Which DPDP Consent Platform Actually Enforces Compliance?

Siddhangana Karmakar
6 min read

Privy, Leegality, and OneTrust excel at DPDP consent governance, but none directly enforce consent across CPaaS vendors. BFSI institutions need consent-enforcing communication orchestration platforms like Fyno to bridge Consent Management Platforms (CMPs) and messaging providers, turning consent policies into real-time enforcement without custom integration per vendor.

Fyno - DPDP Compliance Enforcement Platform

Your bank's compliance team has shortlisted three consent management platforms: Privy by IDfy for India-specific DPDP compliance, Leegality for integrated document infrastructure, or OneTrust for global privacy management. The CTO asks: "Which platform integrates best with our communication infrastructure, sending 50 million monthly messages?"

The question contains a hidden assumption - that selecting the right CMP automatically solves DPDP-compliant communication. Reality reveals a more complex architecture: consent platforms excel at governance (capturing, storing, managing consent) but don't control communication execution (validating consent before each send, routing based on preferences, maintaining delivery audit trails).

Platform Comparison: Capabilities and Gaps

Privy by IDfy: India-Focused DPDP Specialist

Privy offers multilingual consent notices across 22 Indian languages with SHA-256 hashing and tamper-proof artifacts. Inspect AI delivers real-time compliance assessments with BFSI-specific templates.

undefined

Integrations: REST APIs, webhooks, CRM systems (Salesforce, Zoho).
Gaps: No CPaaS vendor connections. No pre-send validation. No channel-level routing.
Best for: Indian enterprises wanting deep DPDP alignment with AI compliance assistance.

Leegality extends its 400+ BFSI client document infrastructure into consent management with multi-channel collection. Data discovery scans systems to map personal data locations. Also available in 22 Indian languages.

undefined

Integrations: API-first architecture, CRM/ERP integration, marketing tool connectors.
Gaps: No real-time consent enforcement in campaigns. No CPaaS vendor management. No delivery audit trails.
Best for: Organizations wanting unified consent plus document execution infrastructure.

OneTrust: Global Privacy Management Leader

OneTrust operates at enterprise scale with 14,000+ global customers across GDPR, CCPA, and DPDP. Privacy workflow automation handles assessments, data subject requests, and breach notification.

undefined

Integrations: 300+ pre-built integrations, consent validation APIs, and comprehensive vendor risk management.
Gaps: No India-specific CPaaS integrations. No TRAI DLT compliance handling. No real-time promotional message blocking.
Best for: Large enterprises operating across jurisdictions with mature privacy teams.

The Enforcement Gap All Three Platforms Share

CMPs manage consent governance brilliantly, but don't manage communication execution. Consider this scenario:

Marketing creates an audience of 10 lakh customers in Netcore. The campaign triggers at 10 AM across SMS (Gupshup), WhatsApp (Kaleyra), and email (SendGrid). Who checked if all 10 lakh customers have valid promotional consent?

Without orchestration: Gupshup sends SMS to 10 lakh customers, including 2 lakh who withdrew consent last week. Kaleyra sends WhatsApp to 3 lakh customers who consented to SMS only, not WhatsApp.

Result: 50,000+ DPDP violations, potential ₹250 crore penalty exposure, zero audit trail linking sends to consent artifacts.

CMPs provide APIs, but CPaaS vendors don't call those APIs. They're message delivery infrastructure, not consent-enforcing middleware.

Who makes the API call before each send? Who blocks non-compliant messages? Who routes to alternate channels based on preferences? Who maintains the audit trail linking delivery to the consent artefact?

That's the communication orchestration layer banks must build or buy.

Why CPaaS Vendors Don't Close the Gap

Banks often assume "Gupshup says they're DPDP-ready, so we're covered." Understanding what "DPDP-ready" actually means reveals the architectural gap.

What DPDP-ready means for CPaaS:

  • Accept consent metadata in the message payload if you provide it

  • Store basic delivery logs

  • Maintain TRAI DLT compliance for sending infrastructure

What DPDP-ready doesn't mean for CPaaS:

  • Integrate with your CMP (Privy, Leegality, OneTrust)

  • Validate consent before accepting messages

  • Block promotional sends when consent is missing

  • Enforce channel-level preferences

  • Link deliveries to CMP consent artifact IDs

The architectural reality: CPaaS platforms send what you tell them to send. CMPs track who consented to what. The orchestration layer validates consent, routes intelligently, and maintains compliance. Gupshup cannot query Privy's API. OneTrust cannot send messages via Kaleyra.

Because for a CPaaS player it means re-engineering their platform, API services, and data handling practices to comply with India's Digital Personal Data Protection (DPDP) Act of 2023 and its subsequent 2025 Rules.

For CPaaS platforms, this implies moving from a "data processor" mindset to a proactive data stewardship model. It involves operationalizing privacy by design, implementing strict data localization, and ensuring a transparent consent management system and audit trail.

Fyno's Vendor-Agnostic Communication Enforcement

Fyno makes any CMP choice operationally effective by providing the missing enforcement layer between consent governance and message delivery.

Single Integration, Universal Enforcement

CMP Integration: Fyno connects to Privy, Leegality, or OneTrust via REST API and webhooks. The platform queries real-time consent status before every promotional send, listens for instant consent withdrawal propagation, and supports consent artifact ID linking in delivery audit trails.

Communication Provider Integration: 100+ pre-built vendor integrations span:

  • SMS: Gupshup, Kaleyra, ValueFirst, Twilio, MSG91, Route Mobile

  • WhatsApp: Kaleyra, Gupshup, Interakt, Twilio, Infobip, 360dialog

  • Email: SendGrid, AWS SES, Postmark, Mailgun

  • Push: FCM, APNs, OneSignal

Intelligent Orchestration: Pre-built routing logic executes compliance automatically with Fyno Preference manager.

How Fyno acts as middleware for DPDP compliance enforcement

Fyno queries CMP API: Does Customer X have valid promotional consent across SMS, WhatsApp, email? If yes, proceed. If no, block and log. If SMS-only consent, route via SMS gateway and block WhatsApp and email. When the primary vendor fails, automatic failover maintains consent enforcement.

Platform-Specific Value Propositions

For Privy users: Fyno becomes the communication execution arm of Privy's consent governance, enforcing decisions across all CPaaS vendors with zero custom integration per vendor.

For Leegality users: Fyno extends consent infrastructure into real-time workflows, translating consent artifacts into actionable routing rules.

For OneTrust users: Fyno provides India-specific communication enforcement for OneTrust's global framework, bridging enterprise governance with India's CPaaS ecosystem.

11:00 AM - Customer withdraws promotional consent in Privy
11:00 AM - Privy webhook triggers Fyno suppression update
11:01 AM - Fyno updates suppression across all vendors
11:30 AM - Campaign launches targeting 5 lakh customers
Result: Withdrawn customer automatically excluded from SMS (Gupshup), WhatsApp (Kaleyra), Email (SendGrid)

Without orchestration: Each vendor requires separate suppression list updates with manual coordination and high error risk.

Capability Comparison

Capability

CMP Only

CMP + CPaaS

CMP + Fyno + CPaaS

Consent Collection

Consent Storage

Legal Audit Trail

Pre-Send Validation

❌ Custom dev

✅ Automatic

Consent Enforcement

❌ Custom dev

✅ Built-in

Real-Time Withdrawal

⚠️ No vendor sync

⚠️ Manual updates

✅ Webhook-triggered

Multi-Vendor Management

❌ Per-vendor dev

✅ Unified API

Delivery Audit Trail

⚠️ Consent only

⚠️ Delivery only

✅ Linked trail

Message Classification

❌ Manual

✅ Automatic

Vendor Failover

❌ Custom dev

✅ Intelligent routing

TRAI DLT Compliance

⚠️ Manual per vendor

✅ Unified

Integration Timeline

3-4 months

6-9 months

Less than 12 weeks

Reframing the Integration Question

The question should never be just "Which CMP integrates best?"

All three platforms - Privy, Leegality, OneTrust provide robust consent governance with strong API capabilities. The integration challenge isn't the CMP. It's the communication infrastructure layer.

The right question: "How do we enforce consent decisions across our communication stack?"

Rather than building custom middleware connecting your CMP to 8-12 CPaaS vendors, use Fyno’s pre-built communication orchestration architecture.

It provides:

  • Pre-built CMP integrations,

  • Pre-built CPaaS integrations (100+ vendors),

  • Pre-built enforcement logic (validation, routing, audit trails), and

  • Zero custom development per vendor or channel.

Choose Your CMP Based on Governance Needs

Want AI-powered compliance with vernacular support? → Privy
Want document infrastructure integration with data discovery? → Leegality
Want global multi-jurisdiction support? → OneTrust

Then Add Fyno for Communication Enforcement

Regardless of CMP choice, Fyno ensures your consent decisions control your 50M monthly messages across SMS, WhatsApp, email, and push, without rebuilding integration when you switch vendors or add channels.

The DPDP Act mandates consent governance. TRAI requires DLT compliance. RBI expects real-time consent validation. Communication orchestration platforms translate consent policy into executable routing rules that CMPs cannot provide.

Consent Enforcement scenarios:

  • Consent exists for SMS but not WhatsApp → Route via SMS, block WhatsApp

  • Consent withdrawn 30 minutes ago → Suppress in real-time across all vendors

  • Message is transactional OTP → Allow regardless of promotional consent per DPDP "lawful use"

Summary

Consent management platforms solve governance - capturing, storing, and managing user consent according to DPDP requirements. However, consent governance isn't consent enforcement. The gap between "customer consented to SMS promotions" and "this campaign only reached customers with active SMS consent" requires communication orchestration.

Privy excels at India-specific DPDP compliance with AI assistance. Leegality brings document infrastructure strength to consent management. OneTrust provides enterprise-scale privacy management across jurisdictions.

None connect your consent decisions to CPaaS vendors in real-time to validate consent before each send, enforce channel-specific preferences, or maintain delivery audit trails linked to consent artifacts.

That enforcement layer - the bridge between consent governance and message delivery, is what Fyno provides through vendor-agnostic orchestration. Banks choose the best CMP for governance needs, then add Fyno to make those consent decisions operationally effective across their entire communication infrastructure.

The result: DPDP-compliant communication without rebuilding integrations when vendors change, channels expand, or regulatory requirements evolve.

Frequently Asked Questions

Can't our CMP vendor integrate directly with Gupshup/Kaleyra/Twilio?
CMPs provide REST APIs for consent validation, but CPaaS vendors don't call those APIs. The orchestration layer sits between CMP and CPaaS, making API calls before each send and enforcing consent decisions in real-time.
Our CPaaS vendor says they're "DPDP-ready" - doesn't that solve the problem?
"DPDP-ready" means they can accept consent metadata if you provide it and maintain basic delivery logs. It doesn't mean they integrate with your CMP, validate consent before sending, or enforce channel-level preferences.
What if we want to switch CMPs later - do we rebuild Fyno integration?
No. Switching from Privy to Leegality requires updating a single API endpoint configuration, not rebuilding the enforcement layer. Communication workflows remain unchanged.
How does Fyno handle consent withdrawal that happens mid-campaign?
When a customer withdraws consent, your CMP triggers a webhook to Fyno. Fyno immediately updates suppression lists across all integrated CPaaS vendors, ensuring exclusion from in-flight or future campaigns within seconds.
We're planning to add WhatsApp to our SMS infrastructure - does this require new consent validation logic?
With Fyno, adding WhatsApp requires no code changes. Configure the WhatsApp BSP vendor in Fyno dashboard, map consent preferences, and Fyno automatically enforces channel-specific consent rules.
What regulatory requirements do CMPs handle versus orchestration?
CMPs handle DPDP consent capture: SHA-256 hashed artifacts, 7-year retention, 24-hour withdrawal processing, multilingual notices. Orchestration handles operational enforcement: pre-send validation, channel routing, message classification, delivery audit trails, TRAI DLT compliance, and real-time suppression propagation.
How does TRAI's DLT compliance relate to DPDP consent management?
TRAI DLT requires SMS template registration for spam prevention. DPDP requires explicit consent before promotional messaging. Banks need both: DLT approval for what you can send, DPDP consent for who you can send to.
Can Fyno work with our custom-built consent management system?
Yes. Fyno integrates via standard REST APIs and webhooks with any consent system - commercial or custom-built. As long as your system provides consent status APIs and webhook support, Fyno can enforce those decisions.

Join our 2K+ readers

Get one actionable email a week on managing your notification infrastructure – no spam.

Fyno

Fyno is a modern infrastructure for product and engineering teams to build and manage their notification or communications service with minimum effort.

Visit Site

Previous Post

How Leading Banks Achieve ~95% WhatsApp Delivery Through Orchestration

Like what you're reading?

Join 2K+ subscribers for one actionable weekly email on managing notifications – no spam.