Skip to main content
Consent Management

How to Register as a Consent Manager Under the DPDP Act

Step-by-step guide to Consent Manager registration under the DPDP Act: eligibility, the Rs 2 crore net worth gate, documents, and the application process.

10 min read
On This Page

This is the procedure for registering as a Consent Manager with the Data Protection Board of India under Rule 4 of the DPDP Rules 2025. It is written for the narrow set of entities that intend to operate as a cross-platform consent intermediary, not for Data Fiduciaries managing consent from their own users.

If you are still deciding whether the role applies to you, start with the explainer on what a Consent Manager is under the DPDP Act, which sets out the statutory definition, the difference from a consent management platform, and who actually needs to register. This page assumes that decision is made and covers the registration steps.

The registration regime falls under the later phase of the DPDP Rules 2025. The DPDP Rules were gazetted on 13 November 2025. The Consent Manager registration window is expected to open around November 2026, ahead of broader enforcement expected from May 2027. Treat these as expected timing set by the Board’s notifications, not as fixed statutory dates, and verify against the Board’s own publications before you act.

Before You Apply: Confirm the Role Fits

Consent Manager is a registered legal status, not a software category. Under Section 6(8) of the DPDP Act, a Consent Manager is a single point of contact that lets a Data Principal give, manage, review, and withdraw consent across multiple Data Fiduciaries through one interface, and it is accountable to the individual, not to any Data Fiduciary.

Register only if you intend to operate that intermediary. Account Aggregators extending beyond financial data, FinTech and HealthTech platforms building cross-platform consent infrastructure, and identity or consent startups aiming to be the individual’s consent dashboard are the typical applicants. A Data Fiduciary that simply needs to capture and record its own users’ consent does not register. It needs a consent management platform.

Step 1: Confirm Eligibility Against the Nine Part A Conditions

Part A of the First Schedule to the DPDP Rules 2025 sets nine conditions. The Board must be satisfied on every one before it grants registration. Confirm each before you spend on platform development or certification.

  1. Indian incorporation. The applicant must be a company incorporated in India under the Companies Act, 2013. LLPs, partnerships, sole proprietorships, and foreign entities cannot apply. A foreign company would need an Indian subsidiary.
  2. Technical, operational, and financial capacity. Demonstrated ability to build and run an interoperable consent platform at volume and to sustain operations over time.
  3. Sound financial condition and management. The Board assesses financial health, debt levels, revenue sustainability, and management track record.
  4. Minimum net worth of Rs 2 crore. The hard financial threshold. It is covered in detail in Step 2.
  5. Adequate business volume, capital structure, and earnings prospects. The Board must be satisfied that projected volume justifies the capital structure and that earnings prospects are sustainable. This filters out shell applicants.
  6. Directors and KMP of good character. Directors, key managerial personnel, and senior management must have a general reputation and record of fairness and integrity. Background and character assessments form part of the process.
  7. MOA and AOA provisions. The constitutional documents must embed the conflict-of-interest and fiduciary obligations. Step 3 covers this.
  8. Operations in the interest of Data Principals. Proposed operations must demonstrably serve individuals, not the commercial interests of the applicant or affiliated Data Fiduciaries.
  9. Independent certification. Confirmation that the interoperable platform meets the Board’s standards and assurance framework and that adequate safeguards are in place. Step 5 covers this.

Step 2: Meet the Rs 2 Crore Net Worth Gate

Net worth of at least Rs 2 crore is a hard eligibility criterion. The Board will reject applications below this threshold.

Two points decide whether this step is clear:

  • It must be met before you apply. Plan capitalisation or funding so the net worth is in place and evidenced in financial statements at the time of filing.
  • It must be maintained on an ongoing basis. This is not a one-time gate at application. Registration can be revoked if conditions cease to be met, so net worth has to hold after registration as well.

For a new entity pursuing the role, this is the constraint that most often sets the funding timeline. Resolve it early.

Step 3: Amend the MOA and AOA

The Memorandum and Articles of Association must contain provisions that:

  • Require adherence to the conflict-of-interest and fiduciary obligations in Part B of the First Schedule.
  • Ensure policies and procedures for compliance are in place.
  • State that these provisions can be amended only with the prior approval of the Board.

The independence requirement is the substance here. A Consent Manager must operate independently of any Data Fiduciary that determines the purpose and means of processing. Embedding that independence in the constitutional documents, with Board-gated amendment, is what prevents a Data Fiduciary from controlling a Consent Manager and steering consent in its own favour. Engage company counsel to draft these amendments and pass the board resolutions before the application is filed.

The platform you register is the substance of the application, not an afterthought to it. It must be able to exchange grant, review, and withdrawal signals across multiple Data Fiduciaries and services. This is the open, API-driven design the DEPA framework and the Account Aggregator model already use.

Build against the Board’s assurance framework from the outset, because the independent certification in Step 5 tests the platform against exactly that. Record-keeping is part of the design: the platform must retain consent transaction records for a minimum of seven years, while the underlying personal data stays with the Data Fiduciary. The Consent Manager manages the consent artefact and may not access the records to read the underlying personal data.

Step 5: Obtain Independent Certification

The applicant must obtain independent certification confirming two things:

  • The interoperable platform meets the data protection standards and assurance framework published by the Board.
  • Adequate safeguards are in place for the personal data processed through the platform.

This is a gating document for the application, and certification takes time to schedule, conduct, and remediate. Engage the certifier while the platform is in development rather than after it is complete, so that findings can be addressed before the registration window opens.

Step 6: Compile and Submit the Application

Rule 4 directs the applicant to file with the Board in the form and manner published on the Board’s website. Assemble the full set:

  • Corporate documents, including the amended MOA and AOA and the relevant board resolutions.
  • Financial statements evidencing the Rs 2 crore net worth and overall financial soundness.
  • Technical specifications of the interoperable consent platform.
  • The independent certification report.
  • Particulars of directors and key managerial personnel for the good-character assessment.

File the application through the Board’s process once it is published. The Board’s online portal is expected to go live before the registration window. Do not assume a portal address, form number, or fee in advance. Use the official details the Board publishes.

Step 7: Respond to the Board Inquiry and Maintain Compliance

After filing, the Board may make such inquiry as it considers fit. This can include requests for additional documentation, interviews, or independent assessments. The Board then either registers the applicant, notifies it, and publishes the Consent Manager’s particulars on its website, or rejects the application and communicates the reasons.

Registration is not the finish line. It carries continuing Part B obligations:

  • Record-keeping. Maintain consent transaction records for a minimum of seven years, without accessing them to read the underlying personal data.
  • Independence and conflict-of-interest. Operate independently of any Data Fiduciary, with no conflict of interest with entities that determine the purpose and means of processing.
  • Interoperability. Keep the consent platform interoperable across Data Fiduciaries and services.
  • Transparency and accountability. Remain accountable to Data Principals, provide clear consent-management interfaces, and act in the individual’s interest when mediating with Data Fiduciaries.

The Board can revoke registration if these conditions are no longer met, which is why net worth, independence, and certification standards must hold continuously, not just at the point of approval.

A Realistic Preparation Timeline

The expected November 2026 window is the planning anchor, not the start date. The work that precedes a filing runs over months.

StageWhat it covers
FoundationsConfirm Indian incorporation, establish and document the Rs 2 crore net worth, engage counsel for MOA and AOA amendments.
BuildDevelop the interoperable consent platform against the Board’s assurance framework, with seven-year record retention built in.
CertifyEngage the independent certifier, complete the assessment, and remediate findings.
FileCompile corporate, financial, technical, certification, and director documents, then submit through the Board’s published process.
InquiryRespond to Board queries, obtain registration, and stand up continuing Part B compliance.

The sequence matters more than precise dates. Net worth and incorporation gate everything. Certification gates the filing. Begin foundations well before the window so certification and filing are not compressed against a notification deadline.

Common Mistakes to Avoid

MistakeWhy it is wrongCorrect approach
Treating a CMP tool as registrationConsent Manager is a registered entity, not a software productUse a CMP for internal consent; register only to operate as an intermediary
Starting at the deadlineNet worth, MOA changes, platform build, and certification take monthsBegin foundations well ahead of the expected November 2026 window
Underfunding net worthRs 2 crore is a hard gate the Board enforces at and after applicationCapitalise to and maintain Rs 2 crore before filing
Registering while acting as a conflicted Data FiduciaryConflict-of-interest provisions prohibit itMaintain strict independence in both structure and operations
Assuming portal, form, or fee detailsThe Board publishes the official form and mannerUse only the Board’s published process and documents

If You Are a Data Fiduciary, Not an Applicant

Most organisations, including banks, NBFCs, insurers, e-commerce platforms, SaaS companies, and hospitals, are Data Fiduciaries. They do not register as Consent Managers. Their obligation is to be ready to interoperate with registered Consent Managers once the regime is live: accepting grant, review, and withdrawal signals through Consent Manager APIs and keeping consent records that match what the Consent Manager holds.

That readiness is a consent management platform requirement, not a registration one. For the full picture of where this sits in the wider rollout, see the DPDP compliance timeline, and for the obligations adjacent to it, the Significant Data Fiduciary framework under Section 10.

Assess Your Readiness

Whether you are preparing a Consent Manager application or building the consent infrastructure your Data Fiduciary obligations require, start from an accurate picture of where you stand. The free Compliance Gap Assessment scores your organisation against the DPDP Act’s obligations in under 10 minutes and returns a prioritised report. View ConsentOS pricing tiers for the consent infrastructure that sits adjacent to the Consent Manager framework.

Know where you stand on DPDP compliance

Run the free Compliance Vault Assessment for a gap report scored against your DPDP Act 2023 obligations, work through the 26-point compliance checklist, or model your penalty exposure.

Enforcement milestones, rule notifications, and deadline analysis.

One email when it matters, no more.