
DPDP Consent Manager Registration: Who Needs It and How to Apply

Who must register as a Consent Manager under the DPDP Act? Complete guide to the November 2026 deadline, Rs 2 Cr net worth requirement, DPB registration process, and how Consent Managers differ from consent management platforms.


The Digital Personal Data Protection Act, 2023 introduces a new category of regulated entity that did not exist under India’s previous data protection regime: the Consent Manager. Under Section 6(8)–(9) of the Act and Rule 4 of the DPDP Rules 2025, any entity that wants to operate as a Consent Manager must register with the Data Protection Board of India before 13 November 2026.

This article explains exactly who needs to register, the eligibility conditions, the registration process, ongoing obligations, and the critical difference between a statutory Consent Manager and a consent management software platform.

Section 6(8) of the DPDP Act defines a Consent Manager as a person registered with the Data Protection Board who acts as a single point of contact to enable a Data Principal to:

  • Give consent to Data Fiduciaries through a unified interface
  • Manage existing consents across multiple services
  • Review what consents are active and what data is being processed
  • Withdraw consent from one or more Data Fiduciaries simultaneously

The concept draws from NITI Aayog’s 2020 Data Empowerment and Protection Architecture (DEPA) framework and the Account Aggregator model already operational in India’s financial sector. A Consent Manager is a consent intermediary: it sits between Data Principals (individuals) and Data Fiduciaries (organisations processing data), giving individuals a single dashboard to control their data-sharing preferences across platforms.

Key statutory provision: Under Section 6(8), the Consent Manager is accountable to the Data Principal, not to any Data Fiduciary. This fiduciary duty to the individual is foundational to the entire regulatory design.

This is where most organisations get confused. The DPDP Act uses “Consent Manager” as a specific legal term for a registered intermediary entity. It is not the same as a consent management platform (CMP), the software tools that Data Fiduciaries use to collect, store, and manage consent from their own users.

| Aspect | Consent Manager (DPDP Act) | Consent Management Platform (CMP) |
|---|---|---|
| Legal status | Registered entity under Section 6(9) | Software product / SaaS tool |
| Registration | Must register with DPB | No registration required |
| Accountable to | Data Principal (individual) | Data Fiduciary (client company) |
| Function | Cross-platform consent intermediary | Single-organisation consent collection and management |
| Net worth | Rs 2 crore minimum | No statutory requirement |
| Who uses it | Individuals managing consents across services | Companies managing consent from their own users |
| Examples | Account Aggregator-style entity | ConsentOS, OneTrust, CookieYes |

The distinction in plain terms: If your organisation is a Data Fiduciary looking for software to manage consent from your users, you need a consent management platform, not Consent Manager registration. If you want to build a cross-platform consent intermediary that individuals use to manage their consents across multiple services, you need DPB registration as a Consent Manager.

The November 2026 Deadline

The DPDP Act and DPDP Rules 2025 are being implemented in phases. Consent Manager provisions fall under Phase II, effective 12 months from the notification date:

| Phase | Effective Date | What Comes into Force |
|---|---|---|
| Phase I | 13 November 2025 | Data Protection Board of India setup, institutional framework |
| Phase II | 13 November 2026 | Consent Manager registration mandatory; Section 6(9) and Rule 4 obligations in force |
| Phase III | TBD (expected May 2027) | Full DPDP enforcement, penalties up to Rs 250 crore per incident |

Any entity operating as a Consent Manager after 13 November 2026 without DPB registration will be in violation of Section 6(9). With penalties under the DPDP Act reaching Rs 250 crore, operating without registration is not a viable strategy.

Several large incumbents, including major IT services and telecom players, are preparing to pursue Consent Manager registration as neutral cross-sector intermediaries. For a Data Fiduciary, this does not change the obligation. It makes interoperability the requirement: your consent systems must be ready to exchange grant, review, and withdrawal signals with whichever registered Consent Managers your Data Principals choose to use.

Part A of the First Schedule to the DPDP Rules 2025 sets out nine conditions that an applicant must satisfy. The Board must be satisfied on all of them before granting registration.

1. Indian Incorporation

The applicant must be a company incorporated in India under the Companies Act, 2013. LLPs, partnerships, sole proprietorships, and foreign entities cannot apply. This effectively excludes global players like OneTrust from registering as Consent Managers in India unless they set up an Indian subsidiary.

2. Sufficient Technical, Operational, and Financial Capacity

The entity must demonstrate it can deliver on the Consent Manager mandate: building and maintaining an interoperable consent platform, handling high volumes of consent transactions, and sustaining operations over time.

3. Sound Financial Condition and Management

The Board will assess the overall financial health and governance quality of the applicant, including debt levels, revenue sustainability, and management track record.

4. Minimum Net Worth of Rs 2 Crore

This is the hard financial threshold. The requirement ensures Consent Managers have sufficient capital to sustain operations and meet obligations.

5. Adequate Business Volume, Capital Structure, and Earnings Prospects

The Board must be satisfied that the applicant’s projected business volume justifies its capital structure and that earnings prospects are sustainable. This prevents shell companies from registering purely to hold the licence.

6. Directors and KMP of Good Character

Directors, key managerial personnel (KMP), and senior management must be individuals with a general reputation and record of fairness and integrity. Background checks and character assessments form part of the application process.

7. MOA and AOA Provisions

The Memorandum of Association and Articles of Association must contain provisions:

  • Requiring adherence to conflict-of-interest and fiduciary obligations (Items 9 and 10 of Part B)
  • Ensuring policies and procedures for compliance are in place
  • Stating that these provisions can only be amended with prior approval of the Board

8. Operations in the Interest of Data Principals

The applicant’s proposed operations must demonstrably serve the interests of Data Principals, not the commercial interests of the applicant or its affiliated Data Fiduciaries.

9. Independent Certification

The applicant must obtain independent certification confirming that:

  • Its interoperable platform meets data protection standards and the assurance framework published by the Board
  • It has implemented adequate safeguards for the personal data processed through its platform

Step-by-Step: The Registration Process

Rule 4 of the DPDP Rules 2025 outlines the registration procedure:

Step 1: Prepare the Application

Compile all required particulars, information, and documents as specified by the Board on its website. This includes corporate documents, financial statements, technical specifications of your platform, independent certification reports, and details of directors and KMP.

Step 2: Submit to the Data Protection Board

File the application with the DPB in the form and manner published on the Board’s website. The Board’s online portal is expected to go live well before the November 2026 deadline.

Step 3: Board Inquiry

The Board may make such inquiry as it deems fit to verify fulfilment of the Part A conditions. This could include requesting additional documentation, conducting interviews, or commissioning independent assessments.

Step 4: Registration Decision

The Board will either:

  • Register the applicant: notify the applicant, publish the Consent Manager’s particulars on its website, and issue the registration
  • Reject the application: communicate the reasons for rejection to the applicant

Step 5: Ongoing Compliance

Registration is not a one-time exercise. Consent Managers must continuously meet Part A conditions and comply with Part B obligations. The Board can revoke registration if conditions are no longer met.

Ongoing Obligations After Registration (Part B of First Schedule)

Once registered, Consent Managers carry significant ongoing obligations.

Record-Keeping

  • Maintain comprehensive records of all consent transactions for a minimum of seven years
  • Consent records may not be accessed to read the underlying personal data. The Consent Manager manages the consent artefact; the underlying data remains with the Data Fiduciary.

Independence and Conflict-of-Interest

  • Must operate independently of any Data Fiduciary
  • Cannot have conflicts of interest with entities that determine the purpose and means of data processing
  • This prevents a Data Fiduciary from controlling a Consent Manager and using it to steer consent in its favour

Interoperability

  • The consent platform must be interoperable across multiple Data Fiduciaries and services
  • This aligns with the DEPA vision of open, API-driven consent infrastructure

Transparency and Accountability

  • Accountable to Data Principals at all times
  • Must provide clear, accessible interfaces for consent management
  • Must act in the interest of the Data Principal when mediating between the individual and Data Fiduciaries

Who Should Consider Registering?

Consent Manager registration is relevant for a narrow but strategically important set of entities:

  • Account Aggregators already operating under RBI’s framework who want to extend into broader personal data consent management
  • FinTech platforms building cross-platform consent infrastructure for banking, lending, or insurance
  • HealthTech platforms enabling patients to manage consent across hospitals, diagnostic labs, and ABDM-integrated systems
  • Identity and consent startups that specifically aim to be the individual’s consent dashboard across services
  • Telecom or digital platform players looking to offer consent management as a value-added service to their user base

Who does not need to register: Most businesses, including banks, NBFCs, e-commerce platforms, SaaS companies, and hospitals, are Data Fiduciaries, not Consent Managers. They need consent management software to manage their own consent collection, not Consent Manager registration. Data Fiduciaries do not register with the Board for consent management purposes, though Significant Data Fiduciaries have separate obligations under Section 10.

Even if your organisation is not registering as a Consent Manager, you need to be ready for them. Once Consent Managers go live after November 2026, Data Principals will use them to:

  • Grant consent to your organisation through the Consent Manager’s platform instead of, or in addition to, your own consent flow
  • Withdraw consent remotely; your systems must honour withdrawal requests that arrive via Consent Manager APIs
  • Review and audit what consents they have given you; your consent records must be accurate and up-to-date

What Data Fiduciaries Should Do Now

  1. Audit your consent architecture: Can your systems accept consent signals from third-party Consent Managers via APIs?
  2. Build interoperable consent APIs: Consent Managers will need standardised endpoints to grant, review, and withdraw consent on behalf of Data Principals.
  3. Map consent to processing purposes: Each consent must be tied to a specific, lawful processing purpose (Section 6 requires purpose-specific consent).
  4. Implement consent withdrawal workflows: When a Data Principal withdraws consent via a Consent Manager, your systems must cease processing within a reasonable timeframe.
  5. Maintain audit-ready consent records: Your records must match what the Consent Manager holds for the Data Principal. This intersects directly with your breach notification obligations — accurate consent records are a prerequisite for an accurate breach scope assessment.

This is where a consent management platform like ConsentOS becomes essential. ConsentOS provides the infrastructure Data Fiduciaries need to capture purpose-specific consent, maintain audit trails, handle withdrawal requests, and prepare for Consent Manager interoperability, without requiring Data Fiduciaries to build this capability from scratch. See the feature-level comparison for how ConsentOS maps to each obligation.

Common Mistakes to Avoid

| Mistake | Why It Is Wrong | Correct Approach |
|---|---|---|
| Assuming your CMP tool makes you a “Consent Manager” | Consent Manager is a registered legal entity, not a software product | Use a CMP for internal consent management; register only if you want to operate as an intermediary |
| Waiting until November 2026 to start preparing | Registration requires independent certification, corporate document amendments, and Board approval; this takes months | Begin preparation by Q3 2026 at the latest |
| Registering as a Consent Manager while also acting as a Data Fiduciary | Conflict-of-interest provisions prohibit this | Maintain strict independence between your Consent Manager entity and any Data Fiduciary operations |
| Ignoring the Rs 2 crore net worth requirement | This is a hard eligibility criterion; the Board will reject applications below this threshold | Ensure net worth is met before applying; consider funding or capitalisation if needed |
| Not building interoperable APIs as a Data Fiduciary | Consent Managers will need to interface with your systems post-November 2026 | Start building consent APIs now; align with DEPA and Account Aggregator standards |

Timeline: What to Do Over the Next Five Months

| Month | For Consent Manager Applicants | For Data Fiduciaries |
|---|---|---|
| June 2026 | Finalise corporate structure; begin MOA and AOA amendments; engage independent certifier | Audit consent architecture; identify interoperability gaps |
| July 2026 | Complete technical platform development; undergo security and data protection audits | Begin building consent APIs; map all processing purposes |
| August 2026 | Obtain independent certification; prepare application documents; confirm Rs 2 Cr net worth | Test consent withdrawal workflows; align records with audit requirements |
| September 2026 | Submit registration application to DPB; begin Board inquiry process | Integrate with test Consent Manager environments if available |
| October–November 2026 | Respond to Board queries; obtain registration; publish on DPB website | Go live with Consent Manager-compatible consent infrastructure |

Assessing Your Readiness

Whether you are preparing a Consent Manager registration application or building the consent infrastructure your Data Fiduciary obligations require, the starting point is an accurate picture of where you stand today.

The free Compliance Gap Assessment scores your organisation against the DPDP Act’s obligations in under 10 minutes and returns a prioritised report you can use to direct your preparation. View ConsentOS pricing tiers for compliance infrastructure built specifically for the Data Fiduciary obligations that sit adjacent to the Consent Manager framework.

For the full DPDP compliance timeline, including how the November 2026 Consent Manager deadline fits alongside the Data Principal rights framework and the privacy notice requirements that interact with consent collection, see the related articles below.
