ARTICLE
17 November 2025

Consent Managers Are India's Next Big Opportunity: Here's The FAQ You Need

AK & Partners

AK & Partners is a full-service law firm, whose expertise spans diverse practice areas, including Banking and Finance, Dispute Resolution, Transaction Advisory and Funds, Data Privacy, Tax, and regulatory compliance. Our services are offered across different legal forums and jurisdictions, including the USA, the UK, Singapore, Italy, Spain, Sri Lanka, etc.

Introduction and Legal Recognition of Consent Managers

India's Digital Personal Data Protection Act, 2023 (DPDP Act), introduces a groundbreaking concept, a new regulated entity called the Consent Manager, designed to give individuals greater control over their personal data.

A Consent Manager is defined as an entity registered with the Data Protection Board that serves as a single point of interaction for individuals (Data Principals) to grant, manage, review, or withdraw consent through a platform that is accessible, transparent, and interoperable. In simple terms, Consent Managers provide users with a centralised dashboard to oversee and control consent across multiple organisations (Data Fiduciaries), making it easier to track how and where their data is being used.

This mechanism is one of the most forward-thinking features of India's data protection framework. Consent Managers operate in a fiduciary role, meaning they must act in the best interest of the individual and maintain trust. They are not data brokers or processors for businesses; rather, they function as user-side intermediaries empowered by law.

Frequently Asked Questions (FAQ)

Q1. Is using a Consent Manager mandatory for individuals or companies?

A: No, using a Consent Manager is optional for Data Principals. Individuals can still give consent directly to each Data Fiduciary as they do today. Consent Managers are an additional, convenient option provided by law for those who wish to centrally manage consents. For Data Fiduciaries (companies), there is no mandate that they must integrate a Consent Manager; however, they must accept and honour consents/withdrawals routed through any registered Consent Manager. In practice, if Consent Managers become popular, companies will likely integrate with them to provide a smoother user experience. Some large businesses may initially try to manage consents on their own, but they cannot refuse a valid consent just because it came via a Consent Manager.

Q2. How to register as a Consent Manager in India?

A: To operate as a Consent Manager, an entity must be a company incorporated in India and meet all eligibility criteria set out in the DPDP Rules (First Schedule, Part A). Key requirements include a minimum net worth of INR 2 Crore, demonstrated technical and operational capacity, directors and key management with a clean record, and mechanisms to avoid any conflict of interest with Data Fiduciaries. The company must then apply for registration to the Data Protection Board of India, providing evidence that it meets these criteria together with an independent certification of its platform's interoperability and security measures. The Board will review the application, possibly ask for clarifications, and, if satisfied, register the company as a Consent Manager. The registration process details (application form, documents) will be published by the Board on its website in due course. Once registered, the company can start offering consent management services. Keep in mind that registration is not perpetual: ongoing compliance is required, and the Board can revoke it.

Q3. Can a bank or Big Tech company serve as a Consent Manager for its own customers?

A: In general, no – not in any straightforward "captive" way. The rules require Consent Managers to be independent and avoid conflicts of interest with Data Fiduciaries. If a bank or large tech company tried to register a Consent Manager subsidiary, it would face strict scrutiny: its directors and management must not overlap with the parent (to satisfy conflict rules), and the Consent Manager's articles must forbid preferential treatment. Essentially, a Data Fiduciary cannot simply self-appoint itself as a Consent Manager for consents relating to its own services – that would defeat the purpose of having a neutral third party. The law aims for Consent Managers to be honest brokers, not beholden to any one service. However, a corporate group could create a separate entity that applies to be a Consent Manager, provided it truly meets independence requirements (e.g., independent directors, no shared executives, perhaps even a diverse set of clients not just the affiliate company). The Board would decide based on the applicant's structure whether sufficient independence is maintained.

Q4. What does it mean that a Consent Manager acts in a "fiduciary capacity" to the Data Principal?

A: It means the Consent Manager must act with loyalty and care solely in the interest of the individual (Data Principal) when handling their consents. Much like a fiduciary (such as a lawyer, guardian, or trustee) is expected to act in the beneficiary's best interest, a Consent Manager should not misuse the trust placed in it by the user. In practical terms, the Consent Manager should only process the user's data as needed to provide consent services, keep the user's data confidential, avoid any conflicting incentives, and generally ensure the user's privacy choices are respected above all. If a situation arises where the Consent Manager's financial interest conflicts with the user's privacy interest, the Consent Manager must side with the user. This fiduciary duty is also why strict conflict of interest rules exist – to remove temptations that could compromise the Consent Manager's loyalty to users.

Q5. Can foreign companies or organisations become Consent Managers in India?

A: No, the applicant must be an Indian-incorporated company. This doesn't bar foreign investment or partnership, but the legal entity providing consent management service must be based in India and subject to Indian jurisdiction. The rationale is to ensure the Data Protection Board can effectively regulate and enforce against Consent Managers. Additionally, India may require localisation of certain data for oversight. Foreign tech firms could partner with or fund Indian startups to create Consent Managers, but they would need to ensure all Indian legal conditions (like data localisation, if any, and the aforementioned independence criteria) are met.

Q6. What data does a Consent Manager see or store?

A: A Consent Manager primarily stores metadata about consents – e.g., "User X consented to Y for purpose Z on date T" – and user account information needed for its service (like the user's name, contact, etc.). It is not supposed to store the actual personal data that is being shared between Data Fiduciaries, except transiently in encrypted form to transmit it. By rule, the Consent Manager must not be able to read the contents of the personal data being handled. So, for example, if a bank statement is passed through the Consent Manager, it should remain encrypted – the CM's system might technically route it from source to destination but without the ability to decrypt or store it. The Consent Manager will keep logs of transactions (for audit and user reference) but those logs contain references and timestamps, not the raw data. In essence, the Consent Manager deals in permissions and pointers, not in the full troves of personal data that the various Data Fiduciaries hold. This design minimises privacy risk and makes the Consent Manager's job focused on consent brokerage, not becoming another giant database of personal information.
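The "permissions and pointers, not data" design described above can be made concrete in code. The following is an added illustration written for this article, not code from the authors or from any real Consent Manager platform, and the hash-chained audit log is a design choice of the example rather than a requirement of the DPDP Rules. All names (the pseudonymous user id, bank.example, lender.example, the purpose string) and the encrypted payload are constructed. The Consent Manager records who consented to which fiduciary for which purpose, checks that consent is still active before relaying a payload, logs only a digest and length of the bytes it forwards, and can prove that its own log has not been rewritten.

```python
"""Toy model of a Consent Manager's data plane: consent metadata, a
tamper-evident audit log, and personal data handled only as an opaque
encrypted blob. Added illustration, not code from the article or from
any real Consent Manager platform."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # chain head before any entry is logged


@dataclass
class ConsentRecord:
    principal: str            # pseudonymous id the CM assigns the user
    fiduciary: str            # Data Fiduciary that relies on the consent
    purpose: str              # purpose the consent is limited to
    granted_at: int           # unix seconds, passed in by the caller
    withdrawn_at: Optional[int] = None


class ConsentManager:
    def __init__(self) -> None:
        self._consents: Dict[Tuple[str, str, str], ConsentRecord] = {}
        self._log: List[dict] = []  # append-only, each entry hash-chained
        self._head = GENESIS

    def _append(self, event: dict) -> None:
        # Every entry commits to the digest of the previous one, so editing,
        # dropping or reordering past entries is caught by verify_log().
        body = {"prev": self._head, **event}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self._log.append({**body, "digest": digest})
        self._head = digest

    def grant(self, principal: str, fiduciary: str, purpose: str, at: int) -> None:
        self._consents[(principal, fiduciary, purpose)] = ConsentRecord(
            principal, fiduciary, purpose, at)
        self._append({"event": "grant", "principal": principal,
                      "fiduciary": fiduciary, "purpose": purpose, "at": at})

    def withdraw(self, principal: str, fiduciary: str, purpose: str, at: int) -> None:
        self._consents[(principal, fiduciary, purpose)].withdrawn_at = at
        self._append({"event": "withdraw", "principal": principal,
                      "fiduciary": fiduciary, "purpose": purpose, "at": at})

    def is_active(self, principal: str, fiduciary: str, purpose: str, at: int) -> bool:
        rec = self._consents.get((principal, fiduciary, purpose))
        if rec is None or at < rec.granted_at:
            return False
        return rec.withdrawn_at is None or at < rec.withdrawn_at

    def relay(self, principal: str, source: str, destination: str, purpose: str,
              ciphertext: bytes, at: int) -> bytes:
        """Pass an encrypted payload from source to destination.

        The CM holds no decryption key. It checks that an active consent covers
        this destination and purpose, logs a digest and length, and forwards the
        bytes unchanged; the log can prove a transfer happened but not what it said.
        """
        if not self.is_active(principal, destination, purpose, at):
            self._append({"event": "refused", "principal": principal, "source": source,
                          "destination": destination, "purpose": purpose, "at": at})
            raise PermissionError(f"no active consent for {destination} / {purpose}")
        self._append({"event": "relay", "principal": principal, "source": source,
                      "destination": destination, "purpose": purpose, "at": at,
                      "sha256": hashlib.sha256(ciphertext).hexdigest(),
                      "bytes": len(ciphertext)})
        return ciphertext

    def verify_log(self) -> bool:
        prev = GENESIS
        for entry in self._log:
            body = {k: v for k, v in entry.items() if k != "digest"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != entry["digest"]:
                return False
            prev = entry["digest"]
        return prev == self._head

    def log_contains(self, needle: str) -> bool:
        """True if the serialised log contains `needle`; payloads never should."""
        return needle in json.dumps(self._log)


def demo() -> dict:
    """Grant, relay, withdraw, attempt another relay, then tamper with the log."""
    cm = ConsentManager()
    user, bank, lender, purpose = "dp-7f3a", "bank.example", "lender.example", "loan-underwriting"
    # Constructed stand-in for a bank statement already encrypted by bank.example
    # under a key shared only with lender.example; the CM never sees plaintext.
    blob = bytes.fromhex("9c4e21b7d0af5f2e83c6a1b4") * 4
    cm.grant(user, lender, purpose, at=1_700_000_000)
    forwarded = cm.relay(user, bank, lender, purpose, blob, at=1_700_000_100)
    cm.withdraw(user, lender, purpose, at=1_700_000_200)
    try:
        cm.relay(user, bank, lender, purpose, blob, at=1_700_000_300)
        refused = False
    except PermissionError:
        refused = True
    intact_before = cm.verify_log()
    leaks = cm.log_contains(blob.hex()) or cm.log_contains("statement")
    cm._log[0]["purpose"] = "marketing"  # an insider rewrites history...
    return {"forwarded_unchanged": forwarded == blob, "refused_after_withdrawal": refused,
            "log_intact": intact_before, "log_leaks_payload": leaks,
            "tamper_detected": not cm.verify_log(), "entries": len(cm._log)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points carry over to a real deployment. First, the consent key is (principal, fiduciary, purpose), so a consent given to a lender for underwriting does not authorise the same lender to pull the same data for marketing; a purpose mismatch is refused and logged. Second, the log entry for a relay holds a SHA-256 of the ciphertext and its length, which is enough for the user or an auditor to match a transfer against what the recipient received, but nothing from which the statement itself could be reconstructed.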

Q7. What if a Consent Manager mishandles data or is breached?

A: If a Consent Manager fails to protect personal data or misuses it, it faces serious consequences. Firstly, it would be in violation of its obligations (e.g. the security safeguard requirement), and the Board can investigate and impose penalties of up to INR 250 Crore for major breaches. The Board can also suspend or cancel its registration in the interest of Data Principals. A data breach by a Consent Manager must be reported to the Board and to affected users without delay, with a detailed report filed within 72 hours. Affected individuals can file complaints, and the Board can issue directions for redress (though the DPDP Act currently focuses on penalties rather than compensation). In short, a breach could effectively end a Consent Manager's business by costing it both user trust and its registration. Consent Managers are expected to implement state-of-the-art security precisely to avoid this. From a user perspective, if you suspect a Consent Manager mishandled your data, you should lodge a grievance with it and, if unsatisfied, complain to the Data Protection Board, which is empowered to inquire into such complaints and penalise the Consent Manager.

Q8. What are the penalties if a Consent Manager violates the rules?

A: The penalties range from monetary fines to deregistration. Monetary penalties are specified in the DPDP Act's Schedule – up to INR 50 crore for many violations, and higher (INR 200–250 Crore) for very critical ones like breach of children's data or large-scale security failures. For Consent Managers, likely fines for breach of obligations would be in tens of crores (exact amount depends on severity as decided by the Board). Additionally, the Board can revoke the Consent Manager's registration, effectively barring it from operation. The Board may also issue binding directions to remedy the harm (for example, ordering the CM to delete improperly collected data, or to notify all affected parties). Each instance of non-compliance can attract separate penalties, and persistent negligence would invite higher fines. It's also possible that Data Principals aggrieved by a Consent Manager could seek compensation through civil courts, but under DPDP the focus is regulatory penalties. In essence, a Consent Manager stands to lose a lot – financially and reputation-wise – if it doesn't rigorously follow the law.

Q9. Will there be multiple Consent Managers, and can they all access my data?

A: Yes, the framework envisions multiple Consent Managers competing or specialising in the market. They will all operate under the Data Protection Board's oversight, to the same standards, and are required to be interoperable. You, as a Data Principal, can choose any registered Consent Manager and sign up with it. Consent Managers do not have open access to your data; they only facilitate transfers that you explicitly authorise. If you use Consent Manager "A" exclusively, then only A will handle your consent transactions. If you use multiple (say A for finance-related consents, B for health), that is your choice, but there is no requirement to use more than one. Data Fiduciaries will interact with whichever Consent Manager their customers use. So, if one user comes via Consent Manager X and another via Y, the company will honour both through the interoperability mechanism. In short, multiple Consent Managers can exist, but each acts as your agent separately; they do not pool or share your information with each other unless you instruct a switch (portability between Consent Managers could be a feature in future, allowing you to transfer your consent log from one to another if you change services).

Q10. When will Consent Managers be available for use?

A: The DPDP Rules stipulate a phased implementation. The provisions regarding Consent Manager registration and obligations come into effect 12 months from the Rules' notification, i.e. by November 13, 2026. We can expect the Data Protection Board to start inviting applications for registration, possibly a few months before that date, so that by late 2026 the first Consent Managers are approved. Actual use by individuals might ramp up thereafter. Meanwhile, Data Fiduciaries have 18 months (till May 2027) to comply with all operational provisions, including integrating consent withdrawal links. So realistically, 2026-27 is when we will see Consent Managers go live and users gradually adopt them. Some pilot implementations (especially government-led ones in health or finance) might appear earlier on a trial basis. If you are a business, it would be wise to follow Board announcements in 2026 regarding certification standards and begin integration testing with any emerging Consent Manager platforms. If you are a user, you will start hearing about these services towards 2027 as companies and regulators promote the concept for easier data control.

For more information, refer to our Guide:

https://www.akandpartners.in/_files/ugd/077257_971dfc2631e44aa1a48ede358d07a95f.pdf

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
