Consent Management

What Is a Consent Manager Under the DPDP Act?

The DPDP Act 2023 introduces Consent Managers as registered intermediaries that help individuals manage consent across multiple businesses. This is what the role requires and why it matters.

6 min read

A New Category of Regulated Entity

The DPDP Act 2023 creates a new regulated entity: the Consent Manager. Under Section 6(9), a Consent Manager is an entity registered with the Data Protection Board of India that acts as a single point of contact for Data Principals to manage their consent across multiple Data Fiduciaries.

This is not a voluntary role. To operate as a Consent Manager, an entity must be registered with the Board and must meet prescribed technical, operational, and financial standards.

A Consent Manager serves as an intermediary between Data Principals and Data Fiduciaries. Its functions include:

  • Consent aggregation: Providing Data Principals with a unified view of all consents they have given across different businesses
  • Consent withdrawal: Enabling Data Principals to withdraw consent from any Data Fiduciary through a single interface
  • Consent records: Maintaining accessible records of when, where, and for what purpose each consent was given
  • Rights facilitation: Helping Data Principals exercise their rights under the Act through a centralised channel

The concept draws from India’s Account Aggregator framework in the financial sector, where regulated intermediaries manage data sharing consent between financial institutions. The DPDP Act extends this model to all personal data processing.

Registration Requirements

The Data Protection Board will prescribe the conditions for registration as a Consent Manager. Based on the Act’s provisions and the Account Aggregator precedent, registered Consent Managers are expected to meet:

Technical Standards

  • Interoperability: Systems must communicate with Data Fiduciaries through standardised APIs
  • Security: Infrastructure must meet prescribed security standards for handling consent data
  • Availability: Systems must be operational and accessible to Data Principals at all times
  • Audit trail: Every consent action processed through the Consent Manager must be logged with cryptographic integrity

Operational Standards

  • Neutrality: A Consent Manager must act in the interest of the Data Principal, not the Data Fiduciary. It cannot receive compensation from Data Fiduciaries for influencing consent decisions.
  • Transparency: Data Principals must be able to see exactly what the Consent Manager does with their consent instructions
  • Accountability: The Consent Manager is responsible for ensuring consent instructions are accurately transmitted to Data Fiduciaries

Financial Standards

  • Net worth requirements: Minimum financial thresholds to ensure operational stability
  • Insurance: Coverage against operational failures that affect Data Principals

The specific thresholds and standards will be defined through rules issued under the Act.

Why This Matters for Businesses

Even if your business does not intend to operate as a Consent Manager, the framework affects you in two ways:

1. API Interoperability

When Consent Managers become operational, Data Fiduciaries will need to accept consent instructions from registered Consent Managers. This means your consent infrastructure must support:

  • Receiving consent grants and withdrawals from external authorised systems
  • Verifying that incoming instructions originate from a registered Consent Manager
  • Processing external consent instructions with the same effect as direct user actions
  • Reporting consent status to Consent Managers when requested

Businesses that build closed consent systems today may face costly retrofits when Consent Manager interoperability becomes mandatory.

2. Competitive Differentiation

Early Consent Manager registration creates a regulatory moat. The registration deadline is November 2026. Entities that register first will have an operational advantage in a market where compliance infrastructure is in high demand.

For businesses operating in the compliance technology space, the Consent Manager registration represents a unique opportunity to become a regulated intermediary in India’s data protection ecosystem.

The Data Protection Board is expected to begin accepting Consent Manager registration applications as enforcement approaches in November 2026. The registration window and process will be defined through Board notifications.

Entities planning to operate as Consent Managers should begin preparing their technical infrastructure, operational procedures, and registration documentation now. The DPDP compliance timeline tracks all key dates.

How ConsentOS Fits

ConsentOS is building the infrastructure layer that supports both Data Fiduciaries and Consent Manager operations. The platform handles consent capture, storage, and withdrawal with the cryptographic integrity and API interoperability that the Consent Manager framework will require.

To assess your organisation’s readiness for the Consent Manager ecosystem, take the free DPDP Gap Assessment.