Consent Manager India — DPDP Act Requirements 2026: Everything You Need to Know

India’s Digital Personal Data Protection Act, 2023 (DPDP Act) introduced a new player in the privacy ecosystem: the Consent Manager. This is not a Cookie Banner. This is not a pop-up tool you buy and install. A Consent Manager under the DPDP Act is a registered intermediary — a licensed entity that gives individuals a single, interoperable platform to give, manage, review, and withdraw their consent across multiple data fiduciaries.

The DPDP Rules 2025, notified on November 13, 2025, operationalised the framework. The Consent Manager provisions kick in exactly 12 months later — November 13, 2026. That’s less than 5 months away.

Whether you are a Data Fiduciary wondering how to integrate with this new layer, an organisation considering registering as a Consent Manager, or a DPO or CIO building your consent architecture — this guide covers everything, grounded in the actual statutory text.

1. What Is a Consent Manager Under the DPDP Act?

The term is defined in Section 2(g) of the DPDP Act, 2023:

“Consent Manager means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform.”

Three words in this definition deserve special attention:

Accessible — the platform must work for all users, regardless of technical literacy or disability.

Transparent — users must be able to see clearly which data fiduciaries they have given consent to, for what purpose, and when.

Interoperable — a single Consent Manager must communicate consent signals across multiple, unrelated data fiduciaries. Think of it like UPI for consent — one interface, many recipients.

Section 6(6) of the DPDP Act further clarifies the accountability relationship:

“A Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed. Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.”

Key distinction: A Consent Manager does not read, process, or access the personal data being shared between the Data Principal and Data Fiduciary. It is a consent orchestration layer — it routes signals, not data.

2. How Is a Consent Manager Different from a Cookie Consent Tool?

Feature | Cookie Consent Tool | DPDP Consent Manager
Registration required | No | Yes — with Data Protection Board of India
Scope | Single website / app | Cross-fiduciary — works across multiple organisations
Accesses personal data | Sometimes | No — consent signals only, not the data
Regulatory status | Vendor product | Licensed intermediary with fiduciary duty to Data Principal
Net worth requirement | None | Minimum ₹2 crore (First Schedule, DPDP Rules 2025)
Record retention | Varies | Mandatory 7 years
Conflict of interest restrictions | None | Cannot act as Data Fiduciary/Processor for the same Data Principal

Tools like OneTrust, CookieYes, or Cookiebot may help you manage cookie consent on your website. But they are not DPDP Act Consent Managers. If a Consent Manager becomes mandatory in your sector, you will need to integrate with a registered intermediary — a separate, regulated entity.

3. Who Can Register as a Consent Manager? The First Schedule Requirements

The First Schedule of the DPDP Rules 2025 (Part A) sets out the eligibility conditions for Consent Manager registration:

3.1 Incorporation

The applicant must be a company incorporated in India — a private or public limited company, society, or trust registered under Indian law. Foreign entities cannot register directly.

3.2 Minimum Net Worth

The applicant must have a minimum net worth of ₹2 crore (approximately USD 225,000). This figure is subject to annual inflation adjustment and signals financial capacity to maintain secure systems, insurance, and sustained operations as a regulated entity.

3.3 Technical Infrastructure

  • Secure, encrypted infrastructure for handling consent records
  • Interoperability standards compliance — API connectivity across different data fiduciary systems
  • Independent certification of technical and organisational security measures

3.4 Governance Requirements

  • A Board of Directors with documented conflict-of-interest policies
  • Directors and key personnel must not hold material financial interests in data fiduciaries for whom the Consent Manager manages consent
  • The entity cannot simultaneously act as a data fiduciary or data processor for the same data principals whose consent it manages

⚠️ Important: As of June 2026, no organisation has yet been registered as a Consent Manager under the DPDP Act. The DPBI registration portal has not opened. Begin technical architecture work now — do not wait for the portal to go live.

4. What Are the Obligations of a Registered Consent Manager?

4.1 Fiduciary Duty to the Data Principal

The Consent Manager is not a vendor to the data fiduciary — it is an agent of the individual. Its legal obligation runs to the person, not the business. This accountability structure does not exist for cookie consent tools.

4.2 Enable Four Consent Actions

  1. Give consent — to one or more data fiduciaries for specified purposes
  2. Manage consent — view current consents and their scope
  3. Review consent — access historical consent records
  4. Withdraw consent — revoke consent from any data fiduciary at any time, with immediate effect

All four must be equally simple. The DPDP Act is explicit: withdrawal must be as easy as the original act of giving consent.

4.3 No Access to Personal Data

A Consent Manager must not access the contents of the personal data being shared. It handles consent signals only — not the data itself. This is a hard architectural requirement.

4.4 Consent Record Retention — 7 Years

Every consent event — given, reviewed, modified, or withdrawn — must be retained for a minimum of 7 years from the date of the relevant event. This creates a substantial audit trail obligation with significant implications for data storage, encryption, and security architecture.

5. Do Data Fiduciaries Have to Use a Consent Manager?

No — use is optional, not mandatory, under the DPDP Act as currently written.

A data fiduciary may obtain, manage, and record consent directly, provided it meets all requirements of Section 6 of the DPDP Act. However, certain sectors will see effective mandates through sector-specific regulations:

Sector | Why Consent Manager Relevance is High
Financial Services / BFSI | Cross-entity data flows (bank, insurer, NBFC, AA framework) require interoperable consent
Healthcare / Healthtech | Multi-provider data sharing (hospital, lab, insurer, pharmacy) requires single consent view
Government / DigiLocker ecosystem | Cross-ministry data flows likely to require registered Consent Manager
Significant Data Fiduciaries (SDFs) | SDFs processing high-volume data may receive sector-specific Consent Manager mandates

Strategic Advice for CIOs: Even if Consent Manager integration is not yet mandatory for your sector, build your consent architecture to be API-ready. Retrofitting a non-interoperable consent system after a mandate is expensive and operationally disruptive.

6. What Must Data Fiduciaries Do Now? Preparation Roadmap

  1. Audit your current consent framework — Map every consent touchpoint. Use our DPDP Act Compliance Checklist to benchmark against all 8 obligation areas.
  2. Redesign consent notices — Comply with Rule 3 of DPDP Rules 2025: specific, purpose-based, plain language, available in Indian languages on request.
  3. Implement consent record-keeping — Log every consent event with timestamp, notice version, purpose, channel, and user action. Retain for 7+ years.
  4. Build API-ready consent infrastructure — Develop API endpoints to receive consent signals from external Consent Managers and propagate withdrawals immediately across all internal systems.
  5. Appoint a Data Protection Officer — Significant Data Fiduciaries must appoint a DPO. MYITMANAGER offers DPO as a Service for CIPP/E-qualified expertise without a full-time hire.
  6. Integrate with a registered Consent Manager — Once the DPBI registration portal opens (expected Q4 2026), evaluate and integrate a certified Consent Manager.
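
Steps 3 and 4 as an added example (not part of the original guide and not a format prescribed by the DPDP Rules): an append-only consent event log that stores the fields listed in step 3 and treats the latest give/withdraw event as the current state. The hash chain, the field names and the pseudonymous principal IDs are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def digest(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding of one entry body."""
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


class ConsentLog:
    """Append-only consent log; each entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, principal_id, purpose, action, notice_version, channel, ts=None):
        if action not in ("give", "withdraw"):
            raise ValueError("unsupported action: %r" % (action,))
        body = {
            "principal_id": principal_id,  # pseudonymous ID, no personal data
            "purpose": purpose,
            "action": action,
            "notice_version": notice_version,
            "channel": channel,
            "timestamp": ts or datetime.now(timezone.utc).isoformat(),
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Index of the first altered or re-linked entry, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev_hash"] != prev or digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1

    def has_consent(self, principal_id, purpose):
        """Latest event for (principal, purpose) decides; no record means no."""
        for entry in reversed(self.entries):
            if (entry["principal_id"], entry["purpose"]) == (principal_id, purpose):
                return entry["action"] == "give"
        return False
```

A chain held in one place can still be rewritten end to end, so the most recent hash should also be kept somewhere the log's operator cannot edit.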

7. Penalties for Consent Violations Under the DPDP Act

Violation Type | Maximum Penalty
Processing personal data without valid consent | Up to ₹200 crore
Failure to implement adequate security safeguards (leading to breach) | Up to ₹250 crore
Failure to notify DPBI or Data Principals of a data breach | Up to ₹200 crore
Non-compliance with children’s data obligations | Up to ₹200 crore
Failure to fulfil Data Principal rights | Up to ₹50 crore
Obstruction of DPBI proceedings | Up to ₹10 crore

Critical — Section 6(11) Burden of Proof: In any enforcement proceeding where consent is disputed, the Data Fiduciary must prove that notice was given and consent was validly obtained. The burden rests with you, not the regulator. Consent record-keeping is your legal defence.

8. DPDP Act vs GDPR — Key Consent Differences

Dimension | GDPR | DPDP Act 2023
Lawful bases for processing | 6 bases (including legitimate interests) | Consent + specific exempt categories — no legitimate interests basis
Consent Manager concept | Not defined | Defined statutory role with registration and fiduciary obligations
Children’s consent age | 16 (or 13 with member state law) | 18 — verifiable parental consent required below 18
Consent notice language | Clear and plain language | Plain language + Indian languages available on request

The most significant difference: GDPR’s “legitimate interests” basis — widely used in B2B marketing and analytics — does not exist in the DPDP Act. Organisations relying on this basis will need to re-map processing activities to consent or specific exemptions. See our GDPR compliance services for cross-border guidance.

Frequently Asked Questions: Consent Manager India DPDP Act

When does the Consent Manager framework become operational in India?

The Consent Manager framework under the DPDP Rules 2025 becomes operational on November 13, 2026 — exactly 12 months after the Rules were notified. The full DPDP Act compliance deadline for all other obligations is May 13, 2027.

Is using a Consent Manager mandatory for all businesses in India?

No. The DPDP Rules 2025 do not mandate that Data Fiduciaries use a registered Consent Manager. Direct consent management is permitted provided it meets Section 6 requirements. Certain sectors (BFSI, healthcare, government data flows) may be required to use one through sector-specific regulations.

What is the minimum net worth required to register as a Consent Manager?

The First Schedule of the DPDP Rules 2025 requires a minimum net worth of ₹2 crore (approximately USD 225,000). The entity must also be incorporated in India and meet technical, operational, and governance conditions.

What is the penalty for processing data without valid consent?

Up to ₹200 crore per incident under the DPDP Act Schedule. The Data Protection Board of India determines actual penalties based on nature, gravity, duration of the violation, and mitigating factors.

How long must consent records be retained?

A minimum of 7 years from the date of the relevant consent action — giving, reviewing, modifying, or withdrawing consent, whichever is later.

Can a company be both a Data Fiduciary and a Consent Manager?

No. The DPDP Rules 2025 prohibit a Consent Manager from simultaneously acting as Data Fiduciary or Data Processor for the same Data Principal whose consent it manages. This conflict-of-interest restriction is fundamental to the fiduciary role.

When will the DPBI open registration for Consent Managers?

As of June 2026, the DPBI registration portal for Consent Managers has not yet opened. No organisation has yet been registered. Monitor MeitY and the DPBI for portal activation announcements.

What is the difference between a Consent Manager and a cookie consent tool?

A cookie consent tool is a website-level vendor product. A DPDP Act Consent Manager is a licensed, registered intermediary with a fiduciary duty to the Data Principal, works cross-fiduciary across multiple organisations, does not access personal data, requires ₹2 crore net worth, and must retain records for 7 years. Tools like OneTrust or CookieYes are not DPDP Act Consent Managers.

