AMLEGALS
Consent Manager — Section 6 + Rules 3-4

Consent Manager under DPDPA

The Consent Manager is a new regulatory entity created by DPDPA — a registered intermediary that enables Data Principals to give, manage, and withdraw consent across multiple Data Fiduciaries through a single platform. Rules 3-4 of the DPDP Rules 2025 prescribe registration, eligibility, and operational obligations.

Section 6(4) | Rule 3 | Rule 4 | Interoperability | Board Registration

The Consent Manager is DPDPA’s most distinctive institutional innovation. Unlike GDPR, which relies on Data Protection Officers and Supervisory Authorities, DPDPA creates a separate registered entity whose sole function is consent intermediation. This entity is accountable to Data Principals, not Data Fiduciaries.

Consent Manager Registration Process

01. Entity Eligibility Assessment

Verify incorporation in India, minimum net worth, governance structure, and absence of conflicts of interest with prospective Data Fiduciary clients.

02. Technical Platform Development

Build a consent management platform that meets interoperability, security, availability, and performance standards. Implement consent artefact creation, modification, and withdrawal mechanisms.

03. Application Preparation

Compile documentation including technical architecture, governance framework, financial statements, conflict of interest declarations, and operational policies.

04. Board Application & Assessment

Submit the application to the Data Protection Board of India. The Board evaluates it against prescribed criteria: technical capability, financial soundness, governance, and independence.

05. Registration & Ongoing Compliance

Upon Board approval, commence operations subject to registration conditions. Submit to periodic audits, maintain interoperability standards, and comply with Board directions.

6 Core Obligations of a Consent Manager

Consent Lifecycle Management

Enable Data Principals to give, manage, review, and withdraw consent for each Data Fiduciary and each processing purpose. Consent withdrawal must cascade to all downstream processors in real time.

Section 6(4), Rule 4

Interoperability

Consent Managers must be interoperable — Data Principals should be able to switch between Consent Managers without losing their consent records. This requires standardised consent artefact formats and API-based data portability.

Rule 4

Audit Trail & Transparency

Maintain verifiable records of every consent given, modified, or withdrawn, including timestamp, purpose, Data Fiduciary identity, and Data Principal acknowledgement. These records serve as evidence in enforcement proceedings.

Section 6, Rule 4

Conflict of Interest Prohibition

Consent Managers must not have any interest that conflicts with their role as a neutral intermediary. This includes financial relationships with Data Fiduciaries that could compromise independence.

Rules 3-4

Accountability to Data Principals

The Consent Manager is accountable to Data Principals — not to Data Fiduciaries. This reversal of the typical B2B relationship creates a unique regulatory position where the entity's primary obligation runs to the individual, not the paying client.

Section 6(5)

Technical Standards Compliance

Meet Board-prescribed technical standards for platform availability, security, data protection, and performance. The platform must handle consent transactions at scale without degradation.

Rules 3-4

What Data Fiduciaries Need to Know

Integration Requirement

Data Fiduciaries must be prepared to integrate with registered Consent Managers. When a Data Principal chooses to manage consent through a Consent Manager, the Fiduciary must honour consent artefacts issued by that Manager — including withdrawal signals.

Consent Validity

Consent given through a registered Consent Manager has the same legal validity as consent given directly to the Data Fiduciary. Fiduciaries cannot reject consent artefacts from registered Consent Managers or require separate direct consent.

Withdrawal Cascade

When a Data Principal withdraws consent through a Consent Manager, the withdrawal signal must reach the Data Fiduciary and all downstream processors promptly. Fiduciaries must implement technical mechanisms to receive and act on withdrawal signals.

Not a Substitute for Compliance

Using a Consent Manager does not transfer the Fiduciary's compliance obligations. The Fiduciary remains responsible for all processing, security safeguards, breach notification, and Data Principal rights. The Consent Manager only handles consent intermediation.

Consent Manager Advisory

Whether you are building a Consent Manager platform, integrating with one, or advising clients on consent architecture — AMLEGALS brings 27 years of regulatory experience to this new institutional framework under DPDPA.

Insights & Answers

What practitioners and boards are asking

What is a Consent Manager under DPDPA?

A Consent Manager under DPDPA is a registered entity that acts as a single point of contact for Data Principals to give, manage, review, and withdraw consent across multiple Data Fiduciaries. Section 6 enables consent through Consent Managers, and Rules 3-4 of the DPDP Rules 2025 prescribe registration, eligibility, obligations, and technical requirements. Consent Managers must be interoperable, maintain audit trails, and avoid conflicts of interest, and they are accountable to Data Principals, not Data Fiduciaries. This is DPDPA's most distinctive institutional innovation compared to GDPR. AMLEGALS advises on Consent Manager registration, platform development, and Data Fiduciary integration.