Consent Manager under DPDP Act 2023: Meaning, Registration and Compliance Guide
Updated on May 5, 2026
SolvLegal Team
8 min read

Consent Manager under the DPDP Act 2023: Meaning, Registration, and What Businesses Must Know

By the SolvLegal Team

Published on: May 5, 2026, 3:41 p.m.


Quick Answer

A Consent Manager under the Digital Personal Data Protection Act, 2023 (DPDP Act) is a registered Indian company that operates a secure, interoperable digital platform allowing individuals to give, review, modify, and withdraw their consent for data processing across multiple organizations, all from a single interface. Legally defined as a "person registered with the Board" under Section 2(g), a Consent Manager is in practice a technology-driven intermediary operating a dashboard or mobile application. It is accountable to the user, not to the business processing the data. Consent Managers must maintain a minimum net worth of Rs. 2 crore, register with the Data Protection Board of India, and keep tamper-proof consent logs for at least seven years. Their use by businesses is voluntary under law, though industry dynamics may make integration practically unavoidable in data-intensive sectors.

 

Introduction: A New Player in India's Data Privacy Landscape

Something subtle but significant changed when India enacted the Digital Personal Data Protection Act, 2023. Alongside familiar concepts like notice requirements, data fiduciaries, and penalty structures, the legislation quietly introduced a concept that many compliance professionals have still not fully understood: the Consent Manager. The term sounds straightforward enough. But once you start unpacking it, you realise that what the law says about a Consent Manager and what it actually does in practice are two different things, and that gap is exactly where most businesses get confused.

The DPDP Act, read alongside the DPDP Rules 2025 notified by the Ministry of Electronics and Information Technology in November 2025, creates a comprehensive framework for how personal data may be collected, used, and protected in India. At its core, the legislation is built around consent. Section 4 permits processing of personal data only with the Data Principal's consent or for the limited "legitimate uses" the Act lists, and Section 6 requires that such consent be free, specific, informed, unconditional, and unambiguous, signified by a clear affirmative action. The era of pre-ticked boxes, blanket authorisations buried in terms of service, and implied consent through continued use has formally ended.

Managing this consent across an increasingly complex digital economy is no small task. A person in today's India may interact with dozens of digital platforms every week, sharing data with banks, insurance companies, healthcare providers, e-commerce platforms, and government services. Each of those interactions potentially involves a separate consent. Tracking, modifying, or withdrawing those consents one by one is operationally impossible for the average user. The Consent Manager is the legal architecture's answer to that problem.

This guide explains the statutory definition of a Consent Manager, demystifies what the entity actually is and how it functions in practice, walks through the registration requirements and ongoing obligations under the DPDP Rules 2025, and maps out what businesses need to do now. Whether your organisation is considering becoming a Consent Manager, planning to integrate with one, or simply wants to understand how this new regime affects your existing data practices, this is where to start.

 

What Most People Get Wrong About the Consent Manager

The first and most common misunderstanding begins with the statutory definition. Under Section 2(g) of the DPDP Act, a Consent Manager is defined as "a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform." The word "person" in Indian law typically refers to a legal entity, and in this case, the entity in question must be a company incorporated in India.

So far, so straightforward. But here is where the confusion tends to set in. Because the law calls it a "Consent Manager," many people instinctively picture a human being, perhaps a compliance officer or a designated representative within a company, sitting at a desk and managing consent forms on behalf of users. That is not what this is.

A Consent Manager is not a person in the ordinary sense of the word. It is an entity that operates a technology platform. Think of it as a digital intermediary: a website, a mobile application, a dashboard that sits between users and the various companies that want to process their data. When a bank wants your consent to share your financial data with a lending partner, instead of navigating to the bank's website and finding the privacy settings buried three menus deep, you would open your Consent Manager application, see the request clearly explained, and approve or decline it in seconds. If you later change your mind, you go back to the same app and withdraw that consent. The Consent Manager logs everything, keeps the record for years, and ensures the relevant company is notified of your decision promptly.

This distinction matters enormously from a legal and compliance standpoint. The Consent Manager is not a compliance tool that a business deploys on its own website to manage its cookie banner. It is an independent, registered, regulated third party that answers to you, the user, not to any of the businesses whose data flows it facilitates. The DPDP Rules explicitly prohibit Consent Managers from having financial or operational interests in the data fiduciaries they serve. Their entire legal existence is structured around the principle that they serve the individual, not the enterprise.


How a Consent Manager Actually Works: The Platform Explained

The most helpful way to understand a Consent Manager's practical function is to trace a real transaction from start to finish. Imagine a patient, Priya, who has her diagnostic records stored at a diagnostic clinic. She wants to share those records with a specialist at a hospital across the city. Under the DPDP Act framework, the hospital cannot simply request and receive that data without Priya's explicit, informed consent.

Under the Consent Manager model, this is how the interaction unfolds. The hospital generates a consent request through its system, specifying exactly what data it wants, for what purpose, and for how long. That request is routed to Priya's Consent Manager app. On her phone, Priya sees a clear, plain-language notification: "XYZ Hospital is requesting access to your diagnostic records for the purpose of specialist consultation, valid for 30 days." She reviews it and taps approve. The Consent Manager records that decision, time-stamps it, and generates a cryptographic consent artifact, essentially a digital token that proves Priya gave this specific consent under these specific conditions. That artifact is forwarded to the diagnostic clinic, which then releases the encrypted records to the hospital. Throughout this entire process, the Consent Manager never reads Priya's health data. It only moves the consent and facilitates the transfer. The data itself flows directly between the two healthcare entities.

Now imagine that three weeks later, Priya reconsiders. She opens the Consent Manager app, finds the active consent for XYZ Hospital under her consent ledger, and withdraws it. The app immediately sends a withdrawal signal to the hospital's systems. The hospital is legally required to cease using that data and trigger deletion protocols accordingly. All of this takes Priya approximately ten seconds.

This is the operating model of a Consent Manager. It has four core functional components. The first is the user interface itself, typically a mobile application or web-based dashboard, designed to be intuitive and accessible across multiple languages. The second is the preference management layer, which allows users to see all their active, expired, and withdrawn consents in one consolidated view. The third is the consent grant and withdrawal mechanism, which must be as simple and frictionless as possible. The fourth is the audit trail, a tamper-proof log of every consent action, every notice presented to the user, and every data-sharing event that occurred as a result.

Think of it as the consent equivalent of a UPI app for payments. Just as a UPI application does not hold your money but facilitates the movement of funds between your bank and a merchant's bank, a Consent Manager does not hold your personal data but facilitates the movement of consent between you and any data fiduciary on the platform. The analogy is not perfect, but it captures the essential logic: a regulated intermediary layer that simplifies a complex multi-party transaction for the end user while maintaining a verifiable record of every instruction.

 

The Statutory Framework: What the Law Actually Says

The DPDP Act and DPDP Rules 2025 together create a two-layer legal foundation for Consent Managers. The Act establishes the concept and the general obligations, while the Rules, particularly Rule 4 and the First Schedule, fill in the operational details.

Section 6(7) of the DPDP Act establishes the right of a Data Principal, that is, the individual whose data is being processed, to use a Consent Manager for any consent-related activity. This is an enabling provision: the law is giving users the option, not mandating it.

Section 6(8) makes the Consent Manager explicitly accountable to the Data Principal. This is the fiduciary provision. The Consent Manager owes its primary legal duty to the user, not to any data fiduciary that happens to use its platform.

Section 6(9) requires every Consent Manager to be registered with the Data Protection Board of India (DPB). Registration is not optional. Any entity operating as a Consent Manager without registration would be operating illegally.

Rule 4 of the DPDP Rules 2025 operationalises the registration process. It sets out how applications are made, how the Board evaluates them, and what happens if a registered Consent Manager fails to maintain compliance. Crucially, Rule 4 also empowers the Board to suspend or cancel a Consent Manager's registration in the interest of data principals.

The First Schedule of the DPDP Rules (Parts A and B) is where the real detail lives. Part A sets out the eligibility criteria an applicant must meet before it can even apply. Part B lists the ongoing obligations that a registered Consent Manager must fulfil throughout its operational life. These schedules are not advisory guidelines; they carry the same legal force as the rules themselves.

The implementation timeline is structured deliberately. The DPDP Rules 2025, notified in November 2025, set Rule 4 (governing Consent Manager registration) to come into force twelve months after notification, which means November 2026. The broader substantive obligations for data fiduciaries, including notice requirements, consent workflows, and breach reporting, are set for full enforcement approximately eighteen months after notification, around May 2027. This phased rollout gives prospective Consent Managers a runway to build their infrastructure, secure their certification, and file their applications before the market formally opens.

 

Registration Requirements: Who Can Become a Consent Manager

Not every technology company can register as a Consent Manager. The eligibility criteria under Part A of the First Schedule are demanding, and intentionally so. The policy rationale is to ensure that only well-capitalised, technically capable, and ethically governed entities occupy this critical intermediary role. Here is what the law requires.

Indian Incorporation

The applicant must be a company incorporated in India under the Companies Act. There is no workaround here. A foreign entity, a limited liability partnership, an individual, or a trust cannot register as a Consent Manager. The geographic ring-fencing ensures that the Data Protection Board has full jurisdictional authority over the entity and that enforcement, if necessary, is straightforward.

Minimum Net Worth of Rs. 2 Crore

The applicant must demonstrate a minimum net worth of Rs. 2 crore, calculated as total assets minus total liabilities. This threshold is intended to filter out undercapitalised start-ups that might not have the financial resilience to operate a high-availability, heavily audited platform over the long term. For context, building and maintaining a secure consent management infrastructure, with robust APIs, end-to-end encryption, and round-the-clock availability, requires meaningful investment. The Rs. 2 crore floor is a baseline, not a ceiling.

Technical, Operational, and Financial Capacity

Beyond the net worth figure, the applicant must affirmatively demonstrate that it has sufficient capacity across technical, operational, and financial dimensions to fulfil its obligations. This is a holistic assessment. The Board will look at the quality of the applicant's technology architecture, its security certifications, its team, its operational processes, and its financial sustainability. This is not a paper exercise; the Board may mandate technical audits or penetration testing of the proposed platform.

Sound Financial Condition and Management

The applicant's financial condition must be sound, and its management must have a track record of fairness and integrity. The Directors, Key Managerial Personnel, and senior management of the applicant are all subject to character and background scrutiny. The Data Protection Board has broad discretion to determine what "sound" and "fair" mean in this context, which effectively makes this a reputational and governance assessment in addition to a financial one.

Governance Provisions Embedded in Constitutional Documents

Here is a requirement that catches many applicants off guard. The company's Memorandum and Articles of Association must contain specific provisions committing to the conflict-of-interest restrictions and fiduciary obligations required under the Rules. These provisions, once embedded, cannot be amended without the prior approval of the Data Protection Board. This is a structural governance safeguard. It means that even if the Consent Manager changes its leadership or is subject to a corporate restructuring, the user-first obligations are baked into the company's foundational documents and cannot be quietly removed by passing a board resolution.

Independent Technical Certification

Before registration, the applicant must obtain a certification from an independent third party confirming two things. First, that the consent management platform complies with the technical and data protection standards published by the Board. Second, that the applicant has in place the technical and organisational measures necessary to meet its ongoing obligations. In practice, this will likely require compliance with standards such as ISO/IEC 27001 and the generation of SOC 2 Type II audit reports. The certification is not a one-time formality; it signals to the market and the regulator that the platform has been independently validated.

Change of Control Requires Board Approval

Any significant change in corporate control, whether a merger, acquisition, or material shift in shareholding, requires the prior approval of the Data Protection Board. This provision reflects the sensitive nature of the Consent Manager's role. If ownership of a Consent Manager were to change hands without oversight, it could fundamentally alter the entity's independence and its commitment to serving users rather than business interests.

 

Operating Obligations: What a Consent Manager Must Do Every Day

Registration is the beginning, not the end. Once registered, a Consent Manager assumes a formidable set of ongoing obligations under Part B of the First Schedule. These are not aspirational guidelines; they are legally enforceable conditions. Breaching any of them can trigger action by the Data Protection Board, including penalties of up to Rs. 50 crore.

The Data-Blind Architecture: The Sealed Courier Principle

The most fundamental technical obligation of a Consent Manager is that it must never read the personal data it facilitates. The Rules require that data shared through the platform remain unreadable by the Consent Manager; practitioners describe this as a "data-blind" or "sealed courier" architecture. When personal data flows from one entity to another via the Consent Manager's infrastructure, the data must remain encrypted and inaccessible to the Consent Manager itself. The platform processes and logs the consent artifact, the cryptographic token that records the parameters of the transaction, but it never touches the underlying information.

Why does this matter? Because a Consent Manager that could read user data would itself become a massive data repository, a target for breaches, a potential data broker, and a source of conflicts of interest. The sealed courier design ensures the platform remains a pure intermediary. It carries the package without knowing what is inside.

Tamper-Proof Consent Logs

Every consent granted, denied, modified, or withdrawn through the platform must be recorded in a tamper-proof log. The log must capture not just the user's decision but also the exact notice or information that was presented to the user at the time. This is the evidentiary backbone of the entire system. If a dispute arises about whether a user actually consented to a specific data use, the Consent Manager's log is the definitive record.

These records must be retained for a minimum of seven years, and longer if required by other applicable laws or by agreement with the user. Seven years is a substantial retention period. It reflects the legislature's intent that consent records should be auditable for the duration of any realistic legal dispute or regulatory inquiry related to data processing.

User Access to Consent Records

The individual user must be able to see their consent history at any time. This means the Consent Manager's interface must provide a clear, chronological ledger of all consents: which organisations have access to which data, when consent was given, for what purpose, and when it expires or was withdrawn. If a user requests it, the Consent Manager must provide this log in machine-readable format, for instance as a downloadable file in CSV or JSON. This is essentially a portability right for consent records.

Easy Withdrawal as a Core Design Principle

The DPDP Act is explicit that withdrawing consent must be as easy as giving it. This is not merely a UX preference; it is a statutory requirement. A Consent Manager cannot design its interface in a way that makes withdrawal difficult, obscure, or burdensome. Dark patterns, which are design choices intended to confuse or discourage users from exercising their rights, are incompatible with this obligation. When a user withdraws consent, the Consent Manager must immediately notify the relevant data fiduciary, which is then legally obligated to stop processing and, where applicable, initiate deletion.
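The mechanics described in the Priya walk-through above, in the tamper-proof log and user-access obligations, and in this withdrawal section, as an added example that is not part of the original article and not the code of any registered Consent Manager: a hash-chained consent ledger in which every grant records the exact notice text shown to the user, mints a signed consent artifact that names data categories and a purpose but carries no personal data, supports withdrawal with a notification message for the fiduciary, and exports the ledger as JSON. The signing key, field names, and message format are assumptions for illustration; the Board's technical standards have not yet been published. HMAC is used only so the block runs on the standard library; a real deployment would sign artifacts with an asymmetric key so fiduciaries and the Board can verify them without holding the Consent Manager's secret.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Hypothetical signing key held by the Consent Manager (assumption for this example).
# A real deployment would use an asymmetric key (e.g. Ed25519) so a fiduciary or the
# Board can verify an artifact without the Consent Manager's secret; HMAC is used here
# only so the example runs on the Python standard library.
CM_SIGNING_KEY = b"example-only-consent-manager-key"
GENESIS_HASH = "0" * 64


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so hashes and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_artifact(artifact: dict) -> str:
    return hmac.new(CM_SIGNING_KEY, canonical(artifact), hashlib.sha256).hexdigest()


def verify_artifact(artifact: dict, signature: str) -> bool:
    """Constant-time check that an artifact presented by a fiduciary is unmodified."""
    return hmac.compare_digest(sign_artifact(artifact), signature)


@dataclass
class ConsentLedger:
    """Append-only, hash-chained record of every consent action for one Data Principal."""
    principal_id: str
    entries: list = field(default_factory=list)

    def _append(self, event: dict) -> dict:
        # Each entry commits to the previous entry's hash, so editing, dropping or
        # reordering any earlier record breaks the chain.
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        body = {"seq": len(self.entries), "prev_hash": prev_hash, **event}
        entry = {**body, "entry_hash": hashlib.sha256(canonical(body)).hexdigest()}
        self.entries.append(entry)
        return entry

    def grant(self, fiduciary, data_categories, purpose, valid_from, valid_until, notice_text):
        """Record a grant and mint the signed artifact the fiduciary presents to the data source.

        The artifact names data categories and a purpose, never the data itself, which is
        what keeps the Consent Manager data-blind."""
        artifact = {
            "consent_id": secrets.token_hex(8),
            "principal_id": self.principal_id,
            "fiduciary": fiduciary,
            "data_categories": sorted(data_categories),
            "purpose": purpose,
            "valid_from": valid_from,
            "valid_until": valid_until,
        }
        signature = sign_artifact(artifact)
        # The exact notice shown to the user is logged alongside the decision.
        self._append({"action": "grant", "consent_id": artifact["consent_id"],
                      "timestamp": valid_from, "notice_text": notice_text,
                      "artifact": artifact, "signature": signature})
        return artifact, signature

    def withdraw(self, consent_id: str, timestamp: str) -> dict:
        """Record a withdrawal and build the notification pushed to the fiduciary."""
        entry = self._append({"action": "withdraw", "consent_id": consent_id,
                              "timestamp": timestamp})
        return {"type": "consent_withdrawn", "consent_id": consent_id,
                "effective": timestamp, "ledger_entry_hash": entry["entry_hash"]}

    def active_consents(self, now: str) -> list:
        """Grants not withdrawn and not expired at `now` (ISO-8601 UTC strings compare lexically)."""
        withdrawn = {e["consent_id"] for e in self.entries if e["action"] == "withdraw"}
        return [e["artifact"] for e in self.entries
                if e["action"] == "grant" and e["consent_id"] not in withdrawn
                and e["artifact"]["valid_from"] <= now <= e["artifact"]["valid_until"]]

    def verify_chain(self) -> bool:
        """Recompute every hash and back-link; any edited, dropped or reordered entry fails."""
        prev = GENESIS_HASH
        for seq, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != seq or entry["prev_hash"] != prev:
                return False
            if hashlib.sha256(canonical(body)).hexdigest() != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def export_json(self) -> str:
        """Machine-readable copy of the ledger for the Data Principal (portability)."""
        return json.dumps({"principal_id": self.principal_id, "entries": self.entries}, indent=2)


if __name__ == "__main__":
    # Constructed walk-through mirroring the Priya scenario: grant, verify, withdraw, audit.
    ledger = ConsentLedger("principal-priya")
    artifact, sig = ledger.grant("XYZ Hospital", ["diagnostic_records"], "specialist consultation",
                                 "2026-06-01T10:00:00Z", "2026-07-01T10:00:00Z",
                                 "XYZ Hospital is requesting access to your diagnostic records "
                                 "for the purpose of specialist consultation, valid for 30 days.")
    print("artifact valid:", verify_artifact(artifact, sig))
    print("withdrawal notice:", ledger.withdraw(artifact["consent_id"], "2026-06-22T09:00:00Z"))
    print("chain intact:", ledger.verify_chain(), "active:", ledger.active_consents("2026-06-23T00:00:00Z"))
```

The design choice worth noting is that the ledger hashes the notice text together with the decision, so a later claim that the user "consented to something else" can be refuted against the chain, and that the withdrawal notification carries the ledger entry hash, giving the fiduciary a reference it can cite if the Board asks when it learned of the withdrawal. A per-user chain is the minimum; a production system would additionally anchor periodic chain heads in a write-once store or sign them, since whoever controls the ledger database could otherwise rewrite the whole chain consistently.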

Fiduciary Duty and Conflict of Interest Prohibitions

The Consent Manager owes a fiduciary duty to the Data Principal. In legal terms, this means it must act with loyalty and care toward the user, placing the user's interests above its own commercial interests and certainly above the interests of any data fiduciary. To give this obligation teeth, the Rules impose explicit conflict-of-interest restrictions.

Directors, Key Managerial Personnel, and any individual holding more than 2% shareholding in a Consent Manager cannot hold directorships, employment, or material financial interests in any entity that operates as a data fiduciary and uses the Consent Manager's platform. The company must establish internal policies to detect and prevent such conflicts, and it must publish on its website or application the names and details of all promoters, directors, senior management, and shareholders with more than 2% stakes. Transparency here is not optional; it is mandatory.

No Outsourcing of Core Obligations

A Consent Manager cannot delegate or subcontract its core statutory functions to a third party. It may use cloud infrastructure providers and similar service vendors, but the legal accountability and operational orchestration of the consent management process must remain with the registered entity itself. This rule prevents a scenario where a company registers as a Consent Manager but then quietly hands over the actual operation to an unregulated technology vendor.

Security Safeguards

The Consent Manager must implement robust technical and organisational security measures to protect against unauthorised access, breaches, and manipulation of consent records. This encompasses strong encryption both at rest and in transit, access controls, intrusion detection systems, and documented incident response procedures. Given that the Consent Manager serves as a central hub for sensitive consent data across multiple sectors, the cybersecurity expectations are correspondingly high.

Independent Audits and Reporting to the Board

The Consent Manager must establish effective internal audit mechanisms and conduct regular independent third-party audits covering both technical controls and organisational compliance. The outcomes of these audits must be reported to the Data Protection Board at prescribed intervals. Audit frequency and format will be specified by the Board. This ongoing reporting obligation means the Board has continuous visibility into whether registered Consent Managers are maintaining their standards, rather than only learning of problems when something goes wrong.

Grievance Redressal Within 90 Days

Users must have a clear and accessible channel for registering complaints about the Consent Manager's conduct. Any grievance must be acknowledged, investigated, and resolved within a maximum of 90 days. If a user believes the Consent Manager failed to process their withdrawal correctly, disclosed information improperly, or otherwise breached its obligations, the grievance mechanism is the first point of recourse. If the complaint is not resolved satisfactorily, the user can escalate to the Data Protection Board.

 

India's Existing Consent Infrastructure: The Account Aggregator Precedent

To understand where Consent Managers under the DPDP Act are headed, it helps enormously to look at where India has already been. The concept of a regulated, data-blind intermediary for consent-based data sharing is not new to this country. It was pioneered in the financial sector through the Account Aggregator framework, developed under the Reserve Bank of India's regulatory purview and inspired by the Data Empowerment and Protection Architecture promoted by NITI Aayog.

Sahamati, the industry alliance representing this ecosystem, and RBI-licensed Account Aggregators such as Finvu have already demonstrated what a regulated, data-blind consent intermediary looks like in practice. An Account Aggregator allows a loan applicant to securely share their bank statements with a lender without ever handing over login credentials. The applicant opens their Account Aggregator application, approves the data request, and the relevant financial information flows directly from their bank to the lender, encrypted throughout, with the Account Aggregator maintaining a verified consent record but never reading the underlying financial data.

The Consent Manager under the DPDP Act is, in essence, a sector-agnostic extension of this model. Where Account Aggregators are licensed by the RBI and operate specifically in the financial data domain, DPDP Consent Managers will be registered with the Data Protection Board and operate across all sectors: healthcare, telecommunications, e-commerce, insurance, and beyond. The technical architecture and the fiduciary principles are almost identical; what changes is the scope.

This precedent is genuinely reassuring. India has already shown that this model can work at scale. The Account Aggregator ecosystem, now operating nationally across banks, lenders, and insurers, demonstrates that a regulated consent intermediary can reduce friction, improve trust, and create genuine value for both users and the businesses that serve them. The DPDP Consent Manager regime is the next logical step in that trajectory.

 

Are Consent Managers Mandatory for Businesses?

This is the question that surfaces most often in legal consultations, and the answer requires some careful parsing. The plain legal answer is no. The DPDP Act and Rules do not mandate that data fiduciaries, the businesses collecting and processing personal data, must use or integrate with a Consent Manager. Section 6(7) uses the word "may," not "must," when describing the Data Principal's option to use a Consent Manager. Data fiduciaries are entirely within their legal rights to build and operate their own consent systems, provided those systems independently meet every requirement the Act imposes: clear itemised notices, affirmative consent mechanisms, frictionless withdrawal, and tamper-proof record-keeping for seven years.

However, the practical reality is considerably more nuanced, and this is where business leaders need to think carefully. The operational burden of independently meeting every DPDP Act consent obligation at scale is substantial. For a large fintech with millions of users, processing thousands of real-time withdrawal requests, maintaining immutable compliance logs for seven years, bearing the entire burden of proof during any Data Protection Board inquiry, and building all the necessary API infrastructure for data portability represents a colossal and ongoing investment.

Integrating with a registered Consent Manager, by contrast, effectively outsources much of this operational burden to a regulated specialist. The Consent Manager becomes the custodian of the consent record, the operator of the withdrawal mechanism, and the primary interface between the user and the various organisations seeking their data. For a data fiduciary, this dramatically simplifies its compliance posture.

There is also a market dynamics argument that compliance professionals should take seriously. As Consent Manager platforms mature and gain user adoption, some users will begin to express a preference for exercising their data rights through their chosen Consent Manager rather than through each individual company's interface. A business that cannot accommodate this preference will face a straightforward choice: adapt its systems to integrate with Consent Managers, or risk losing those customers to competitors who have already done so.

The prudent position for any data-intensive business is to begin preparing for Consent Manager integration now, even if you do not expect to be legally required to do so. The architecture, the APIs, and the governance structures will need to be in place eventually. Starting that work early is far less disruptive than scrambling to catch up.

 

Penalties and Enforcement: The Regulatory Stakes

The DPDP Act adopts a civil penalty framework. There are no criminal sanctions for most violations, but the financial consequences of non-compliance are severe enough to concentrate the mind of any board of directors.

For Consent Managers, the primary penalty provision is Item 7 of the Schedule to the Act, which covers breaches of any provision of the Act or the Rules. This broad catch-all provision allows the Data Protection Board to impose a penalty of up to Rs. 50 crore per instance of violation. To appreciate the significance of this figure, consider what would constitute a violation: failing to maintain the seven-year consent log, allowing a security breach due to inadequate safeguards, failing to resolve grievances within 90 days, maintaining undisclosed financial ties with a data fiduciary, or operating without a valid registration. Each of these could independently trigger the Rs. 50 crore cap.

Beyond financial penalties, the Board has the power to impose binding directions on a Consent Manager to cure specific defects. If non-compliance is serious or systemic, the Board can suspend the Consent Manager's registration entirely, preventing it from operating. In the worst case, it can cancel the registration outright, effectively terminating the business. For a company whose entire commercial model depends on being a registered Consent Manager, suspension or cancellation is an existential threat, not merely a financial inconvenience.

For data fiduciaries operating within the ecosystem, the stakes are similarly high. A failure to implement reasonable security safeguards can attract penalties of up to Rs. 250 crore. Failure to notify the Board and affected individuals of a data breach without delay can result in penalties of up to Rs. 200 crore. Violations related to the processing of children's data carry a penalty ceiling of Rs. 200 crore. These figures are not illustrative; they are the actual caps provided in the Schedule to the Act.

The Data Protection Board functions as an independent regulatory body with wide adjudicatory powers. It can summon witnesses, issue binding directives, accept voluntary compliance undertakings, and impose penalties proportionate to the gravity and nature of the breach. Under Section 33 of the Act, the quantum of any penalty turns on factors such as the nature, gravity, and duration of the breach, the type and sensitivity of the personal data affected, whether the breach is repetitive, any gain realised or loss avoided, and the mitigating action the entity took once it became aware of the problem.


What Businesses Should Do Now: A Practical Compliance Roadmap

Whether your organisation is a prospective Consent Manager, a data fiduciary preparing to interact with Consent Managers, or simply a business trying to understand where this regime fits into its existing compliance structure, the phased implementation timeline gives you a window of opportunity. Use it.

Phase One: Map Your Data and Consent Architecture

Start with a thorough audit of how your organisation currently collects and manages consent. Identify every data touchpoint, every consent checkbox, every privacy notice, and every data-sharing arrangement. Determine whether your existing consent mechanisms meet the DPDP Act's standards for what constitutes valid consent: freely given, specific, informed, unconditional, and unambiguous through clear affirmative action. Most organisations will find areas requiring remediation, particularly if they have relied on implied consent, bundled authorisations, or opt-out mechanisms.

Phase Two: Redesign Your Consent Workflows

Where existing consent mechanisms fall short, redesign them. Privacy notices must be rewritten as standalone, itemised documents in plain language, setting out precisely what data is collected, for what purpose, and through what means. Consent mechanisms must require clear affirmative action. Withdrawal must be as simple as the initial grant. If your organisation does not currently maintain tamper-proof logs of consent decisions with the associated notices, build that infrastructure now.

Phase Three: Assess Your Integration Strategy

Once Rule 4 comes into force in November 2026, twelve months after notification of the Rules, registered Consent Managers will begin entering the market. Your organisation needs to decide its integration strategy before that happens. If you are a data fiduciary, consider whether integrating with a Consent Manager via API would simplify your compliance obligations and whether your technology infrastructure can support real-time consent state synchronisation. If you are exploring becoming a Consent Manager yourself, begin the detailed work of assessing your eligibility, building your platform, and securing the independent certification you will need before registration.

Phase Four: Corporate Governance and Documentation

For organisations pursuing registration as Consent Managers, the governance work is substantial. Your Articles of Association will need to be amended to embed the conflict-of-interest and fiduciary obligations required by the Rules. Your directors and Key Managerial Personnel (KMP) will need to review and disclose any financial relationships with data fiduciaries. Your net worth position will need to be verified and maintained. Internal audit mechanisms will need to be established and documented. These are not tasks that can be left to the last month before application.

For businesses working with reputable compliance technology vendors, it is worth evaluating tools such as Leegality, an Indian legal-tech platform that offers digital consent management capabilities relevant to the DPDP Act framework, as part of your interim compliance architecture while the formal Consent Manager ecosystem develops.

Finally, stay closely engaged with the guidance being published by the Data Protection Board. The Board will issue technical standards, registration formats, and procedural guidelines that will fill in many operational details not addressed in the current text of the Rules. The compliance picture will become progressively clearer as these standards emerge, but organisations that have already done the foundational work will be far better positioned to adapt quickly.


How India's Approach Compares to GDPR and Global Frameworks

For legal and compliance professionals who have spent years working within the GDPR framework, one comparison deserves special attention. Under the GDPR, consent management is largely a decentralised, business-managed activity. Each data controller builds its own systems to capture consent, manage preferences, and process withdrawal requests. The result, widely acknowledged across Europe and beyond, has been a fragmented landscape of cookie banners, consent fatigue, and wildly inconsistent compliance practices.

India's approach is architecturally different. By creating a class of regulated intermediaries specifically designed to centralise consent management from the user's perspective, the DPDP Act addresses the systemic problem that the GDPR left largely unsolved: the user is overwhelmed by the number of consent relationships they need to manage, and the decentralised model places all the tracking burden on the individual. The Consent Manager shifts that burden to a specialised, regulated entity that exists solely for this purpose.

It is also worth noting a critical distinction for international technology vendors. Many global companies use what are commonly called Consent Management Platforms, or CMPs, to manage their GDPR compliance. These tools, offered by providers such as TrustArc or OneTrust, are software products deployed by businesses to manage their own cookie consent workflows. They are accountable to the business deploying them, not to the individual user. They can read, analyse, and store user preference data. They have no licensing or registration requirements.

The DPDP Act Consent Manager is categorically different from a GDPR CMP. It is a registered, regulated third party that is legally accountable to the user, operates on a data-blind basis, cannot read the underlying personal data, and faces significant penalties for non-compliance. Deploying a GDPR-style CMP tool on your Indian website will not satisfy the obligations that arise in the context of the DPDP Act Consent Manager framework. These are two entirely different instruments serving related but distinct purposes.


Conclusion: Why This Matters and What Comes Next

The introduction of the Consent Manager into India's data protection framework is not a bureaucratic formality. It represents a deliberate architectural choice about how the digital economy will be governed. Rather than placing the entire burden of consent compliance on either users who cannot realistically track hundreds of consent relationships, or on individual businesses which have obvious commercial incentives to make consent as frictionless and broad as possible, the DPDP Act creates a new class of regulated intermediary whose entire purpose is to serve the user.

For businesses, the message is unambiguous. The era of treating consent as a box to be ticked on a registration page is over. Consent is now a dynamic, user-controlled relationship that must be managed throughout its lifecycle: from the initial grant through to modification and withdrawal. The infrastructure to support that lifecycle must be built, whether in-house or through integration with a registered Consent Manager. The penalties for getting it wrong are significant, and the reputational consequences in a market where users are becoming increasingly sophisticated about their data rights are potentially even greater.

For prospective Consent Managers, the regulatory bar is high but the opportunity is real. India has already demonstrated with the Account Aggregator framework that a data-blind, regulated consent intermediary can create genuine value at scale. The DPDP Consent Manager ecosystem, once it matures, has the potential to become a foundational piece of infrastructure for the entire Indian digital economy, as important in its domain as UPI has been for payments.

You can also refer to the official text of the Digital Personal Data Protection Act, 2023 and the DPDP Rules 2025 Schedule for the precise statutory language.


Frequently Asked Questions

What is a Consent Manager under the DPDP Act 2023?

A Consent Manager is an entity registered with the Data Protection Board of India that operates a digital platform allowing individuals, referred to in the Act as Data Principals, to give, review, modify, and withdraw their consent for data processing by multiple organisations, all from a single interface. Legally defined under Section 2(g) of the DPDP Act as "a person registered with the Board," the Consent Manager must be an Indian incorporated company that meets stringent financial, technical, and governance standards. Critically, the Consent Manager is accountable to the user, not to any business whose data flows it facilitates.


Is a Consent Manager the same as a Consent Management Platform used under GDPR?

No, they are fundamentally different. A GDPR Consent Management Platform is a software tool deployed by a business to manage its own cookie consent and user preference records. It is accountable to the business, can access and analyse user preference data, and requires no licensing or registration. An Indian DPDP Act Consent Manager is a registered, regulated third party accountable to the individual user, legally prohibited from reading the personal data it facilitates, and subject to penalties of up to Rs. 50 crore for non-compliance. Deploying a GDPR-style CMP tool does not satisfy the obligations that arise under the DPDP Act Consent Manager framework.


Who can register as a Consent Manager?

Only companies incorporated in India can apply. The applicant must demonstrate a minimum net worth of Rs. 2 crore, sufficient technical and operational capacity to operate a secure, interoperable consent platform, sound financial condition, and reputable management. Directors and Key Managerial Personnel are subject to character and background scrutiny. The company must also obtain an independent technical certification confirming that its platform meets the standards published by the Data Protection Board, and must embed conflict-of-interest and fiduciary obligations into its Memorandum and Articles of Association. Any subsequent amendments to these foundational documents require prior Board approval.


Are businesses legally required to use a Consent Manager?

No. The DPDP Act and DPDP Rules 2025 do not mandate that data fiduciaries use a Consent Manager. Section 6(7) uses permissive language: a Data Principal "may" use a Consent Manager, indicating an option available to the user rather than an obligation on the business. Businesses may continue to collect and manage consent directly through their own systems, provided those systems independently satisfy every requirement of the Act, including clear notices, affirmative consent mechanisms, frictionless withdrawal, and seven-year record retention. However, for data-intensive organisations, integrating with a Consent Manager may prove considerably more efficient and reduce regulatory risk.


What does "data-blind" mean and why does it matter?

A data-blind architecture means that the Consent Manager facilitates the transfer of personal data without being able to read or access that data itself. When a user consents to sharing medical records from Clinic A with Hospital B, the data flows between those two entities via the Consent Manager's infrastructure in an encrypted form that the Consent Manager cannot decrypt. The Consent Manager only processes and logs the consent artifact, a cryptographic token recording the parameters of the transaction. This design ensures the Consent Manager does not become a secondary data repository, prevents conflicts of interest, and protects user privacy even at the intermediary stage.
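
The data-blind relay and tamper-proof consent log described above (and the log requirement in Phase Two) as an added illustrative model in Python; this is not code from the original page or from any registered Consent Manager. It assumes Clinic A has already encrypted the record under a key shared only with Hospital B (the ciphertext is constructed opaque bytes standing in for that), and it chains log entries with SHA-256 in place of whatever standard the Board eventually publishes.

```python
import hashlib
import json

GENESIS = "0" * 64  # hash that the first log entry chains to

def _link(prev: str, event: dict) -> str:
    # Chain link: SHA-256 over (previous hash || canonical JSON of the event).
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

class ConsentManager:
    # Minimal model of a data-blind Consent Manager (illustrative, not a real platform):
    # holds consent artifacts and an append-only hash-chained log; never sees plaintext.
    def __init__(self):
        self.log = []        # [{"prev", "event", "hash"}]: tamper-evident audit trail
        self.consents = {}   # consent_id -> current artifact (the consent state)

    def _append(self, event: dict) -> None:
        prev = self.log[-1]["hash"] if self.log else GENESIS
        self.log.append({"prev": prev, "event": event, "hash": _link(prev, event)})

    def grant(self, principal, source, recipient, purpose, notice_id, granted_at):
        # The artifact records only the parameters of the consent, never the data.
        artifact = {"principal": principal, "source": source, "recipient": recipient,
                    "purpose": purpose, "notice_id": notice_id, "granted_at": granted_at, "status": "active"}
        consent_id = _link(GENESIS, artifact)[:16]   # stable id derived from the artifact
        self.consents[consent_id] = artifact
        self._append({"type": "grant", "consent_id": consent_id, "artifact": dict(artifact)})
        return consent_id

    def withdraw(self, consent_id, withdrawn_at):
        # Withdrawal is one call, as simple as the grant, and is itself logged.
        self.consents[consent_id]["status"] = "withdrawn"
        self._append({"type": "withdraw", "consent_id": consent_id, "at": withdrawn_at})

    def relay(self, consent_id, ciphertext: bytes) -> bytes:
        # Data-blind forwarding: refuse unless consent is active, log only a digest of the
        # opaque bytes (never their content), then pass them on untouched.
        art = self.consents.get(consent_id)
        if art is None or art["status"] != "active":
            raise PermissionError("no active consent for this transfer")
        self._append({"type": "transfer", "consent_id": consent_id,
                      "ciphertext_sha256": hashlib.sha256(ciphertext).hexdigest()})
        return ciphertext

    def verify_log(self) -> bool:
        # Recompute every link; an edited or deleted entry breaks every later link.
        prev = GENESIS
        for entry in self.log:
            if entry["prev"] != prev or _link(prev, entry["event"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

The log stores the grant artifact as a copy, so a later withdrawal changes the live consent state without rewriting history, and the seven-year retention obligation applies to this chain as a whole.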


What are the penalties for Consent Managers that violate their obligations?

The Data Protection Board can impose financial penalties of up to Rs. 50 crore per violation on Consent Managers that breach their statutory obligations. These obligations include maintaining seven-year consent logs, operating a data-blind platform, resolving grievances within 90 days, maintaining conflict-of-interest safeguards, and conducting regular independent audits. Beyond financial penalties, the Board can issue binding directions to cure specific defects, suspend a Consent Manager's registration, or cancel it entirely, which would terminate the entity's right to operate as a consent intermediary in India.


How does a Consent Manager compare to India's Account Aggregator framework?

The Account Aggregator framework, administered by the Reserve Bank of India, is the closest operational precedent for the DPDP Act Consent Manager model. Account Aggregators are RBI-licensed entities that intermediate consented data flows specifically within the financial sector, allowing users to share bank statements, investment records, and similar data with lenders or financial advisors on a consent-verified, data-blind basis. The DPDP Act Consent Manager extends this logic beyond the financial sector to cover all categories of personal data. The fiduciary principles, the data-blind architecture, and the emphasis on user control are substantively similar; what changes is the regulatory authority (Data Protection Board instead of RBI) and the scope of sectors covered.


When will Consent Managers begin operating in India?

Rule 4 of the DPDP Rules 2025, which governs the registration and obligations of Consent Managers, is scheduled to come into legal force twelve months after the notification of the Rules in November 2025, which means the registration framework should be operational by November 2026. The broader substantive obligations for data fiduciaries, including the full consent, notice, and breach reporting requirements, are expected to come into force by approximately May 2027. Businesses should use this window to build their compliance infrastructure, assess their integration strategy, and follow the Data Protection Board's guidance as it is published.


About the Author: SolvLegal Team

The SolvLegal Team is a collective of legal professionals dedicated to making legal information accessible and easy to understand. We provide expert advice and insights to help you navigate the complexities of the law with confidence.
