Skip to main content
Consent Management

Consent Manager vs Consent Management Platform: The DPDP Act Distinction

A Consent Manager is a registered legal entity. A consent management platform is software. The DPDP Act treats them differently, and so should your budget.

9 min read
On This Page

Two terms circulate in every DPDP procurement conversation, and they are one word apart: Consent Manager, and consent management platform. Vendors use them interchangeably. The DPDP Act does not. One is a registered legal entity with a Rs 2 crore net worth requirement and a registration deadline. The other is software. Buying the wrong one wastes a budget cycle. Claiming to be the wrong one is a statutory breach.

This article draws the line. For the full anatomy of the registered entity, see What Is a Consent Manager Under the DPDP Act? For the software category, see DPDP Compliance Software: How to Choose a Platform.

The Act uses Consent Manager as a defined legal term, not a product description. Four provisions carry the regime.

Section 2(g) defines a Consent Manager as “a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.”

Three operative subsections of Section 6 build on that definition:

  • Section 6(7) gives the Data Principal the option to give, manage, review, or withdraw consent to a Data Fiduciary through a Consent Manager.
  • Section 6(8) makes the Consent Manager accountable to the Data Principal, not to any business that pays it.
  • Section 6(9) requires every Consent Manager to be registered with the Data Protection Board of India, subject to prescribed technical, operational, and financial conditions.

The prescribed conditions arrived with Rule 4 and the First Schedule of the DPDP Rules 2025: Indian incorporation, a minimum net worth of Rs 2 crore, fit-and-proper directors, and conflict-of-interest provisions embedded in the company’s constitutional documents. Registration becomes mandatory from 13 November 2026. The registration procedure runs through the Data Protection Board and takes months of preparation.

Read that list again. It describes a regulated intermediary, closer to a licensed financial entity than to a SaaS subscription.

A consent management platform, commonly shortened to CMP, is software a Data Fiduciary deploys to discharge its own obligations. It is not a legal category under the Act. The Act never uses the phrase. What the Act does is impose duties that are impractical to meet without one:

  • Section 5 requires an itemised notice before or at the time of requesting consent, stating the personal data sought and the purpose of processing.
  • Section 6(1) requires consent to be free, specific, informed, unconditional, and unambiguous, given by clear affirmative action, limited to the specified purpose.
  • Section 6(4) requires that withdrawing consent be as easy as giving it.
  • Section 6(10) puts the burden of proving that valid notice was given and valid consent taken on the Data Fiduciary, whenever the question arises in a proceeding.

That last provision is the one that makes software necessary. When the Data Protection Board asks an organisation to prove that a specific customer consented to a specific purpose on a specific date, a spreadsheet does not answer. A consent management platform exists to produce that answer: purpose-specific capture, a timestamped consent record, withdrawal handling, and an audit trail.

ConsentOS sits in this category. It is consent and compliance infrastructure for Data Fiduciaries, not a registered intermediary. The feature-level comparison maps each capability to the obligation it serves.

The Distinction, Side by Side

AspectConsent ManagerConsent management platform (CMP)
Legal statusRegistered entity under Section 6(9)Software product. No registration category exists
Defined in the ActYes, Section 2(g)No. The Act never uses the term
Who it servesData Principals, across many Data FiduciariesOne Data Fiduciary, for its own users
Accountable toThe Data Principal, under Section 6(8)The business that deploys it, by contract
Entry requirementsIndian incorporation, Rs 2 crore net worth, Board registration under Rule 4A procurement decision
Deadline pressureRegistration mandatory from 13 November 2026None specific. Obligations under Sections 5 and 6 already apply
Who needs oneEntities building a cross-platform consent intermediary businessEvery Data Fiduciary that collects consent at scale

Why the Confusion Persists

Three forces keep these terms tangled.

Vendor marketing. Some compliance tools describe themselves as “consent managers” because the phrase predates the Act in global privacy tooling. Under Indian law that phrase now has a statutory meaning. A software product that calls itself a Consent Manager without Board registration is describing itself as something it legally is not.

The single-word overlap. Both manage consent. The difference is direction: a CMP manages the consent your organisation collects. A Consent Manager manages the consents an individual has given across many organisations.

Imported GDPR habits. Teams familiar with European cookie-consent tooling assume “CMP” is the regulated term everywhere. The DPDP Act took a different route: it regulated the intermediary and left the Data Fiduciary’s tooling choice open, so long as the obligations are met.

Which One You Need: Three Scenarios

You are a business that collects personal data from your own customers. You need consent management capability, not registration. Your obligations are Sections 5 and 6, and the proof burden in Section 6(10). A CMP, whether built or bought, is how those obligations become operational. This describes nearly every company reading this page.

You intend to operate a consent intermediary that individuals use across multiple services. You need Data Protection Board registration under Section 6(9) before 13 November 2026, and you must clear the Rule 4 conditions first. Begin with the registration guide. The preparation runs months, not weeks.

You are a Data Fiduciary wondering whether Consent Managers affect you even without registering. They do, eventually. Section 6(7) means a customer may one day route consent to you through a registered Consent Manager, and your systems will need to honour consent and withdrawal signals arriving through that channel. Interoperability readiness belongs on the 2027 roadmap, not the panic list.

The Penalty Line

Getting the label wrong has a price on both sides.

An entity operating as an unregistered Consent Manager after 13 November 2026 breaches Section 6(9). A Data Fiduciary that treats buying software as the end of its consent obligations, and cannot produce valid consent records when the Board asks, breaches Section 6. Both violations fall in the Act’s residual penalty tier, which runs up to ₹50 crore per instance. The software was never the obligation. The obligation is the notice, the consent, the record, and the proof.

What This Means For You

Decide which side of the line you stand on, then act on that side only. If you are a Data Fiduciary, stop evaluating “Consent Manager registration” and start evaluating whether you can prove notice and consent under Section 6(10) today. Consent management under the DPDP Act lists what that requires. If you cannot answer the proof question, run the Gap Assessment. It scores your consent architecture against the obligations the Board will actually test.

Know where you stand on DPDP compliance

Run the free Compliance Vault Assessment for a gap report scored against your DPDP Act 2023 obligations, work through the 26-point compliance checklist, or model your penalty exposure.

Enforcement milestones, rule notifications, and deadline analysis.

One email when it matters, no more.