This article is part of a series examining the features of India’s Digital Personal Data Protection Act, 2023 that are unique to, or diverge from, the GDPR.

India’s Digital Personal Data Protection Act, 2023 (DPDPA) represents a new phase in the country’s data protection landscape. While inspired by global frameworks such as the GDPR, it introduces several of its own institutional and procedural mechanisms. One of the most notable among them is the Consent Manager, which signals a uniquely Indian approach to operationalizing consent.

What Exactly Is a Consent Manager?

Under the DPDPA, a ‘Consent Manager’ is a registered entity serving as a centralized, interoperable platform through which individuals (known as ‘Data Principals’ under the DPDPA) can give, review, manage, or withdraw consent in a transparent and user-friendly manner. Unlike the GDPR or CCPA, which place the burden of consent management directly on businesses, the DPDPA introduces a regulated intermediary model, enabling Data Principals to interact with Data Fiduciaries (the DPDPA equivalent of data controllers) through authorized Consent Managers. The Consent Manager acts as a trusted intermediary between Data Principals and Data Fiduciaries and aims to simplify and standardize how consent is managed across the digital ecosystem.

The DPDPA states that a Consent Manager may be any “person” which it defines to include individuals and incorporated as well as non-incorporated entities. However, the draft Digital Personal Data Protection Rules, 2025 (Draft Rules) clarify that a Consent Manager must, amongst other things:

  • Be an Indian-incorporated company,
  • Possess a minimum net worth of ₹2 crore (≈€195,000), and
  • Obtain formal approval and registration from the Indian data protection supervisory authority (Board).

Thus, while the DPDPA seems to permit individuals, firms, or associations to serve as Consent Managers, the Draft Rules effectively limit this role to corporate entities with sufficient financial and operational stability. While this approach reflects an effort to institutionalize trust through corporate accountability and regulatory oversight, it remains to be seen whether the final version of the Draft Rules makes any changes to these requirements.

The idea behind having in place a consent management system can be traced all the way back to 2017 when talks of implementing a central data protection law first got under way. During this time, a system that would allow users to view and manage all their consents in one place rather than interact separately with each company was first envisioned. Almost eight years later, the DPDPA now gives that vision a legal foundation.

The Power (and Paradox) of the Model

The concept of a Consent Manager is not a novel one in the Indian context. India’s apex banking institution, the Reserve Bank of India, has already provided for an ‘account aggregator framework’ which similarly facilitates consent-based data sharing between customers and financial institutions. The DPDPA adapts this approach for personal data across sectors, signaling a broader move toward regulated intermediaries that enhance both transparency and accountability.

What distinguishes the Consent Manager from other intermediaries is its dual accountability structure. Though appointed by Data Fiduciaries, it acts on behalf of and in the interest of Data Principals. The DPDPA explicitly requires the Consent Manager to “act in a fiduciary capacity in relation to the Data Principal”. This therefore creates a unique fiduciary duty, one where a company’s intermediary must, paradoxically, act in the interest of the person whose data is being processed.

How Does It Work in Practice?

The Draft Rules illustrate two simple cases using a fictional Consent Manager platform, “P,” and two banks, “B1” and “B2”:

Direct Consent:

A user, X, gives consent through P to B1, allowing it to process her bank account data stored in her digital locker.

Routed Consent:

X routes consent through her existing bank, B2, instructing B2 via P to share her account data with B1.

In both cases, the Consent Manager acts as the orchestrator of trust and control, enabling X to manage her data flows without having to navigate each bank’s internal processes herself. The Draft Rules require the Consent Manager to establish and maintain a website or mobile application, or both, to serve as the primary channel through which Data Principals access its services.

Record-keeping and Compliance Obligations

The DPDPA and its Draft Rules impose extensive record-keeping and transparency requirements. Consent Managers must maintain, for at least seven years, records of:

  • All consents given, denied, or withdrawn,
  • Notices accompanying consent requests, and
  • Data sharing activities with transferee fiduciaries.

Data Principals must have direct access to these records, and the information must be exportable in machine-readable form. The Draft Rules further require that any personal data the Consent Manager makes available or facilitates for sharing be transmitted in a form that the Consent Manager itself cannot read; in other words, it orchestrates the flow of data between the parties without becoming privy to its contents.

In addition, Consent Managers are required to:

  • Operate via a public website or mobile app,
  • Maintain robust technical and organizational security safeguards,
  • Not sub-contract or assign the performance of any of its obligations,
  • Conduct periodic audits, and
  • Disclose corporate ownership and governance structures in a transparent manner.

This regulatory approach combines elements of GDPR-style accountability with India’s sectoral licensing framework, similar to the oversight currently applied to financial or payment intermediaries in the country.

Rights and Redressal

The DPDPA grants Data Principals the right to grievance redressal against the Consent Manager for non-performance or breach of duty. Consent Managers must specify, on their website or app, the time period for responding to such grievances and demonstrate that their systems can ensure compliance within that period.

While the DPDPA does not prescribe a fixed timeframe for responding to grievances, it remains to be seen whether the final Rules will adopt a 30-day response standard, in line with several international frameworks, or leave the timeframe undefined.

Non-compliance carries significant consequences: the Board may suspend or revoke registration, impose monetary penalties, or issue binding remedial directions to safeguard Data Principals’ interests. This marks a shift from traditional privacy models, where such liability typically rests with Data Fiduciaries.

Beyond Compliance: A Shift in Power Dynamics

The concept of Consent Managers is unique to Indian law. Neither the GDPR nor other data protection laws have institutionalized a comparable consent-management intermediary. By giving individuals a practical way to exercise control, the DPDPA reimagines what digital consent could mean in a country of 1.4 billion people. If implemented well, Consent Managers could transform consent from a checkbox into a living relationship, one defined by transparency, interoperability, and user empowerment.

Although appointing a Consent Manager is not mandatory, Data Fiduciaries are likely to adopt them to benefit from interoperability and streamlined compliance. Over time, this framework could also lay the groundwork for data portability, even though the DPDPA does not explicitly provide for it at present.

Challenges and Open Questions

While in theory the concept of Consent Managers makes sense, there appear to be certain operational and conceptual uncertainties at the outset. The Draft Rules lack clarity on several key points:

  • Interoperability: How will different Consent Managers communicate or transfer data between their platforms? To what extent would this be allowed?
  • Eligibility: Can existing account aggregators or identity verification providers transition into Consent Managers?
  • Fiduciary duty and certification: What does it mean, in practice, for Consent Managers to act in a “fiduciary capacity” or to self-certify compliance?

The DPDPA envisions interoperability across diverse sectors, for example, finance, healthcare, e-commerce, telecom, each with distinct technical standards and consent formats. Creating a unified, industry-spanning infrastructure will demand substantial coordination and regulatory guidance.

For businesses, integration will likely entail technical upgrades, data synchronization, and financial investment. For individuals, the user experience may depend on finding a Consent Manager that actually covers all relevant Data Fiduciaries, an issue that could fragment the system if multiple competing platforms emerge. Depending on which Consent Manager collects consent for which Data Fiduciary, individuals may end up liaising with several Consent Managers, which raises the question of whether the envisaged consent management structure is ultimately convenient for them.

Looking Ahead

The promise of the Consent Manager lies in its ambition, but its success will hinge on execution. Without clear standards for interoperability, independence, and fiduciary responsibility, this innovation risks becoming another layer of bureaucracy rather than a true instrument of empowerment. The challenge for law makers and regulators will be to ensure that the Consent Manager does not merely centralize consent but also decentralizes control back to the individual. Ultimately, only time will tell.