Consent Managers represent a structural innovation aimed at operationalizing user autonomy at scale. By acting as regulated intermediaries between individuals and data fiduciaries, they seek to address long-standing inefficiencies in fragmented consent ecosystems and establish a unified, interoperable consent architecture.
Statutory Basis and Definition
The DPDP Act defines a Consent Manager as a person registered with the Data Protection Board of India who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.
This formulation highlights three defining elements:
Regulated intermediary status (registration with the Board)
User-centric functionality (control remains with the Data Principal)
Interoperable technology architecture (across multiple data fiduciaries)
Unlike traditional consent mechanisms embedded within individual applications, Consent Managers create a centralized and auditable consent layer, enabling individuals to manage permissions across multiple platforms.
Conceptual Role in the DPDP Ecosystem
Consent Managers function as neutral conduits between:
Their core role is to facilitate, not determine, consent. They do not access or read personal data, serving instead as a “data-blind” transmission layer. They relay consent requests, record user decisions, and transmit them securely.
This design principle distinguishes Consent Managers from both data fiduciaries and processors, positioning them closer to regulated digital infrastructure (e.g., Account Aggregators in the financial sector).
Are Consent Managers Mandatory?
Notably, the DPDP framework does not mandate the use of Consent Managers. Data fiduciaries may continue to obtain consent directly, subject to compliance with statutory requirements.
However, in practice, Consent Managers are expected to gain traction in data-intensive sectors such as financial services, healthcare, and e-commerce, owing to the complexity of multi-party data sharing and user expectations of control.
Core Obligations of Consent Managers
The DPDP framework imposes a detailed set of obligations (largely under Part B of the First Schedule to the Rules). Key compliance requirements include:
1. User Empowerment and Accessibility
Provide tools enabling Data Principals to give, manage, and withdraw consent seamlessly
Ensure accessible interfaces via apps or websites
Provide Data Principals access to consent records
2. Data Minimisation and “Data-Blind” Operations
3. Record-Keeping and Retention
4. Security Safeguards
5. Non-Delegability of Core Functions
Consent Managers represent one of the most innovative features of India’s DPDP Act—signaling a shift from entity-driven consent models to user-centric consent infrastructure. However, their ultimate success will depend on robust implementation and ecosystem-wide adoption.