Consent Managers Under Digital Personal Data Protection Act, 2023 (DPDP): Who Can Register and What Are Their Obligations?


Introduction

India’s digital data landscape is evolving, and with it a new category of regulated intermediary is emerging: the Consent Manager. Under the DPDP Rules 2025, a Consent Manager plays a central role in helping individuals (Data Principals) give, manage, review, and withdraw consent for their personal data. But not just anyone can become one. This blog explains who can register as a Consent Manager, what criteria they must meet, and the ongoing obligations they must uphold so that your business and your users remain audit‑ready and compliant.

 

What Is a Consent Manager?

A Consent Manager acts as a trusted intermediary between the user (Data Principal) and organisations processing personal data (Data Fiduciaries). In simple terms, it’s a platform where users can centrally exercise consent, rather than managing consent separately with each service provider.  

Under the DPDP Rules, a Consent Manager must be registered with the Data Protection Board of India (DPB), satisfy eligibility criteria, and comply with detailed obligations (Part B, First Schedule) when they start operating.  

 

Who Can Register as a Consent Manager?

According to Rule 4 of the DPDP Rules 2025 and the First Schedule (Part A), here are the eligibility criteria:

  • Must be a company incorporated in India.  
  • Demonstrate technical, operational and financial capacity to fulfil the duties of a Consent Manager.  
  • Minimum net worth threshold (e.g., at least ₹2 crore) and sound management reputation.  
  • Corporate governance requirements: The entity’s memorandum & articles must include provisions to avoid conflicts of interest, and these may not be amended without Board approval.  

In short: Only serious, domestically incorporated companies with strong governance and capacity can register.

 

What Are the Core Obligations of a Registered Consent Manager?

Once registered, a Consent Manager must comply with Part B of the First Schedule (Rules in effect after registration date). These include:

  1. Enable users to give, review, and withdraw consent through the platform for any Data Fiduciary.
  2. Maintain accurate records of:
    1. Consents given/denied/withdrawn
    2. Notices preceding or accompanying consent requests
    3. Sharing of personal data with transferee Data Fiduciaries
      These records must be made available to the user (Data Principal) and be exportable in machine‑readable form.
  3. Maintain minimal data access: the Consent Manager should not be able to read the actual personal data being processed by the Data Fiduciary; the CM acts as a conduit, not a data controller.
  4. Avoid conflicts of interest: directors, senior management or shareholders of the Consent Manager must not have material interests in Data Fiduciaries that undermine its user‑centric role.
  5. Security safeguards and audit mechanisms: maintain technical and organisational measures, undergo audits, maintain logs, and implement controls. (dpdpa.com)
  6. Grievance and transparency obligations: publish details of promoters, key management, and large shareholders; have mechanisms for complaints; report to the Board.

Failure to comply can result in suspension or cancellation of registration by the Board. (dpdpa.com)

 

Why This Matters for Your Business

  • If your users start managing consent via registered Consent Managers, your business (as a Data Fiduciary) must recognise and honour those consents; otherwise you risk processing data without a lawful basis.
  • Choosing to integrate early with Consent Managers or building compatible internal systems ensures seamless compliance and customer experience.
  • Consent Managers can significantly reduce your compliance burden by centralising consent, logging, and audit trails, which helps when dealing with the DPDP Act’s high penalties (up to ₹250 crore).
  • Having a compliant Consent Manager platform can become a competitive advantage for your business in the Indian market.

The Consent Manager is a cornerstone of India’s privacy‑centric ecosystem under the DPDP Act. For businesses, the takeaway is clear: either build your systems with the expectation of consent‑manager‑mediated workflows or integrate early to stay ahead of compliance. Registered Consent Managers must operate with transparency, security, and user‑first design, and businesses must be ready to work with them or through equivalent in‑house mechanisms.
