India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) introduces a novel regulated intermediary: the Consent Manager. The Digital Personal Data Protection Rules 2025 (“DPDP Rules”) further clarify the role and obligations of a Consent Manager and stipulate the conditions for registration of a Consent Manager with the Data Protection Board of India (“Board”).
The concept of a Consent Manager builds on India’s established Data Empowerment and Protection Architecture (“DEPA”) and its implementation in the financial sector via the Account Aggregator (“AA”) system. DEPA is a design framework for user‑centric, consented data sharing that standardises “just‑in‑time” consent artefacts for specific, limited purposes, with strong auditability. The AA system is the Reserve Bank of India’s regulated implementation of DEPA in finance, whereby licensed AAs orchestrate consented, purpose‑specific data flows between financial institutions—acting as a sealed, data‑blind conduit rather than a data store.
What a consent manager is and is not
A Consent Manager is defined under the DPDP Act as a person registered with the Board, who acts as a single point of contact to enable a data principal to give, manage, review, and withdraw consent across multiple data fiduciaries. Critically, it also enables secure data portability, acting as a sealed courier that transports data between entities without being able to access and read the underlying personal data.
The DPDP Rules clarify that a consent manager must operate an interoperable, user‑facing website or app that:
- relays consent requests from data fiduciaries to data principals, records the consents granted by data principals and the privacy notices preceding or accompanying the request for consent, and routes both the consent and, where applicable, the requested personal data to the transferee fiduciary;
- facilitates data portability either from the data principal directly or from a data fiduciary holding the personal data of the data principal (based on the data principal’s prior consent), to a requesting fiduciary. In doing so, the consent manager must use a “data‑blind” transport layer so that it cannot read the contents of the data package in transit; and
- provides a single dashboard for the data principal to review historical consents, modify or withdraw consent granularly at any time, and access records of notices and
Core duties and operating standards of a consent manager
Once registered with the Board, a consent manager assumes direct statutory obligations that are both user‑protective and systems‑oriented. The obligations of a consent manager include:
- Fiduciary posture and conflicts: acting in a fiduciary capacity towards data principals and avoiding conflicts with onboarded data fiduciaries, including conflicts in respect of its promoters or key managerial personnel.
- Interoperable platform and UX: building and maintaining an accessible, interoperable platform (website/app) through which data principals give, manage, and withdraw consent, enabling just‑in‑time consent for specific purposes and proximate uses, supporting multi‑language interfaces consistent with India’s constitutional language schedule, and making the withdrawal of consent as easy as the granting of consent.
- Data‑blind portability: personal data routed through the consent manager platform must not be readable by the consent manager. The platform serves as a data‑blind switch—like a sealed courier—rather than a data store.
- Tamper‑evident records: maintaining comprehensive records of privacy notices provided to the data principal, consent grants/denials/withdrawals, and data‑sharing events, providing data principals access to such records on request, and retaining such records for at least seven years or longer where lawfully required or agreed.
- Security and audit: implementing reasonable security safeguards to prevent a personal data breach and effective audit mechanisms covering technical and organisational controls, and reporting audit outcomes to the Board at prescribed intervals and on
- Grievance and verification: providing a grievance redressal interface for data principals and supporting real‑time validation of consent status by fiduciaries via secure
- No subcontracting and Board approval for change in control: subcontracting or assignment of the obligations of a consent manager is prohibited, prior Board approval must be obtained before any transfer of control of a consent manager (whether by sale, merger or otherwise), and such transfer could be subject to conditions the Board may
- Transparency: publishing on its website or app, information regarding: (i) its promoters, directors, key managerial personnel, and senior management; (ii) every person holding shares in excess of 2% of its shareholding; (iii) every body corporate in which the promoters, directors, and key managerial personnel or senior management of the consent manager have a shareholding of more than 2%.
- Grievance Redressal: providing a readily available means to data principals to submit grievances in relation to any act or omission of a consent manager regarding performance of its obligations related to processing of personal data of such data principal. A consent manager is obligated to respond to such grievances within 90
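The data‑blind switch, the tamper‑evident record and the real‑time consent check described in the bullets above can be sketched as a small program. What follows is an added example written for this page; it is not the article’s content and not the software of any registered consent manager or of the AA ecosystem. The fiduciary names, the data principal identifier, the keys and the sample bank statement are constructed, and the HMAC‑based cipher helper is an illustrative stand‑in for a real AEAD that the two fiduciaries would share between themselves.

```python
# Added example (not from the article nor from any registered consent manager): a
# data-blind relay in front of a hash-chained consent ledger. Names, keys and the
# sample record are constructed; the cipher helper stands in for a real AEAD.
import hashlib, hmac, json, secrets, time

def _keystream(key_enc, nonce, length):
    """PRF counter mode over HMAC-SHA256 (illustrative stand-in, not AES-GCM)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key_enc, key_mac, plaintext):
    """Encrypt-then-MAC between the two fiduciaries; the relay only ever sees this."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key_enc, nonce, len(plaintext))))
    tag = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def unseal(key_enc, key_mac, env):
    # Receiving fiduciary checks the tag before decrypting.
    nonce, ct = bytes.fromhex(env["nonce"]), bytes.fromhex(env["ct"])
    expected = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(bytes.fromhex(env["tag"]), expected):
        raise ValueError("package altered in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key_enc, nonce, len(ct))))

class ConsentLedger:
    """Append-only record; each entry commits to the hash of its predecessor."""
    GENESIS = "0" * 64
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **event):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "prev": prev, "ts": time.time(), **event}
        self.entries.append(dict(body, hash=self._digest(body)))
        return self.entries[-1]

    def verify(self):
        """Recompute the chain; an edited, dropped or reordered entry breaks it."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def status(self, principal, fiduciary, purpose):
        """Latest grant or withdrawal wins: 'none', 'granted' or 'withdrawn'."""
        state = "none"
        for e in self.entries:
            if (e["principal"], e["fiduciary"], e["purpose"]) == (principal, fiduciary, purpose):
                state = {"grant": "granted", "withdraw": "withdrawn"}.get(e["type"], state)
        return state

class ConsentManager:
    """Data-blind switch: holds the ledger and consent state, never a data key."""
    def __init__(self):
        self.ledger = ConsentLedger()

    def record(self, kind, principal, fiduciary, purpose, **extra):
        return self.ledger.append(type=kind, principal=principal, fiduciary=fiduciary,
                                  purpose=purpose, **extra)

    def route(self, principal, sender, receiver, purpose, env):
        """Forward a sealed package only while consent for (receiver, purpose) is live."""
        if self.ledger.status(principal, receiver, purpose) != "granted":
            raise PermissionError(f"no live consent for {receiver}/{purpose}")
        digest = hashlib.sha256(bytes.fromhex(env["ct"])).hexdigest()  # ciphertext only
        self.record("share", principal, receiver, purpose, sender=sender, package_sha256=digest)
        return env

def demo():
    """One portability flow: bank A ships a statement to lender B; returns observations."""
    cm, dp, fid, purpose = ConsentManager(), "dp-001", "lender-B", "credit-underwriting"
    k_enc, k_mac = secrets.token_bytes(32), secrets.token_bytes(32)  # shared by A and B only
    statement = b'{"account":"XXXX1234","balance":"42000.00"}'      # constructed sample record
    out = {"before": cm.ledger.status(dp, fid, purpose)}
    try:
        cm.route(dp, "bank-A", fid, purpose, seal(k_enc, k_mac, statement))
        out["blocked_before_grant"] = False
    except PermissionError:
        out["blocked_before_grant"] = True
    notice = "Lender B will use six months of statements to assess your loan."
    cm.record("notice", dp, fid, purpose, notice_sha256=hashlib.sha256(notice.encode()).hexdigest())
    cm.record("grant", dp, fid, purpose)
    env = cm.route(dp, "bank-A", fid, purpose, seal(k_enc, k_mac, statement))
    out["relay_blind"] = b"42000" not in bytes.fromhex(env["ct"])
    out["receiver_reads"] = unseal(k_enc, k_mac, env) == statement
    cm.record("withdraw", dp, fid, purpose)
    out["chain_ok"] = cm.ledger.verify()
    cm.ledger.entries[1]["purpose"] = "marketing"  # simulate an edit to the stored grant
    out["tamper_detected"] = not cm.ledger.verify()
    return out
```

Two design choices carry the bullets’ intent. The relay never receives a data key, so the only thing it can log about a transfer is a digest of the ciphertext, which still lets an auditor tie a sharing event to a specific package. Consent status is not a mutable flag but is derived by replaying the ledger, so the grant, the notice that preceded it and the later withdrawal are themselves part of the hash chain that `verify()` checks.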
Notably, the DPDP Rules do not mandate that data fiduciaries use a consent manager. Data fiduciaries may continue to obtain consent directly (and without engaging a consent manager) if they can meet the DPDP Act’s notice, consent, withdrawal, and record‑keeping standards independently.
In practice, however, it is possible that sectoral ecosystems that rely on cross‑entity data flows (financial services, health, public benefits, credit underwriting, etc.) will gravitate to consent managers because they provide a common portability fabric with auditability and user control.
Conditions for registration
To register as a consent manager under the DPDP Act and DPDP Rules, an entity must satisfy the Board—up front and on an ongoing basis—that it can operate a trusted, interoperable consent platform. Additionally, a consent manager must be a company incorporated in India with adequate technical, operational and financial capacity; have sound financial condition and governance; and maintain a minimum net worth of INR 2 crore, with capital structure, earning prospects and likely business volume that are commensurate with the role. Further, a consent manager’s directors, key managerial personnel and senior management must have a reputation for fairness and integrity, and its memorandum and articles of association must hard‑wire compliance with the conflict‑of‑interest and fiduciary duties prescribed for consent managers under the DPDP Rules and make those provisions amendable only with the Board’s prior approval. Critically, to register as a consent manager, an independent certification must confirm that the relevant entity’s interoperable platform for granting, managing, reviewing and withdrawing consent aligns with the data‑protection standards and assurance framework the Board publishes, and that appropriate technical and organisational measures are in place to comply with the obligations prescribed for consent managers under the DPDP Rules.
Liability and enforcement
A registered consent manager is “accountable to the data principal” and subject to the Board’s inquiry for its own breaches. The DPDP Act prescribes a monetary penalty of up to INR 50 crores for non‑compliance by Consent Managers. Beyond monetary penalties, the Board may direct cure, suspend or cancel the registration of a consent manager, and issue protective directions in the interests of data principals.
Way Forward
The consent manager framework under the DPDP Act and DPDP Rules formalises a trusted mechanism for data principals to manage their consents and for data fiduciaries (particularly those processing large volumes of personal data or lacking a direct interface with data principals) to ensure compliance with the consent and notice requirements under the law. Designating a consent manager can enable seamless portability of personal data between data fiduciaries, help data fiduciaries demonstrate compliance by maintaining auditable records of consents obtained and privacy notices provided, simplify audit readiness, and reduce duplicative consent friction.
In short, the consent manager is India’s cross‑sector data‑portability switch, wrapped in a fiduciary duty to the data principal. It turns consent from a once‑and‑done checkbox into a just‑in‑time, auditable control at the moment of data movement, aligning privacy with utility.