Top 10 operational impacts of India’s DPDPA – Consent management

This article is part of a series that explores components of the DPDPA.

The Digital Personal Data Protection Rules, 2025, notified by India’s Ministry of Electronics and Information Technology, clarify the terms and conditions for registering consent managers and outline their responsibilities.

Defining consent managers 

The Digital Personal Data Protection Act defines a consent manager as a single point of contact to enable data principals — the users of a service — to give, manage, review and withdraw consent for personal data processing through an accessible, transparent and interoperable platform. Consent managers are required to be accountable to the data principal and to act on their behalf. Consent managers are to be registered with the Data Protection Board of India, a new oversight body established under the law. 

The DPDPA requires the data principal's consent to be free, specific, informed, unconditional and unambiguous with clear affirmative action. Their consent should signify an agreement to the processing of personal data for a specified purpose and be limited to personal data that is necessary for the purpose.

In the Srikrishna Committee Report of 2017 — one of the first guiding documents that informed the DPDPA — consent managers were envisaged as trusted intermediaries between users and businesses, operating a "dashboard" enabling users to choose consent preferences for various data types from a menu of options.