-businesses-big-problems-are-cyber-attacks-crushing-indias-msmes/ 

‍

Introduction

Google.org is committed to stepping ahead to enhance Internet safety and responsible online behaviour. ‘Google for INDIA 2023’, an innovative conclave, took place on 19th October 2023. Google.org has embarked on its vision for a safer Internet and combating misinformation, financial frauds and other threats that come from bad actors. Alphabet Big Tech is committed to leading this charter and engaging with all stakeholders, including government agencies. Google.org has partnered with CyberPeace Foundation to foster a safer online environment and empower users on informed decisions on the Internet. CyberPeace will run a nationwide awareness and capacity-building Initiative equipping more than 40 Million Indian netizens with fact-checking techniques, tools, SoPs, and guidance for responsible and safe online behaviour. The campaign will be deployed in 15 Indian regional languages as a comprehensive learning outcome for the whole nation. Together, Google.org and CyberPeace Foundation aim to make the Internet safer for everyone and work in a direction to ensure that progress for everyone is built on a strong foundation of trusted information available on the Internet and pursuing the true spirit of “Technology for Good”.

Google.org and CyberPeace together for enhanced online safety

A new $4 million grant to CyberPeace Foundation will support a nationwide awareness-building program and comprehensive multilingual digital resource hub with content available in up to 15 Indian languages to empower nearly 40 million underserved people across the country in building resilience against misinformation and practice responsible online behaviour.  Together, Google.org and CyberPeace are on their way to creating a strong pathway of trusted Internet and a safer digital environment. The said campaign will be undertaken for a duration of 3 years, and the following key components will run at the core of the same: 

• CyberPeace Corps Volunteers: This will be a pan India volunteer engagement initiative to create a community of 9 million CyberPeace Ambassadors/First Responders/Volunteers to fight misinformation and promote responsible online behaviour going far into the rural, marginalised and most vulnerable strata of society. 
• Digital Resource Hub: In pursuance of the campaign, CyberPeace is developing a cutting-edge platform offering a wealth of resources on media literacy, responsible content creation, and cyber hygiene translated into 15 Indian regional languages for a widespread impact on the ground. 
• Public Sensitisation: CyberPeace will be conducting an organic series of online and offline events focusing on empowering netizens to discern fact from fiction. These sensitisation drives will be taken on by start master trainers from different regions of India to ensure all states and UTs are impacted. 
• CyberPeace Quick Reaction Team: A specialised team of tech enthusiasts that will work closely with platforms to rapidly address new-age cyber threats and misinformation campaigns in real-time and establish best practices and SoPs for the diverse elements in the industries. 
• Engaging Multimedia Content: With CyberPeace’s immense expertise in E-Course and digital content, the campaign will produce a range of multilingual multimedia resources, including informative videos, posters, games, contests, infographics, and more.
• Fact-check unit: Fact-check units will play a crucial role in monitoring, identifying, and doing fact analysis of the suspected information and overall busting the growing incidents of misinformation. Fake news or misinformation has negative consequences on society at large. The fact-check units play a significant role in controlling the widespread of misinformation. 

‍

Fight Against Misinformation 

Misinformation is rampant all across the world and requires attention. With the increasing penetration of social media and the internet, this remains a global issue. Google.org has taken up the initiative to address this issue in India and, in collaboration with CyberPeace Foundation taken a proactive step to multiple avenues for mass-scale awareness and upskilling campaigns have been piloted to make an impact on the ground with the vision of upskilling over 40 Million people in the country and building resilience against misinformation and practicing responsible online behavior. 

‍

Maj Vineet Kumar, Founder of CyberPeace, said,

"In an era in which digital is deeply intertwined with our lives, knowing how to discern, act on, and share the credible from the wealth of information available online is critical to our well-being, and of our families and communities. Through this initiative, we’re committing to help Internet users across India become informed, empowered and responsible netizens leading through conversations and actions. Whether it’s in fact-checking information before sharing it, or refraining from sharing unverified news, we all play an important role in building a web that is a safe and inclusive space for everyone, and we are extremely grateful to Google.org for propelling us forward in this mission with their grant support.”

‍

Annie Lewin, Senior Director of Global Advocacy and Head of Asia Pacific, Google.org said:

“We have a longstanding commitment to supporting changemakers using technology to solve humanity's biggest challenges. And, the innovation and zeal of Indian nonprofit organisations has inspired us to deepen our commitment in India. With the new grant to CyberPeace Foundation, we are proud to support solutions that speak directly to Google’s DNA, helping first-time internet users chart their path in a digital world with confidence. Such solutions give us pride and hope that each step, built on a strong foundation of trusted information, will translate into progress for all.”

‍

Conclusion

Google.org has partnered with government agencies and other Indian organisations with the vision of future-proof India for digital public infrastructure and staying a step ahead for Internet safety, keeping the citizens safe online. Google.org is taking its largest step yet towards online safety in India. There is widespread misinformative content and information in the digital media space or on the internet. This proactive initiative of Google.org in collaboration with CyberPeace is a commendable step to prevent the spread of misinformation and empower users to act responsibly while sharing any information and making informed decisions while using the Internet, hence creating a safe digital environment for everyone.

‍References:

• https://www.youtube.com/live/-b4lTVjOsXY?feature=shared
• https://blog.google/intl/en-in/products/google-for-india-2023-product-announcements/
• https://blog.google/intl/en-in/partnering-indias-success-in-a-new-digital-paradigm/
• https://telecom.economictimes.indiatimes.com/news/internet/google-to-debut-credit-in-india-announces-a-slew-of-ai-powered-launches/104547623
• https://theprint.in/economy/google-for-india-2023-tech-giant-says-it-removed-2-million-violative-videos-in-q2-2023/1810201/

‍