Introduction
The Personal Data Protection Bill, 2019 introduced the concept of a “Consent Manager”. The 2019 Bill defined a ‘consent manager’ as a “data fiduciary which enables a data principal to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform.” Separately, the Reserve Bank of India introduced the Account Aggregator (AA) framework, which aims to give individuals control over their financial data by allowing them to share their financial information securely and digitally across different financial institutions. The same idea reappears as the Consent Manager under the Digital Personal Data Protection Act, 2023 (DPDPA) and the allied draft Digital Personal Data Protection Rules, 2025 (DPDP Rules), which were released for public consultation on 3 January 2025.
Section 2(g) of the DPDPA defines a “Consent Manager” as a person registered with the Board who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
Draft DPDP Rules on Consent Manager
Rule 4 of the draft DPDP Rules, read with the First Schedule, deals with the registration and obligations of Consent Managers. Part A of the First Schedule sets out conditions that must be met before applying to the Data Protection Board of India (“Board”) for registration as a Consent Manager. The application must include the particulars, information and documents that the Board publishes on its website. On receiving the application, the Board may conduct an inquiry to confirm that the applicant meets the Part A conditions. If satisfied, the Board registers the applicant as a Consent Manager, informs the applicant and publishes its particulars on the Board's website. If not satisfied, the Board rejects the application and communicates the reasons for rejection to the applicant.
The Consent Manager must adhere to the obligations specified in Part B of the First Schedule. If the Board finds that a Consent Manager is not complying with these conditions and obligations, it will inform the Consent Manager and direct them to take corrective measures. If necessary, the Board can suspend or cancel the registration of the Consent Manager after giving them an opportunity to be heard. The Board may also issue directions to protect the interests of Data Principals.
Additionally, the Board may require the Consent Manager to furnish any information it deems necessary for the purposes of this rule. This ensures that Consent Managers operate with transparency, integrity, and in the best interests of Data Principals, while adhering to stringent data protection standards.
Registration
Part A of the First Schedule of the draft DPDP Rules, 2025 lays down the following conditions for registration as a Consent Manager:
- The applicant must be a company incorporated in India.
- It should possess adequate technical, operational, and financial capacity to fulfil its obligations as a Consent Manager.
- The applicant’s financial health and the general character of its management must be sound.
- The company must have a net worth of at least ₹2 crore.
- The applicant should demonstrate adequate business potential, a robust capital structure, and favourable earning prospects.
- Its directors, Key Managerial Personnel (KMP), and senior management must have a reputation for fairness and integrity.
- The company’s Memorandum and Articles of Association must include provisions ensuring adherence to the obligations outlined in items 9 and 10 of Part B. These obligations include avoiding conflicts of interest with Data Fiduciaries, including those involving promoters, KMP, or senior management, and implementing measures to prevent conflicts arising from financial or material relationships with Data Fiduciaries. Amendments to these provisions require prior Board approval.
- The applicant’s proposed operations should be aligned with the interests of Data Principals.
- Independent certification must confirm that:
a. The interoperable platform provided by the applicant facilitates Data Principals in giving, managing, reviewing, and withdrawing consent, complying with the data protection standards and assurance framework published by the Board.
b. Effective technical and organizational measures are implemented to ensure adherence to these standards and the obligations outlined in item 11 of Part B.
Item 11 specifies that the Consent Manager must publish, in an accessible manner on its website or app, detailed information including:
- The promoters, directors, KMP, and senior management of the company.
- Individuals holding more than 2% of the company’s shareholding.
- Corporate entities where the Consent Manager’s promoters, directors, KMP, or senior management hold over 2% shareholding.
- Additional information as directed by the Board in the interest of transparency.
These requirements ensure the applicant is capable, transparent, and free from conflicts of interest, thereby safeguarding the rights of Data Principals.
Obligations
Part B of the First Schedule of the draft Rules outlines the obligations of Consent Managers, which include:
- The Consent Manager must enable a Data Principal to grant consent for the processing of their personal data by an onboarded Data Fiduciary. Consent may be given directly to that Data Fiduciary, or routed through another onboarded Data Fiduciary that already holds the personal data with the Data Principal's consent. The draft Rules give two illustrations:
  - Case 1: Bank B1 requests access to X's bank account statement stored in a digital locker. X grants consent directly on the Consent Manager's platform, and B1 gains access to the statement.
  - Case 2: B1 requests access to X's bank account statement held by Bank B2. X uses the Consent Manager's platform to route consent through B2, instructing B2 to share the statement with B1.
- The Consent Manager must ensure that personal data shared or made available through its platform is not readable by the Consent Manager itself.
- The platform must maintain records of consents granted, denied or withdrawn by Data Principals; of the notices preceding or accompanying consent requests; and of any sharing of personal data with transferee Data Fiduciaries. These records must be made available to the Data Principal on request, as per the terms of service, and must be retained for at least seven years, or for a longer period if so agreed with the Data Principal or required by law.
- A Consent Manager must develop and maintain a website, an app, or both, as the primary means by which Data Principals access its services, and must not subcontract or assign the performance of its obligations under the Act and the Rules.
- Adequate security safeguards must be implemented to prevent personal data breaches.
- The Consent Manager must act in a fiduciary capacity with respect to Data Principals.
- Measures must be in place to avoid conflicts of interest with onboarded Data Fiduciaries, including conflicts involving their promoters and key managerial personnel. The Consent Manager must publish accessible information on its website or app regarding details of its promoters, directors, key managerial personnel, senior management, shareholders holding more than 2% of the company, and corporate entities where such personnel hold over 2% equity. Additional disclosures may be required by the Board to ensure transparency.
- Effective audit mechanisms must be implemented to periodically review, monitor, evaluate, and report on technical and organizational safeguards, compliance with registration conditions, and adherence to obligations under the Act and rules, as directed by the Board.
- Control of the company cannot be transferred (through sale, merger, or other means) without prior Board approval and compliance with conditions specified by the Board.
These obligations ensure the Consent Manager operates transparently, securely, and in alignment with the interests of Data Principals.
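The record-keeping obligation and the "not readable by the Consent Manager" obligation above are the two that turn directly into engineering decisions. As an added illustration (not code from the draft Rules or from the original article), the ledger below chains each consent record to the previous one with a SHA-256 hash so that a record altered or deleted after the fact is detected by `verify()`; for a data-sharing event it stores only a digest and size of the blob that passed through the platform, on the assumption (not stated on the page) that the blob is encrypted end to end between the two Data Fiduciaries and the Consent Manager merely relays it. The seven-year floor, the `demo()` walkthrough of Case 2, and the sample bank names are constructed for the example.

```python
"""Added illustration of a Consent Manager's consent-record store.

Assumptions (not from the draft Rules): SHA-256 hash chaining as the
tamper-evidence mechanism, and shared data arriving as an opaque blob
already encrypted between the two Data Fiduciaries, so the Consent
Manager never sees plaintext and only records that a transfer occurred.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

MIN_RETENTION_YEARS = 7            # retention floor from Part B of the draft Rules
EVENTS = {"grant", "deny", "withdraw", "share"}
GENESIS = "0" * 64                 # "previous hash" of the very first record


def _canon(body: dict) -> str:
    """Deterministic serialisation so the same record always hashes the same."""
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


def _add_years(ts: datetime, years: int) -> datetime:
    try:
        return ts.replace(year=ts.year + years)
    except ValueError:             # 29 February landing on a non-leap year
        return ts.replace(year=ts.year + years, day=28)


class ConsentLedger:
    def __init__(self):
        self._chain = []           # list of {"body": {...}, "hash": hex}

    def append(self, principal, event, fiduciary, *, via=None,
               notice=None, blob=None, at=None):
        """Append one record; returns its hash. `via` is the fiduciary consent
        was routed through (Case 2), `notice` the text that accompanied the request."""
        if event not in EVENTS:
            raise ValueError(f"unknown event {event!r}")
        at = at or datetime.now(timezone.utc)
        body = {
            "seq": len(self._chain),
            "at": at.isoformat(),
            "principal": principal,
            "event": event,
            "fiduciary": fiduciary,
            "via": via,
            "notice": notice,
            "prev": self._chain[-1]["hash"] if self._chain else GENESIS,
        }
        if event == "share":
            if blob is None:
                raise ValueError("share event needs the relayed blob")
            # Record that a transfer happened, not its content: digest and size only.
            body["blob_sha256"] = hashlib.sha256(blob).hexdigest()
            body["blob_len"] = len(blob)
        entry = {"body": body,
                 "hash": hashlib.sha256(_canon(body).encode()).hexdigest()}
        self._chain.append(entry)
        return entry["hash"]

    def verify(self):
        """(True, None) if the chain is intact, else (False, seq of first bad record)."""
        prev = GENESIS
        for i, entry in enumerate(self._chain):
            body = entry["body"]
            if body["seq"] != i or body["prev"] != prev:
                return False, i    # record removed, reordered or inserted
            if hashlib.sha256(_canon(body).encode()).hexdigest() != entry["hash"]:
                return False, i    # record contents changed
            prev = entry["hash"]
        return True, None

    def records_for(self, principal):
        """What a Data Principal receives when they ask for their records."""
        return [dict(e["body"]) for e in self._chain
                if e["body"]["principal"] == principal]

    def retention_until(self, seq, agreed_until=None, required_until=None):
        """Seven years from the record, or longer if agreed or required by law."""
        at = datetime.fromisoformat(self._chain[seq]["body"]["at"])
        floor = _add_years(at, MIN_RETENTION_YEARS)
        return max(d for d in (floor, agreed_until, required_until) if d is not None)


def demo():
    """Case 2 from the page with constructed sample data, then a forged record."""
    t0 = datetime(2025, 1, 3, 12, 0, tzinfo=timezone.utc)
    led = ConsentLedger()
    led.append("X", "grant", "B1", via="B2", at=t0,
               notice="B1 requests your B2 account statement for a loan application.")
    ciphertext = b"opaque-ciphertext-bytes"      # constructed stand-in for an encrypted statement
    led.append("X", "share", "B1", via="B2", blob=ciphertext, at=t0 + timedelta(minutes=5))
    led.append("X", "withdraw", "B1", at=t0 + timedelta(days=30))
    intact, _ = led.verify()
    led._chain[0]["body"]["event"] = "deny"      # someone rewrites history in storage
    tampered, bad_seq = led.verify()
    return {"intact": intact, "tampered": tampered, "bad_seq": bad_seq,
            "x_records": len(led.records_for("X")),
            "retention_year": led.retention_until(0).year}


if __name__ == "__main__":
    print(demo())
```

Hash chaining on its own only catches an attacker who edits one record and does not recompute the hashes after it; an operator with write access to the store can rewrite the whole chain. To close that gap in practice, periodically sign the chain head with a key the storage operator does not hold, or anchor the head hash in an external append-only log, so that the audit mechanism required in Part B has something independent to check against.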
Additionally, Rule 13 of the draft Rules lays down that, in order to enable Data Principals to exercise their rights under the Act, the Data Fiduciary and, where applicable, the Consent Manager must publish on their website or app:
(a) Details of how a Data Principal can request the exercise of their rights; and
(b) Any identifiers, such as a username, required to identify the Data Principal under the terms of service.
Both the Data Fiduciary and the Consent Manager must also publish the period within which they will respond to grievances raised through their grievance redressal system, and must implement appropriate technical and organisational measures to ensure that grievances are actually handled within that period.
Conclusion
The stringent conditions for registration, including financial health, technical and operational capacity, and the reputation of key personnel, ensure that only capable and trustworthy entities can act as Consent Managers. Additionally, the obligations outlined in the draft DPDP Rules, such as maintaining records of consents, implementing security safeguards, and avoiding conflicts of interest, further reinforce the commitment to protecting Data Principals’ rights.
A Consent Manager under the Act is entrusted with representing the Data Principal's interests and will hold a central role in standardising consent. By establishing a framework for the registration and obligations of Consent Managers, the DPDPA and the draft DPDP Rules aim to ensure that these entities operate with transparency, integrity and in the best interests of Data Principals.
You can learn more about Consent Managers in this video: DPDPA Series: The Ultimate Consent Manager Playbook Ft. Akarsh Singh.