What Is a Consent Manager Under the DPDP Act?
A Consent Manager is a platform registered with the Data Protection Board of India that lets individuals give, review, manage, and withdraw consent across services from a single interface. Registration under Rule 4 opens on 13 November 2026, with eligibility conditions covering net worth, governance, and interoperability.
What Is a Consent Manager?
Section 6(7)–(9) of the DPDP Act 2023; Rule 4 of the DPDP Rules 2025
A Consent Manager is a registered intermediary that helps Data Principals manage their consent across multiple Data Fiduciaries — acting on their behalf through an interoperable platform.
The Act introduces the concept of a Consent Manager — an entity through which Data Principals can give, manage, review, and withdraw consent. Think of it as a consent dashboard that sits between individuals and the organisations that process their data.
A Consent Manager is accountable to the Data Principal and acts on their behalf. This means the Consent Manager takes instructions from the individual, not from the Data Fiduciary.
Every Consent Manager must be registered with the Data Protection Board. Rule 4 sets out the conditions for registration, which are detailed in the First Schedule, Part A. To qualify, a Consent Manager must be a company incorporated in India, have a net worth of at least two crore rupees, demonstrate adequate technical and operational capacity, and obtain an independent certification.
The Board reviews applications and may either register or reject a Consent Manager. Registration can also be suspended or cancelled if the Consent Manager fails to meet its obligations.
The obligations of a Consent Manager are set out in the First Schedule, Part B. A Consent Manager must enable consent management through an interoperable platform, meaning one that works across different Data Fiduciaries, not just one. Personal data passing through the platform must not be readable by the Consent Manager itself. Records must be maintained for seven years. Subcontracting is prohibited: the Consent Manager must perform its functions directly. There must also be no conflicts of interest.
Key Points
- A Consent Manager enables Data Principals to manage consent across multiple organisations.
- Consent Managers are accountable to the Data Principal, not the Data Fiduciary.
- Registration with the Data Protection Board is mandatory.
- Eligibility: incorporated in India, net worth of at least two crore rupees, adequate capacity, independent certification.
- Must operate an interoperable platform where personal data is not readable by the Consent Manager.
- Must maintain records for 7 years, cannot subcontract, and must avoid conflicts of interest.
- The Board can suspend or cancel registration.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. It is a plain-English interpretation of the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. The official gazette text is the only authoritative source. Consult qualified legal counsel before making compliance decisions.