DPDP Act | April 2026

What Is a Consent Manager Under India's DPDP Act?

India's DPDP Act introduces a new category of regulated entity — the Consent Manager. Here's what it is, what it must do, and why it matters for every business handling personal data in India.

India's Digital Personal Data Protection Act 2023 (DPDP Act) is one of the most significant pieces of legislation to emerge from the Indian Parliament in the last decade. It fundamentally changes how businesses collect, store, and use personal data — and at the centre of that change is a concept many organisations are still grappling with: the Consent Manager.

If you're a business operating in India, understanding what a Consent Manager is — and whether you need one — is no longer optional. With the DPDP Rules 2025 now notified and a compliance deadline of May 2027 on the horizon, the clock is running.

This article explains everything you need to know: what a Consent Manager is under the DPDP Act, how it works, who needs to register, and what it means in practice for your organisation.

What the DPDP Act Actually Says About Consent

Before understanding the Consent Manager role, it helps to understand why consent is so central to the DPDP Act in the first place.

Under Section 6 of the DPDP Act, a Data Fiduciary (any entity that determines the purpose and means of processing personal data) must obtain valid consent from a Data Principal (the individual whose data is being processed) before collecting or using their information. That consent must be:

Pre-ticked boxes, vague terms, and blanket consent clauses are all explicitly invalid under the Act. Every consent interaction must be documented, auditable, and reversible — meaning individuals must be able to withdraw consent as easily as they gave it.

For large enterprises processing data at scale — think banks with millions of loan applicants, insurers capturing health data, or telecom companies managing subscriber records — managing this at volume is a genuine operational challenge. That's precisely where the Consent Manager comes in.

What Is a Consent Manager Under the DPDP Act?

Section 6(7) of the DPDP Act defines a Consent Manager as a person registered with the Data Protection Board of India (DPBI) who acts as a single point of contact, enabling Data Principals to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform.

In plain language: a Consent Manager is a regulated intermediary that sits between individuals and the organisations using their data. It gives individuals a unified interface — a single dashboard or app — through which they can see exactly who has their consent, for what purpose, and can revoke it at any time.

The concept is modelled closely on India's Account Aggregator (AA) framework in financial services. Just as Account Aggregators enable consent-based sharing of financial data between banks and lenders, Consent Managers are designed to do the same for personal data across sectors — healthcare, retail, telecommunications, insurance, and beyond.

The key distinction: a Consent Manager acts for the individual, not the organisation

This is arguably the most important thing to understand about the Consent Manager role. A Consent Manager does not work on behalf of the Data Fiduciary. It works on behalf of the Data Principal — the individual. It's a trust layer that protects the person, not the company.

This creates a structural check on data practices that didn't exist before. A business cannot manipulate its own consent records if an independent, registered Consent Manager is the entity holding and managing those records.

How Does a Consent Manager Work in Practice?

The operational flow of a Consent Manager looks roughly like this:

1. Data Fiduciary requests consent

A bank, hospital, or e-commerce platform wants to collect personal data. Rather than presenting their own in-house consent form (which may be opaque or manipulative), they route the consent request through a registered Consent Manager.

2. The Consent Manager presents a standardised notice

The Consent Manager generates a clear, plain-language notice explaining what data will be collected, for what purpose, who it will be shared with, and for how long. Under the DPDP Rules, these notices must be available in all 22 scheduled Indian languages.

3. The Data Principal gives or refuses consent

The individual interacts directly with the Consent Manager's interface — not the company's. They can grant consent for specific purposes, decline others, and ask questions. Their choice is recorded on an auditable, tamper-evident ledger.

4. Consent records are maintained

The Consent Manager maintains a complete, timestamped audit trail of every consent interaction — what was asked, when, what the individual chose, and any subsequent changes. This record is available for regulatory inspection at any time.

5. Withdrawal is as easy as consent

At any point, the individual can return to the Consent Manager's platform and withdraw consent for any specific purpose. The Consent Manager notifies the Data Fiduciary, who must then cease processing the relevant data.

Who Needs to Register as a Consent Manager?

Registration as a Consent Manager is mandatory for any entity that wants to provide this intermediary role commercially. The DPDP Rules set out eligibility requirements covering:

Importantly, the Act also allows organisations to manage consent internally — as long as they meet the same technical and legal requirements as a registered Consent Manager. However, for most mid-to-large enterprises, appointing an independent third-party Consent Manager is the more practical and credible path. It demonstrates neutrality, reduces legal risk, and is significantly easier to audit.

Why Does the DPDP Act Require Consent Managers at All?

The rationale is straightforward: self-regulation doesn't work for consent.

Historically, consent in India has been a compliance checkbox — dense terms and conditions that nobody reads, pre-ticked boxes, and vague umbrella clauses that give organisations sweeping rights over personal data. The DPDP Act is designed to end that.

But simply mandating "better consent" isn't enough. Without an independent, technically robust layer between individuals and organisations, there's no reliable way to ensure consent records are accurate, unmanipulated, or accessible to the people they concern.

The Consent Manager model — borrowed in structure from the Account Aggregator framework — addresses this by introducing a trusted, registered intermediary. It shifts the power dynamic: instead of organisations deciding how consent is recorded, an independent entity does.

What Are the Obligations of a Consent Manager?

A registered Consent Manager carries significant obligations under the DPDP Act and Rules:

Accuracy and integrity of consent records

Every consent record must be accurate, current, and tamper-proof. Any modification to a consent record — whether a grant, withdrawal, or change of scope — must be logged with a full audit trail.

Accessibility and language compliance

The Consent Manager's platform must be accessible to all Data Principals, including those with disabilities (WCAG compliance), and must offer consent flows in English and all 22 scheduled Indian languages.

Interoperability

The Consent Manager must be able to connect with the systems of any Data Fiduciary seeking to use its services. API-first design is effectively a requirement.

Grievance redressal

A clear, responsive mechanism must exist for Data Principals to raise complaints about consent interactions. Response timelines are specified under the DPDP Rules.

Data minimisation

A Consent Manager may only access personal data to the extent necessary to manage consent. It cannot use the data it handles for its own commercial purposes.

Regulatory reporting

The Consent Manager must be able to generate compliance reports on demand for the Data Protection Board and must notify the Board of any material breaches.

Blockchain and Consent Management: Why It Matters

One of the structural challenges of consent management at scale is tamper-resistance. Traditional database systems, even well-secured ones, are vulnerable to manipulation: a record in a SQL database can be updated or deleted by anyone holding write access. In a consent management context, this creates a compliance risk: if a Data Fiduciary can alter consent records, the entire system of accountability breaks down.

This is why blockchain-based consent management infrastructure is attracting serious attention from regulators and enterprises. A blockchain ledger is immutable by design — once a consent record is written, it cannot be altered without detection. This makes it structurally ideal for the DPDP Act's requirements around audit trails, tamper-evidence, and regulatory reporting.

The key architecture that works within DPDP's constraints is a permissioned blockchain with off-chain personal data storage. This means:

This architecture respects both the DPDP Act's requirement for tamper-proof consent trails and its data minimisation principle, while also accommodating the right to erasure — personal data can be deleted off-chain while the consent audit trail remains intact on-chain.
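The on-chain/off-chain split described above, as an added Python example that is not code from Flip, Qila or the DPDP Rules: a SHA-256 hash chain stands in for the permissioned ledger, and the ConsentLedger class, its method and field names, and the sample values are constructed for illustration. It also shows a caveat: a hash chain on its own only exposes in-place edits, so a head hash held by another party (the hypothetical trusted_head argument) is what catches a full rewrite.

```python
import hashlib, hmac, json, secrets
GENESIS = "0" * 64  # "prev" value of the first entry

def digest(body):  # canonical JSON -> stable SHA-256
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentLedger:
    def __init__(self):
        self.chain = []      # "on-chain": pseudonymous consent events, never PII
        self.off_chain = {}  # "off-chain": ref -> salt + personal data, erasable

    def enrol(self, pii):
        salt = secrets.token_bytes(16)  # erased with the PII, so ref cannot be recomputed
        ref = hmac.new(salt, json.dumps(pii, sort_keys=True).encode(), hashlib.sha256).hexdigest()
        self.off_chain[ref] = {"salt": salt, "pii": pii}
        return ref

    def record(self, ref, fiduciary, purpose, action, ts):
        body = {"ref": ref, "fiduciary": fiduciary, "purpose": purpose, "action": action,
                "ts": ts, "prev": self.chain[-1]["hash"] if self.chain else GENESIS}
        self.chain.append({**body, "hash": digest(body)})
        return self.chain[-1]["hash"]

    def erase(self, ref):
        self.off_chain.pop(ref, None)  # erasure touches off-chain data only

    def verify(self, trusted_head=None):
        """Index of the first inconsistent entry, or -1 if the trail is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.chain):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        # A writer who recomputes every hash passes the loop above; only a head
        # hash held by another party (regulator, peer node) exposes the rewrite.
        if trusted_head is not None and prev != trusted_head:
            return len(self.chain) - 1
        return -1

def demo():
    led = ConsentLedger()
    ref = led.enrol({"name": "Constructed Person", "phone": "+91-0000000000"})
    led.record(ref, "example-bank", "marketing", "grant", "2026-04-01T10:00:00Z")
    head = led.record(ref, "example-bank", "marketing", "withdraw", "2026-04-20T09:30:00Z")
    led.erase(ref)                     # personal data deleted off-chain
    after_erasure = led.verify(head)   # consent trail still verifies
    led.chain[1]["action"] = "grant"   # withdrawal edited in place
    return after_erasure, led.verify(head), ref in led.off_chain
```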

What This Means for Your Business

Whether you're a Data Fiduciary evaluating compliance options, or a technology company considering registering as a Consent Manager, the DPDP Act creates clear obligations and clear opportunities.

For enterprises (Data Fiduciaries)

You need a consent management solution that is DPDP-compliant by the May 2027 deadline. That means obtaining valid, specific, auditable consent for every piece of personal data you process — and being able to demonstrate this to regulators on demand. Building this in-house is possible but expensive. Working with a registered Consent Manager is typically faster, cheaper, and provides a ready-made compliance layer.

For technology platforms

The Consent Manager category represents a new class of regulated infrastructure in India. Registration with the DPBI, combined with a technically robust platform, positions you as neutral, trusted infrastructure for the data economy — a role analogous to what payment gateways played in India's fintech revolution.

For BFSI sector organisations

Banks, NBFCs, insurance companies, and wealth managers sit at the intersection of maximum data sensitivity and maximum regulatory scrutiny. The DPDP Act's consent requirements overlap significantly with existing RBI and IRDAI data governance frameworks. A Consent Manager that integrates with your existing CRM, LOS, and core banking systems — and produces audit-ready reports — is not a nice-to-have. It's infrastructure.

Frequently Asked Questions

Is appointing a Consent Manager mandatory under the DPDP Act?

Not mandatory for every organisation. Data Fiduciaries can manage consent internally if they meet the technical and legal requirements. However, using a registered, independent Consent Manager is the lower-risk path for most enterprises, as it provides structural separation between the organisation and the consent records it relies on.

When does the DPDP Act come into full force?

The DPDP Rules 2025 were notified in November 2025, setting a phased compliance timeline. Most enterprise compliance obligations, including consent management, must be met by May 2027.

Can a Data Fiduciary also be a Consent Manager?

The DPDP Act's intent is that Consent Managers operate independently of the Data Fiduciaries they serve — a neutrality requirement that mirrors the Account Aggregator framework's design. An entity simultaneously acting as both would face significant conflict-of-interest scrutiny from the DPBI.

What happens if consent is not properly managed?

Failure to obtain and maintain valid consent is a direct violation of Section 6 of the DPDP Act. The Data Protection Board can impose penalties of up to ₹250 crore per violation, with separate penalty caps for different types of breaches. Consent failures are among the most clearly defined enforcement triggers in the Act.

Does DPDP consent management apply to B2B data?

The DPDP Act applies to the processing of digital personal data — data relating to identifiable natural persons. If your B2B interactions involve personal data of individuals (employees, directors, contact persons), those interactions are in scope. Pure company-to-company data with no individual-level personal data is generally out of scope.

The Bottom Line

The Consent Manager is one of the most consequential new concepts in India's data protection landscape. It transforms consent from a legal formality into a live, auditable, individual-controlled right — and it creates a regulated infrastructure role for the entities that manage it.

For businesses in India, the question is no longer whether to take consent management seriously. The DPDP Act has settled that. The question now is how to build or adopt a consent management system that is technically robust, regulatorily sound, and operationally scalable before the compliance deadline arrives.

Ready for DPDP-compliant consent management?

Flip, built on the Qila Blockchain, is India's blockchain-based Privacy-as-a-Service platform. Flip helps enterprises comply with the DPDP Act, GDPR, and CCPA through immutable consent management, tamper-proof audit trails, and API-first integration with existing enterprise systems.