
Role of Consent Managers: Insights from the Draft Digital Personal Data Protection Rules

23 April 2025

by Aryashree Kunhambu

India’s data protection landscape has long positioned ‘consent’ as a cornerstone of lawful data processing, and the Digital Personal Data Protection Act, 2023 (Act) continues to place consent as a primary legal basis for processing digital personal data. However, the Act elevates the threshold for obtaining valid consent by embedding the principles of transparency, accountability and individual autonomy by requiring it to be free, specific, informed, unambiguous and affirmative consent.[1]

Recognizing the operational and compliance challenges inherent in managing consent at scale by Data Fiduciaries[2], the Act introduces ‘Consent Managers’[3] to serve as an independent platform that facilitates the giving, management, review and withdrawal of consent by Data Principals.[4]

In this article, we explore the defined role, responsibilities and operational contours of a Consent Manager as provided in the recently released draft Digital Personal Data Protection Rules, 2025 (‘Draft Rules’).

Eligibility criteria for registration as a Consent Manager

Under the Act, any entity seeking to function as a Consent Manager is required to be registered with the Data Protection Board of India[5] (DPB). The Draft Rules specify a detailed set of technical, operational and financial criteria that an applicant must fulfill to be eligible for such registration. These requirements are designed to ensure that a Consent Manager possesses the requisite institutional capacity, governance standards and technical capabilities to effectively discharge its obligations under the Act.

Some of the key requirements include:

* Being incorporated as a company in India, demonstrating a sound financial position and competent management;

* Possessing adequate technical, operational and financial capacity to perform Consent Manager functions effectively;

* Maintaining a minimum net worth of INR 2,00,00,000 (rupees two crore);

* Including express provisions in its memorandum and articles of association for adherence to conflict-of-interest obligations, with any amendments thereto requiring prior approval from the DPB;

* Aligning its operational objectives with the interests and rights of Data Principals; and

* Having its platform independently certified for compliance with such standards as may be specified by the DPB.

Obligations and functions of a Consent Manager

The Draft Rules set out a detailed regulatory framework governing the role and obligations of Consent Managers, whereby a Consent Manager is envisaged not merely as an intermediary for consent collection but as a pivotal entity responsible for enabling secure, transparent and user-centric consent management. Specifically, it must operate an interoperable digital platform—accessible through a website or mobile application—that performs the dual functions of: (a) enabling a Data Principal to give, manage, review and withdraw her consent based on the privacy notice or other relevant information provided to her; and (b) allowing the Data Fiduciary to rely on such consent to lawfully deliver its goods or services to such Data Principal.

Further, a Consent Manager is directly accountable to the Data Principal and is expected to act on her behalf as per the conditions prescribed under the Draft Rules. To this end, the Draft Rules impose specific operational constraints. Firstly, the Consent Manager must remain ‘data blind’, meaning that it must ensure that the personal data underlying the consent is not accessible to or readable by the Consent Manager. Secondly, it is prohibited from subcontracting or assigning any of its obligations under the Act to third parties. Thirdly, the Consent Manager must maintain institutional independence from Data Fiduciaries, including in respect of its directors, promoters and key managerial personnel.

In addition to the above, the Draft Rules also prescribe other ongoing obligations for Consent Managers, such as:

* Maintaining detailed records of consents obtained, notices associated with those consents, and all data-sharing activities conducted through their platforms;

* Providing Data Principals with access to their consent records and, upon request, providing such records in a machine-readable format;

* Retaining all relevant records for a minimum period of seven (7) years;

* Publishing on the digital platform relevant corporate disclosures, such as company ownership and shareholding structure;

* Maintaining audit mechanisms to assess compliance with the Act and Draft Rules and periodically submitting such audit reports to the DPB; and

* Seeking prior approval from the DPB before any transfer of control of the company through sale, merger, or other restructuring process.

Conclusion

In response to stringent regulations such as the European Union’s General Data Protection Regulation, a global ecosystem of technology service providers has emerged to support Data Fiduciaries in managing the consent required for lawful data processing. Notably, India’s DPDP Act distinguishes itself as the first legislative framework to formally institutionalize the role of a Consent Manager within its regulatory architecture. By providing an option to onboard a Consent Manager, the Act and the Draft Rules aim to reduce the operational burden of Data Fiduciaries while enhancing transparency and user agency for Data Principals. However, the success of this model will depend upon various factors, including demand-side pressures, revenue models and the extent of acceptance by Data Principals.

Nonetheless, this model opens a spectrum of business opportunities in India, especially for entities engaged in offering data privacy and cybersecurity solutions (such as consent orchestration), who may be well-positioned to undertake this role. It will be critical to watch regulatory responses as well as evolving business models in this context, with the notification of the Rules.

[The author is an Associate in Technology Law practice at Lakshmikumaran & Sridharan Attorneys, Hyderabad]


[1] Section 6(1) of the Act.

[2] Section 2(i) of the Act provides that the term ‘Data Fiduciary’ means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

[3] Section 2(g) of the Act provides that the term ‘Consent Manager’ means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.

[4] Section 2(j) of the Act provides that the term ‘Data Principal’ means the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.

[5] Section 18 of the Act.
