The DPDPA introduces Consent Managers as registered intermediaries that enable data principals to manage consent across multiple data fiduciaries. This novel framework creates new compliance interfaces for organisations integrating with Consent Manager platforms. Understanding the registration requirements and operational obligations is essential.
What is a Consent Manager
Section 2(g) defines a Consent Manager as a person registered with the Data Protection Board who enables data principals to give, manage, review, and withdraw consent through accessible, transparent, and interoperable platforms. Consent Managers act as intermediaries between data principals and data fiduciaries, centralising consent management across multiple relationships.
Key Points
- Registered with DPB
- Enables consent management
- Interoperable platform
- Data principal agent
Registration Requirements
Rule 4 prescribes registration requirements, including technical capability to ensure interoperability, financial stability demonstrated through net worth requirements, absence of conflict of interest with data fiduciaries, and operational transparency. Registration is mandatory before operating as a Consent Manager. Unregistered operation constitutes a violation.
Consent Manager Obligations
Registered Consent Managers must maintain transparency about their operations, ensure data principal identity verification, provide accessible interfaces for consent management, maintain accurate consent records, notify data fiduciaries of consent actions, and operate on a fiduciary basis, prioritising data principal interests.
Key Points
- Identity verification
- Accurate record keeping
- Fiduciary duty to data principals
- Interoperability maintenance
Integration for Data Fiduciaries
Data fiduciaries must accommodate consent management through Consent Managers. This requires API integration for consent verification, acceptance of requests authenticated by a Consent Manager, and real-time response to consent withdrawal notifications. Technical interoperability standards are awaited from the Board.
Key Takeaways
- Monitor Consent Manager registration announcements
- Develop API capability for Consent Manager integration
- Design systems accepting external consent signals
- Prepare for interoperability standard compliance
- Assess whether to become a registered Consent Manager
