RESOURCE ARTICLE

Top 10 operational impacts of India’s DPDPA – Consent management

This article provides insight on consent management in relation to India's DPDPA.


Published: 11 July 2024

Last updated: 20 Jan. 2026

This article is part of a series that explores the most important components of the DPDPA, as clarified by the DPDP Rules, 2025. The full series can be accessed here.

Editor’s note: On 13 Nov. 2025, India's government notified the Digital Personal Data Protection Rules, laying out a phased framework for implementing the provisions of the Digital Personal Data Protection Act. The aim is to avoid repetition across the articles as each author addressed it slightly differently.

The Digital Personal Data Protection Rules, 2025, notified by India’s Ministry of Electronics and Information Technology, clarify the terms and conditions for registering consent managers and outline their responsibilities.

Defining consent managers 

The Digital Personal Data Protection Act defines a consent manager as a single point of contact to enable data principals — the users of a service — to give, manage, review and withdraw consent for personal data processing through an accessible, transparent and interoperable platform. Consent managers are required to be accountable to the data principal and to act on their behalf. Consent managers are to be registered with the Data Protection Board of India, a new oversight body established under the law. 

The DPDPA requires the data principal's consent to be free, specific, informed, unconditional and unambiguous with clear affirmative action. Their consent should signify an agreement to the processing of personal data for a specified purpose and be limited to personal data that is necessary for the purpose.

In the Srikrishna Committee Report of 2017 — one of the first guiding documents that informed the DPDPA — consent managers were envisaged as trusted intermediaries between users and businesses, operating a "dashboard" enabling users to choose consent preferences for various data types from a menu of options. 

Consider an example of how this could work. A user signs up with a company that is registered as a consent manager and sets their default data collection preferences. When a new company seeks to collect a set of the user's personal information, the consent settings they chose with the consent manager would be the default. This is designed to reduce consent fatigue while giving users more control over how their data is shared.

Responsibilities and oversight of consent managers 

A consent manager will operate a platform, app or website that allows a data principal to give consent to the processing of their personal data by various data fiduciaries that are onboarded on to the same platform. Examples in the DPDP Rules suggest data principals can use consent managers to share data portability instructions, such as digitally directing one bank to share an individual’s bank statement with another, with the consent managed by the consent manager. The contractual arrangement between entities onboarded to the platform and its operator may need further clarification.

The consent manager also ensures that the content of personal data provided by the data principal to the data fiduciary is not readable by the consent manager. It is tasked with maintaining a record of consents given, denied or withdrawn by a data principal, as well as any notices accompanying requests for consent and records of data sharing with a transferee data fiduciary. Notably, the consent manager cannot subcontract or assign the performance of any of its obligations under the law to any third party.

The consent manager must also have measures in place to ensure there is no conflict of interest; it must also publish information about its promoter, directors, key managerial personnel and shareholders who hold more than 2% shares in the company. Consent managers cannot undergo a change of control without approval from the DPBI, presumably to ensure the conditions stated in the law continue to be met in such an event.

Entities interested in becoming a consent manager can apply to the newly constituted DPBI. Applicants must also meet specific preconditions, including being incorporated in India, satisfying a minimum net worth requirement, complying with corporate governance rules, and demonstrating sufficient technical and financial capacity to fulfill obligations under the law. Applicant organizations must also obtain an independent certification of adherence to data protection frameworks and standards published by the DPBI.

If the aforementioned criteria are met, the DPBI would register an applicant as a consent manager and retain the power to suspend or cancel the registration if the consent manager fails to comply with the conditions set forth in the law. The board also retains broad oversight authority, including the power to give any directions it considers necessary to the consent manager in order to safeguard the interest of data principals.

Consent managers should also provide a way to redress data principals' complaints. The DPBI can investigate failures to offer redress and impose penalties on the consent manager. Thus, companies planning to provide these services can expect to be heavily supervised by the board.

Operational details of consent management dashboards

The DPDPA leaves many important details to be ironed out through subordinate legislation, including the operational and technical aspects of the consent management industry.

The law states India’s government will provide for "the manner of accountability and the obligations of Consent Manager," as well as "the manner of registration of Consent Manager and the conditions relating thereto."

Despite the law's lack of specific details, existing entities that offer consent management solutions to businesses are gearing up to customize their offerings under the DPDPA, relying on various previously released government policy documents to get a sense of how consent managers may be expected to operate. 

A policy document titled "Data Empowerment and Protection Architecture – Draft for Discussion," published by NITI Aayog, the public policy think tank of the Indian government, provides insight into the technical aspects of consent dashboards. The document explains that the consent manager would only collect "consent artifacts," meaning it would track a data principal's consent preferences regarding their personal data and not have access to any of the actual personal data.

The Srikrishna Committee report explained the plan is designed to replace costly and cumbersome data sharing practices that "disempower individuals," such as physical submission of documents, username and password sharing, and terms of service requiring blanket consent.

In the DEPA's visualization of its architecture, the consent manager sits between three separate players: the data principal or user, a company that is a data provider and another company that is the data requester.

The data provider is an entity, like a bank or a government tax portal, that has secure access to user data. The data requester could be, for instance, a credit card company that needs data to provide services to the user. The consent manager has access to the user's data-sharing preferences and consent.

So, when a "data requester" seeks access to several pieces of information, the consent manager will help secure transmission of the data for which permission is provided through secure application programming interfaces without storing any actual data.

The Srikrishna Committee Report observed that a system like this would require "significant interoperability" between the consent manager and various businesses.

Consent management in the current Indian ecosystem 

The idea of a trusted intermediary handling consent between a user and a service provider is not new. Similar intermediaries, known as account aggregators, exist in the financial sector. They help users share confidential financial information with banks and other financial institutions to obtain loans and other services.

The account aggregator does not collect the data, but helps transfer it through secure channels between parties, enabled through an API connection between the account aggregator and financial institutions.

More recently, under India's Digital Health Mission, a similar consent manager framework has been proposed as a way to authorize consent-driven health care data sharing between health care providers and users. 

Concerns with interoperability 

While the success of account aggregators in the financial sector has encouraged the replication of this model across other legal frameworks, it is worth noting the financial sector is tightly regulated and both the account aggregator and financial institutions are under the jurisdiction of the same regulator, the Reserve Bank of India.

The RBI publishes technical specifications for all participants of this ecosystem, including the technical details of the APIs. All participants in the ecosystem build their IT infrastructure in accordance with these specifications, thus ensuring interoperability.

On the other hand, in the case of the DPDPA, the DPBI can only specify the operational and technical requirements for the consent manager's IT infrastructure. The board does not have jurisdiction over other players in the ecosystem. Hence, ensuring interoperability would pose a different kind of challenge.

The government has experimented with building interoperable platforms in the fields of payments and e-commerce. The idea is similar: a base public infrastructure into which different private players plug in through APIs.

The Ministry of Electronics and Information Technology's flagship payment infrastructure company, the National Payments Corporation of India, has built the infrastructure for the Unified Payment Interface. After being mandated to do so by the financial sector regulator, banks and payment apps like Google Pay have plugged into the UPI infrastructure to provide interoperable money transfer services between any two bank accounts regardless of whether a user has a particular bank account or payment app.

A similar effort has been undertaken through the Open Network for Digital Commerce to bring e-commerce companies onto this interoperable platform, enabling any seller — such as Amazon — to directly transact with any buyer on another platform — like Walmart. This project, however, has not taken off as planned. Adoption has been a major roadblock, and the ONDC has not hit critical mass in any major city in India. 

The high adoption of interoperable platforms in the financial sector, a tightly controlled sector with one centralized regulator, in contrast with the lack of adoption in the field of e-commerce, which has no centralized regulator, might suggest it is much harder to drive the adoption of a new technology on the basis of market incentives alone and without a regulator to impose technical specifications on all players through delegated legislation.

The DEPA document states it seeks to create a competitive ecosystem under the DPDPA in which any private consent manager presumably can plug into a network built on the public infrastructure of information providers and users without needing to set up "expensive, duplicative and exclusive bilateral data sharing mechanisms." However, it remains unclear what market incentives and regulatory interventions would be needed to foster a truly competitive ecosystem and ensure that level of interoperability.

Another concern is that the success of this framework depends on the level of security in the underlying public infrastructure. If security is not ensured, companies and users alike would be understandably reluctant to adopt the system. It is worth noting there have, indeed, been data breaches in the past.

The way forward

Companies that act as data fiduciaries and controllers will need to focus on: 

  • Engaging with the DPBI, once it is established, to ensure subordinate regulation is well-designed and commercially feasible.
  • Establishing contractual safeguards to cover any liability arising from issues attributable to the consent manager.
  • Instituting mechanisms for immediate communication of any changes in consent artifacts through the consent managers so data deletion procedures or other relevant next steps can be instituted promptly.
  • Giving feedback on any mandatory integration with public infrastructure.

Companies that seek to act as consent managers should also engage with the DPBI to ensure any technical specifications imposed are in line with best commercial practices and ensure they are legally safeguarded from repercussions if they follow their standards. Organizations should also confirm they do not have visibility of any users' personal data as this can invite additional obligations.  

Consent managers have emerged globally for specific purposes — such as under the California Consumer Privacy Act in the U.S. and the EU General Data Protection Regulation — especially to manage cookie consent. As noted in a previous IAPP article, these consent managers are far from foolproof.

What India's DPDPA seeks to undertake is a scaled-up version of the same model. While the intent to reduce consent fatigue through consent dashboards is commendable, the actual operation of this system will require strategically designed regulations and market incentives at a scale not attempted yet in other markets.

Full series overview

The overview page for the full series can be accessed here.


This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.


Contributors:

Raktima Roy

Georgetown Law


Tags:

Compliance tech, International data transfers, Privacy engineering, Regulatory guidance, Risk management, Strategy and governance, Government, Cybersecurity law, Privacy