How to Register as a Consent Manager Under the DPDP Act
Step-by-step guide to Consent Manager registration under the DPDP Act: eligibility, the Rs 2 crore net worth gate, documents, and the application process.
On This Page
- Before You Apply: Confirm the Role Fits
- Step 1: Confirm Eligibility Against the Nine Part A Conditions
- Step 2: Meet the Rs 2 Crore Net Worth Gate
- Step 3: Amend the MOA and AOA
- Step 4: Build the Interoperable Consent Platform
- Step 5: Obtain Independent Certification
- Step 6: Compile and Submit the Application
- Step 7: Respond to the Board Inquiry and Maintain Compliance
- A Realistic Preparation Timeline
- Common Mistakes to Avoid
- If You Are a Data Fiduciary, Not an Applicant
- Assess Your Readiness
This is the procedure for registering as a Consent Manager with the Data Protection Board of India under Rule 4 of the DPDP Rules 2025. It is written for the narrow set of entities that intend to operate as a cross-platform consent intermediary, not for Data Fiduciaries managing consent from their own users.
If you are still deciding whether the role applies to you, start with the explainer on what a Consent Manager is under the DPDP Act, which sets out the statutory definition, the difference from a consent management platform, and who actually needs to register. This page assumes that decision is made and covers the registration steps.
The registration regime falls under the later phase of the DPDP Rules 2025. The DPDP Rules were gazetted on 13 November 2025. The Consent Manager registration window is expected to open around November 2026, ahead of broader enforcement expected from May 2027. Treat these as expected timing set by the Board’s notifications, not as fixed statutory dates, and verify against the Board’s own publications before you act.
Before You Apply: Confirm the Role Fits
Consent Manager is a registered legal status, not a software category. Under Section 6(8) of the DPDP Act, a Consent Manager is a single point of contact that lets a Data Principal give, manage, review, and withdraw consent across multiple Data Fiduciaries through one interface, and it is accountable to the individual, not to any Data Fiduciary.
Register only if you intend to operate that intermediary. Account Aggregators extending beyond financial data, FinTech and HealthTech platforms building cross-platform consent infrastructure, and identity or consent startups aiming to be the individual’s consent dashboard are the typical applicants. A Data Fiduciary that simply needs to capture and record its own users’ consent does not register. It needs a consent management platform.
Step 1: Confirm Eligibility Against the Nine Part A Conditions
Part A of the First Schedule to the DPDP Rules 2025 sets nine conditions. The Board must be satisfied on every one before it grants registration. Confirm each before you spend on platform development or certification.
- Indian incorporation. The applicant must be a company incorporated in India under the Companies Act, 2013. LLPs, partnerships, sole proprietorships, and foreign entities cannot apply. A foreign company would need an Indian subsidiary.
- Technical, operational, and financial capacity. Demonstrated ability to build and run an interoperable consent platform at volume and to sustain operations over time.
- Sound financial condition and management. The Board assesses financial health, debt levels, revenue sustainability, and management track record.
- Minimum net worth of Rs 2 crore. The hard financial threshold. It is covered in detail in Step 2.
- Adequate business volume, capital structure, and earnings prospects. The Board must be satisfied that projected volume justifies the capital structure and that earnings prospects are sustainable. This filters out shell applicants.
- Directors and KMP of good character. Directors, key managerial personnel, and senior management must have a general reputation and record of fairness and integrity. Background and character assessments form part of the process.
- MOA and AOA provisions. The constitutional documents must embed the conflict-of-interest and fiduciary obligations. Step 3 covers this.
- Operations in the interest of Data Principals. Proposed operations must demonstrably serve individuals, not the commercial interests of the applicant or affiliated Data Fiduciaries.
- Independent certification. Confirmation that the interoperable platform meets the Board’s standards and assurance framework and that adequate safeguards are in place. Step 5 covers this.
Step 2: Meet the Rs 2 Crore Net Worth Gate
Net worth of at least Rs 2 crore is a hard eligibility criterion. The Board will reject applications below this threshold.
Two points decide whether this step is clear:
- It must be met before you apply. Plan capitalisation or funding so the net worth is in place and evidenced in financial statements at the time of filing.
- It must be maintained on an ongoing basis. This is not a one-time gate at application. Registration can be revoked if conditions cease to be met, so net worth has to hold after registration as well.
For a new entity pursuing the role, this is the constraint that most often sets the funding timeline. Resolve it early.
Step 3: Amend the MOA and AOA
The Memorandum and Articles of Association must contain provisions that:
- Require adherence to the conflict-of-interest and fiduciary obligations in Part B of the First Schedule.
- Ensure policies and procedures for compliance are in place.
- State that these provisions can be amended only with the prior approval of the Board.
The independence requirement is the substance here. A Consent Manager must operate independently of any Data Fiduciary that determines the purpose and means of processing. Embedding that independence in the constitutional documents, with Board-gated amendment, is what prevents a Data Fiduciary from controlling a Consent Manager and steering consent in its own favour. Engage company counsel to draft these amendments and pass the board resolutions before the application is filed.
Step 4: Build the Interoperable Consent Platform
The platform you register is the substance of the application, not an afterthought to it. It must be able to exchange grant, review, and withdrawal signals across multiple Data Fiduciaries and services. This is the open, API-driven design the DEPA framework and the Account Aggregator model already use.
Build against the Board’s assurance framework from the outset, because the independent certification in Step 5 tests the platform against exactly that. Record-keeping is part of the design: the platform must retain consent transaction records for a minimum of seven years, while the underlying personal data stays with the Data Fiduciary. The Consent Manager manages the consent artefact and may not access the records to read the underlying personal data.
Step 5: Obtain Independent Certification
The applicant must obtain independent certification confirming two things:
- The interoperable platform meets the data protection standards and assurance framework published by the Board.
- Adequate safeguards are in place for the personal data processed through the platform.
This is a gating document for the application, and certification takes time to schedule, conduct, and remediate. Engage the certifier while the platform is in development rather than after it is complete, so that findings can be addressed before the registration window opens.
Step 6: Compile and Submit the Application
Rule 4 directs the applicant to file with the Board in the form and manner published on the Board’s website. Assemble the full set:
- Corporate documents, including the amended MOA and AOA and the relevant board resolutions.
- Financial statements evidencing the Rs 2 crore net worth and overall financial soundness.
- Technical specifications of the interoperable consent platform.
- The independent certification report.
- Particulars of directors and key managerial personnel for the good-character assessment.
File the application through the Board’s process once it is published. The Board’s online portal is expected to go live before the registration window. Do not assume a portal address, form number, or fee in advance. Use the official details the Board publishes.
Step 7: Respond to the Board Inquiry and Maintain Compliance
After filing, the Board may make such inquiry as it considers fit. This can include requests for additional documentation, interviews, or independent assessments. The Board then either registers the applicant, notifies it, and publishes the Consent Manager’s particulars on its website, or rejects the application and communicates the reasons.
Registration is not the finish line. It carries continuing Part B obligations:
- Record-keeping. Maintain consent transaction records for a minimum of seven years, without accessing them to read the underlying personal data.
- Independence and conflict-of-interest. Operate independently of any Data Fiduciary, with no conflict of interest with entities that determine the purpose and means of processing.
- Interoperability. Keep the consent platform interoperable across Data Fiduciaries and services.
- Transparency and accountability. Remain accountable to Data Principals, provide clear consent-management interfaces, and act in the individual’s interest when mediating with Data Fiduciaries.
The Board can revoke registration if these conditions are no longer met, which is why net worth, independence, and certification standards must hold continuously, not just at the point of approval.
A Realistic Preparation Timeline
The expected November 2026 window is the planning anchor, not the start date. The work that precedes a filing runs over months.
| Stage | What it covers |
|---|---|
| Foundations | Confirm Indian incorporation, establish and document the Rs 2 crore net worth, engage counsel for MOA and AOA amendments. |
| Build | Develop the interoperable consent platform against the Board’s assurance framework, with seven-year record retention built in. |
| Certify | Engage the independent certifier, complete the assessment, and remediate findings. |
| File | Compile corporate, financial, technical, certification, and director documents, then submit through the Board’s published process. |
| Inquiry | Respond to Board queries, obtain registration, and stand up continuing Part B compliance. |
The sequence matters more than precise dates. Net worth and incorporation gate everything. Certification gates the filing. Begin foundations well before the window so certification and filing are not compressed against a notification deadline.
Common Mistakes to Avoid
| Mistake | Why it is wrong | Correct approach |
|---|---|---|
| Treating a CMP tool as registration | Consent Manager is a registered entity, not a software product | Use a CMP for internal consent; register only to operate as an intermediary |
| Starting at the deadline | Net worth, MOA changes, platform build, and certification take months | Begin foundations well ahead of the expected November 2026 window |
| Underfunding net worth | Rs 2 crore is a hard gate the Board enforces at and after application | Capitalise to and maintain Rs 2 crore before filing |
| Registering while acting as a conflicted Data Fiduciary | Conflict-of-interest provisions prohibit it | Maintain strict independence in both structure and operations |
| Assuming portal, form, or fee details | The Board publishes the official form and manner | Use only the Board’s published process and documents |
If You Are a Data Fiduciary, Not an Applicant
Most organisations, including banks, NBFCs, insurers, e-commerce platforms, SaaS companies, and hospitals, are Data Fiduciaries. They do not register as Consent Managers. Their obligation is to be ready to interoperate with registered Consent Managers once the regime is live: accepting grant, review, and withdrawal signals through Consent Manager APIs and keeping consent records that match what the Consent Manager holds.
That readiness is a consent management platform requirement, not a registration one. For the full picture of where this sits in the wider rollout, see the DPDP compliance timeline, and for the obligations adjacent to it, the Significant Data Fiduciary framework under Section 10.
Assess Your Readiness
Whether you are preparing a Consent Manager application or building the consent infrastructure your Data Fiduciary obligations require, start from an accurate picture of where you stand. The free Compliance Gap Assessment scores your organisation against the DPDP Act’s obligations in under 10 minutes and returns a prioritised report. View ConsentOS pricing tiers for the consent infrastructure that sits adjacent to the Consent Manager framework.
Know where you stand on DPDP compliance
Run the free Compliance Vault Assessment for a gap report scored against your DPDP Act 2023 obligations, work through the 26-point compliance checklist, or model your penalty exposure.
Enforcement milestones, rule notifications, and deadline analysis.
One email when it matters, no more.
Resources
Continue Reading
Related DPDP Act 2023 guidance from the ConsentOS knowledge base.
DPDP Consent Manager Registration: Who Needs It and How to Apply
Most companies do not need to register. Who does, the 13 November 2026 deadline, the Rs 2 crore net worth test, and what Sections 6(7) to 6(9) require.
12 min read
Regulatory UpdatesDPDP Act 2023 Compliance Deadlines & Enforcement Dates (India)
Every DPDP Act date: Rules notified Nov 2025, Consent Manager registration Nov 2026, penalty enforcement May 2027. Plan your compliance timeline.
5 min read
Compliance AreasSignificant Data Fiduciary (SDF): DPO and Audit Rules in India
SDF designation under Section 10 of the DPDP Act triggers a DPO in India, data protection impact assessments, and independent audits. Who qualifies and how to prepare.
6 min read
Implementation GuidesDPDP Compliance Software: How to Choose a Platform in 2026
Eight DPDP compliance platforms compared by buyer type: Privy, Consentin, Perfios, CookieYes, KavachOne, Complynz, OneTrust, ConsentOS. Pick by obligation, not by feature list.
11 min read