Independence and Fiduciary Duty of Consent Managers
DATA PRIVACY
The Digital Personal Data Protection (DPDP) Rules establish a robust governance framework for Consent Managers, underscoring their role as neutral intermediaries within the consent ecosystem. Central to this framework is the imposition of stringent obligations relating to independence, transparency, and accountability. These requirements are designed to reinforce the fiduciary character of Consent Managers and to mitigate structural conflicts that could undermine trust in consent-based data processing.
Conflict of Interest Safeguards
A cornerstone of the regulatory architecture is the requirement that Consent Managers maintain strict independence from Data Fiduciaries. To this end, the Rules prohibit situations where directors, key managerial personnel (KMP), or senior management of a Consent Manager have interests that could compromise impartiality.
Specifically, a Consent Manager must ensure that none of its leadership personnel:
Hold directorship positions in any Data Fiduciary;
Possess financial or beneficial ownership interests in Data Fiduciaries;
Maintain employment or advisory relationships with Data Fiduciaries; or
Engage in any material pecuniary relationship with Data Fiduciaries.
These safeguards aim to prevent conflicts that could distort the Consent Manager’s role as a trusted fiduciary acting in the best interests of Data Principals. By structurally separating Consent Managers from Data Fiduciaries, the Rules seek to ensure that consent facilitation remains unbiased and free from commercial influence.
Transparency and Disclosure Obligations
To complement the independence mandate, the DPDP Rules impose comprehensive disclosure obligations on Consent Managers. These requirements enhance accountability and enable both regulatory authorities and the public to scrutinize governance structures.
Consent Managers are required to make the following information readily accessible—typically through their website or application interface:
Details of promoters, directors, KMP, and senior management;
Information on shareholders holding more than 2% equity in the entity; and
Disclosures of any body corporate in which promoters, directors, KMP, or senior management hold more than 2% shareholding, as determined on the first day of the preceding calendar month.
This level of transparency serves multiple purposes. It promotes informed stakeholder engagement, facilitates regulatory oversight, and deters the emergence of undisclosed relationships that could give rise to conflicts of interest. In effect, it operationalizes the principle that trust in digital consent mechanisms must be grounded in visibility and openness.
Restrictions on Change of Control
Further reinforcing governance integrity, the Rules impose strict conditions on any transfer of control of a Consent Manager. Whether through merger, acquisition, or any other form of restructuring, a change in control cannot be effected without prior approval from the Data Protection Board.
This requirement ensures continuity in compliance standards and prevents the circumvention of regulatory safeguards through indirect ownership changes. It also allows the Board to assess the suitability of new controlling entities, particularly with respect to their independence and alignment with the fiduciary obligations imposed under the DPDP framework.
Conclusion
Taken together, these provisions reflect a deliberate regulatory effort to position Consent Managers as trustworthy custodians within India’s data protection ecosystem. By embedding independence, mandating transparency, and controlling ownership transitions, the DPDP Rules seek to preserve the integrity of consent as a lawful basis for data processing. As the framework evolves, the effectiveness of these safeguards will depend on rigorous enforcement and continued vigilance against emerging forms of conflict and influence.
Related Stories
Decode Legal © 2026
Decode Legal empowers the next generation of lawyers to unravel complex legal issues.
Reframe your inbox
Subscribe to our newsletter and never miss an article.
We care about your data in our privacy policy.