Consent Managers Under the DPDP Act and DPDP Rules, 2025: Functions, Obligations, and Governance

What is a Consent Manager Under DPDPA?

A Consent Manager under the DPDP is a duly registered intermediary established by India’s Digital Personal Data Protection Act (DPDPA), 2023, to function as a secure and impartial intermediary between individuals (Data Principals) and organisations (Data Fiduciaries). Its principal mandate is to establish a unified, transparent, and interoperable platform enabling individuals to give, manage, review, and revoke their consent for the processing of personal data. In essence, a Consent Manager serves as a centralised consent governance framework, substituting disparate, application-specific consent prompts with a unified, auditable, and user-controlled consent record.

Introduction

It was the Personal Data Protection Bill of 2019 that introduced the concept of a “Consent Manager”. In the 2019 Bill, a “consent manager” was defined as a “data fiduciary” who “enables a data principal to gain, withdraw, review, and manage his consent through an accessible, transparent, and interoperable platform.” In another development, the Reserve Bank of India introduced the concept of Account Aggregators (AA), aimed at empowering individuals with control over their financial data by allowing them to securely and digitally share their financial information across different financial institutions. Similarly, the authorities have finalised and notified the Digital Personal Data Protection Act, 2023 (DPDPA), along with the associated Digital Personal Data Protection Rules. 

The DPDP Rules, 2025 (DPDP Rules), have now been finalised and notified after their initial release as draft rules for public consultation on January 3, 2025. Section 2(g) of the DPDPA specifies the definition of “Consent Manager” as a person registered with the Board who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform. 

Eligibility and Registration Requirements for Consent Managers  

Financial and Governance Standards  

To operate as a Consent Manager under the DPDP Rules, 2025, entities must meet Part A of the First Schedule:  

• Incorporation: Must be incorporated in India (private or public company, society, or trust). Minimum Net Worth: ₹2 crore (adjusted annually for inflation)  

• Governance Framework: Board of Directors with clear conflict-of-interest policies  

• Technical Infrastructure: Secure servers, data encryption (AES-256 minimum), and audit-ready logging systems 

• Prohibition on Dual Roles: Cannot simultaneously act as data fiduciary or processor for the same data principal whose consent it manages 

• Non-Discrimination: Must facilitate consent flows neutrally across all data fiduciaries without preferential treatment 

• Transparent Pricing: Cannot generate revenue from data sharing or consent manipulation; pricing models must be published and non-discriminatory 

• No Undisclosed Benefits: Cannot receive payments or inducements from data fiduciaries that would create conflicts of interest 

• Governance Safeguards: Board oversight to prevent conflicts and ensure Data Principal alignment 

DPDP Rules on Consent Management 

The Digital Personal Data Protection Rules 2025 establish a comprehensive framework for consent, notice requirements, and consent management that balances data protection with practical implementation. 

• Rule 3 – Standards for Notice and Consent 

Data fiduciaries are required to issue clear, concise notices that explicitly outline categories of personal data, specify the purposes of processing, and include accessible links for withdrawing consent, exercising rights, and submitting complaints. The notice must be comprehensible on its own without dependence on supplementary documents. 

• Rule 4 & First Schedule – Consent Manager Framework 

Consent managers are required to be registered entities that satisfy the financial, governance, and technical standards outlined in Part A, First Schedule, including incorporation within India and maintaining a minimal net worth of ₹2 crore. Once registered, obligations under Part B, First Schedule come into effect, encompassing the facilitation of direct and routed consent flows, the retention of seven-year consent records, the restriction of personal data readability, and the implementation of safeguards against conflicts of interest. 

• Rule 10 – Verifiable Consent for Minors 

Processing children’s personal data necessitates verifiable parental consent. Verification may be based on identity information already maintained by the fiduciary, credentials authenticated by authorised identity verification entities, or details verified through the Digital Locker, with illustrative examples provided in the Rule. 

• Rule 11 – Verifiable Consent for Individuals with Disabilities 

Where processing necessitates the consent of a lawful guardian, the guardian’s status must be confirmed via court orders, authorised officials under the 2016 Act, or local committees established under the National Trust Act, 1999. 

• Rule 12 & Fourth Schedule – Exemptions for Children’s Data 

Certain entities and purposes outlined in Parts A and B of the Fourth Schedule (such as healthcare providers, educational institutions, childcare centres, transportation services, and safety-related processing) are exempt from Section 9(1) & (3) under specified conditions which exempts them from obtaining Verifiable Parental Consent and prohibitions against tracking, behavioural monitoring of children or targeted advertising directed towards children. 

• Rules 6 & 7 – Safeguards and Breach Response Procedures 

Fiduciaries are required to establish and maintain appropriate security protocols, including encryption, access controls, continuous monitoring, and logging for a period of one year. Breach notifications shall be promptly communicated to the Board and the affected Data Principals, with a comprehensive report submitted within 72 hours or as otherwise authorised. 

• Framework of Consent 

The rules facilitate both direct consent (from the principal to the fiduciary) and intermediated consent (through consent managers), establishing a regulated, auditable, and interoperable consent framework. 

• Commencement Timeline Rules 1, 2, and 17-21 are effective immediately; Rule 4 takes effect after 1 year; and Rules 3, 5-16, and 22-23 become operative eighteen months from the date of notification. 

Impact of Consent Managers on the Privacy Landscape India 

Data governance 

Consent managers transition consent management from fragmented, ad hoc approaches to a standardised digital record system that facilitates verifiable, auditable consent documents and uniform notice administration. This enhances organisations’ capacity to demonstrate compliance with the consent obligations outlined in the DPDP Act. 

Financial Services and Financial Technology (Fintech) 

Consent managers use the user-centric consent principle from the RBI’s Account Aggregator (AA) ecosystem to make it easier to keep track of verifiable consent records for different types of personal data. They also keep a separate, legal framework under the DPDP regime. Consent managers supplement sector-specific AA regulations; they do not supersede RBI regulations or AA technical and licensing requirements. 

Healthcare 

In the healthcare sector, consent managers facilitate the acquisition and preservation of verifiable parental or guardian consent for the processing of sensitive health information, in accordance with the rules, thereby enhancing legal defensibility without altering clinical decision-making. 

E-commerce 

The DPDP Act and Rules limit behavioural monitoring and targeted advertising aimed at children, and they mandate verifiable guardian consent where applicable. Consent managers are capable of recording and verifying age verifications and parental consents; however, they do not conduct behavioural surveillance nor authorise processing activities that are prohibited by law. No lawful assent may be employed to authorise processing explicitly prohibited by statute. 

Responsibilities and Operational Mandates 

A Consent Manager’s primary function is to act as a single, accessible point of control for the Data Principal’s digital identity and consent lifecycle. 

Roles  

The CM acts as a representative of the Data Principal and is subject to strict governance: 

• Consent Facilitator: The CM is the single point of contact enabling a Data Principal to give, manage, review, and withdraw her consent to Data Fiduciaries. 

• Fiduciary Duty: The CM must operate in a fiduciary capacity. This means they must always act honestly and in the best interests of the data principal. They are directly accountable to the Data Principal. 

• Operational Integrity: To ensure stability and trust, the CM is generally prohibited from subcontracting or assigning the performance of its core statutory obligations. 

Retention Rules  

As the custodian of consent, the CM must ensure a durable, auditable trail of all consent actions: 

• Record Mandate: The CM must maintain a tamper-proof digital record of every consent, withdrawal, and notice request, along with the corresponding responses. 

• Minimum Retention Period: These records must be preserved for a minimum period of seven years, unless a longer retention period is specifically agreed upon with the Data Principal or mandated by another law. 

User Dashboard  

The interface must be accessible, transparent, and user-centric: 

• Primary Access: The CM must develop and maintain a website or application (app), or both, as the primary means for the Data Principal to access and manage its services. 

• Data Portability: Upon the Data Principal’s request, the CM must make the information contained in the consent record available to her in a machine-readable form. 

Transparency Obligations  

To maintain public trust and regulatory compliance, the CM must be constantly verifiable: 

• Security Audits: The CM must implement effective audit mechanisms to continuously review and monitor its operations. They must also take reasonable security safeguards to prevent a personal data breach. 

• Scope of Audit: Audits specifically check the adequacy of technical and organisational controls, systems, procedures, and safeguards. They also verify the CM’s continued adherence to the initial registration conditions and all legal obligations. 

• Reporting: The outcomes of these audits must be periodically reported to the Data Protection Board of India (DPBI), or on other occasions as directed by the Board. 

Responsibilities and Operations Mandates 

Core Roles of Registered Consent Managers 

Under Part B of the First Schedule, DPDP Rules 2025, Consent Managers operate across three interdependent functional dimensions: 

Role 1: Direct Consent Facilitation 

Consent managers enable data principals to provide direct consent to data fiduciaries through the consent manager’s platform, with the following responsibilities: 

• Provide an accessible, transparent, and interoperable interface for consent grant, review, and withdrawal 

• Maintain real-time consent status dashboards accessible 24/7 to data principals 

• Implement consent withdrawal mechanisms that are as seamless as the original consent process, with no additional verification steps or delays 

• Ensure consent confirmations are provided immediately upon action (grant or withdrawal) 

• Maintain audit logs of all consent transactions with timestamps and device identifiers

Role 2: Routed Consent Management 

Consent managers act as intermediaries where data fiduciaries route consent requests through the consent manager’s platform:

• Receive consent requests from data fiduciaries and present them to data principals 

• Ensure consent notices comply with Rule 3 standards (clear, standalone, itemized by purpose, accessible, , 

comprehensible) 

• Avoiding dark patterns (pre-ticked boxes, confusing language, deceptive design) 

• Validate that notice language meets accessibility standards (readability scores, multilingual support) 

• Facilitate consent decision-making without bias or influence 

• Route consents back to requesting data fiduciaries with cryptographic proof of consent

Consent Record Retention Rules

Under Part B, Item 3 of the First Schedule, DPDP Rules 2025, Consent Managers must maintain rigorous recordkeeping obligations: 

Conclusion 

The DPDP Rules impose stringent conditions for Consent Manager registration under Rule 4 and the First Schedule, including requirements relating to financial soundness, technical and operational capacity, and governance standards. These safeguards ensure that only competent and trustworthy entities may operate as consent managers. Their obligations, such as maintaining detailed consent records, ensuring non-readability of personal data routed through their platforms, preventing conflicts of interest, and implementing robust security controls, reinforce the commitment to protecting data principals’ rights. 

Within this framework, the Consent Manager functions as a fiduciary intermediary representing the Data Principal’s interests and plays a central role in standardising consent flows across the ecosystem. By establishing clear registration criteria and enforceable operational duties, the DPDPA and the DPDP Rules ensure that consent processes are transparent, accountable, and aligned with the best interests of Data Principals.  

Frequently Asked Questions (FAQ) on Consent Managers under DPDPA 

Q1: What exactly is a Consent Manager under DPDPA?
A Consent Manager is a registered intermediary under India’s Digital Personal Data Protection Act, 2023, enabling individuals (data principals) to give, manage, review, and withdraw consent via a transparent, interoperable digital platform. It acts as a “consent broker,” centralizing your data consents securely with cryptographic proof, beyond conventional “I agree” boxes [Section 2(g), Rule 4, DPDP Rules 2025].  

Q2: What is the minimum net worth required for Consent Manager registration?
The minimum net worth is ₹2 crore, as mandated under Part A of the First Schedule, DPDP Rules 2025. This figure is inflation-adjusted annually and verifies an entity’s capacity to maintain secure systems and insurance coverage.  

Q3: How long must Consent Managers retain consent records?
Consent Managers must retain consent records for at least 7 years from the date of consent or withdrawal, whichever is later. Records must be digital, auditable, and available to data principals on request with secure deletion after the retention period [Part B, First Schedule, DPDP Rules].  

Q4: Can Consent Managers act as data processors for the same individuals?
No. Consent Managers are prohibited from acting as data fiduciaries or processors for the same data principals they serve to avoid conflicts of interest. Violation can lead to suspension or cancellation of registration [Rule 4, Part B, DPDP Rules 2025].  

Q5: Are certain sectors exempt from Consent Manager requirements?
Partially. Rule 12 and the Fourth Schedule exempt certain organizations like healthcare providers (emergency treatments), educational institutions (student biometric data), childcare centers, and government agencies for specific prescribed purposes. Nonetheless, general data processing must comply with consent management norms.  

Q6: What are the penalties for failing to maintain consent compliance?
Civil penalties under Section 27 may reach up to ₹500 crore for non-compliance with Consent Manager duties, failure to retain records, or delayed breach notification. Criminal penalties (Section 28) include imprisonment up to 3 years and fines up to ₹200 crore for negligent or deliberate violations. 

Ready to Start Your Consent Manager Compliance Journey? 

Book your DPDP consultation today for advice tailored to your organization’s needs.  

For more information, visit Tsaaro Consulting or contact us at [email protected].