MARCH 03 , 2025

By M G Kodandaram, IRS. Assistant Director (Retd) ADVOCATE and CONSULTANT

THE Digital Personal Data Protection Act, 2023 (DPDP Act)¹, which is yet to be implemented, aims to revolutionize the regulation and protection of personal data in India. One of its most transformative provisions is the introduction of the "Consent Manager," a designated intermediary that grants Data Principals greater control over their personal data. These entities serve as a crucial link between Data Principals - individuals whose data is being processed - and Data Fiduciaries, the organizations managing that data. By streamlining the consent process, Consent Managers are expected to enhance the ease and effectiveness of data management for individuals.

The idea of a consent manager can be traced back to the Srikrishna Committee Report of 2017, a document guiding the formulation of the DPDPA. It envisioned a consent manager as a trusted intermediary who would operate a "dashboard" between users and businesses and facilitate users to select their consent preferences from a range of options. Data Empowerment and Protection Architecture (DEPA) document, published by NITI Aayog, guides the technical aspects of consent dashboards. In India, models similar to the DPDPA's consent manager have already been implemented in the financial and health sectors, which may provide a useful reference point for how consent managers might operate under the DPDPA.

Consent Managers function independently, operating through digital platforms that facilitate the granting, modification, or withdrawal of consent in a transparent and efficient manner. Given the increasing concerns about data privacy in the digital age, these managers prioritise user-centric approaches, ensuring individuals have full autonomy over their personal information.

To ensure reliability and accountability, all Consent Managers must be registered with the Data Protection Board of India (DPBI or Board), which regulates their activities and compliance with the law. As per Section 2(g) of the DPDP Act, a Consent Manager is "a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw individual's consent through an accessible, transparent, and interoperable platform." This definition underlines their central role in facilitating consent throughout its lifecycle, positioning them as a basis of data autonomy. Consent, as per Section 6(1), must be "free, specific, informed, unconditional, and unambiguous with a clear affirmative action," and Consent Managers are instrumental in ensuring these principles are effectively implemented rather than remaining theoretical ideals.

The importance of Consent Managers is further reinforced by Section 6(7), which grants Data Principals the explicit right to "give, manage, review, or withdraw her consent to the Data Fiduciary through a Consent Manager." This marks a substantial shift from a system where Data Fiduciaries exclusively managed consent, placing greater control in the hands of Data Principals. Section 6(8) further mandates that a Consent Manager "shall be accountable to the Data Principal and shall act on her behalf," thereby creating a fiduciary duty of loyalty and care, reinforcing the Consent Manager's role as a guardian of individual data rights.

The DPDP Act also establishes a structured regulatory framework for Consent Managers. Section 6(9) mandates registration with the Board and compliance with conditions related to technical, operational, and financial standards. The Digital Personal Data Protection Rules, 2025² (DPDP Rules), being circulated for comments in draft form, provide further details, with Rule 4 and the First Schedule specifying the requirements for registration. Part A of the First Schedule stipulates that only entities with sufficient financial and operational capacity - demonstrated through a net worth of at least INR 2 crore - can qualify as Consent Managers. The ethical integrity of personnel involved is also emphasized, ensuring that these entities uphold high standards of data protection.

Beyond registration of consent managers, the Act incorporates mechanisms for monitoring and enforcement. Section 27(1) empowers the Board to investigate breaches by Consent Managers based on complaints from Data Principals (Section 27(1)(c)) and to impose penalties for non-compliance (Section 27(1)(d)). Rule 4(4) allows the Board to scrutinize violations, and Rule 4(5) enables it to suspend or revoke a Consent Manager's registration if necessary. These provisions serve as essential checks and balances, ensuring that Consent Managers uphold their responsibilities effectively.

Further, the role of Consent Managers strengthens Data Principals' grievance redressal mechanisms. Section 13 of the Act mandates that individuals must first seek resolution through the Data Fiduciary or the Consent Manager before escalating matters to the Board. Rule 13(1) further requires Consent Managers to publish clear guidelines on how Data Principals can exercise their rights, reinforcing accessibility and transparency. Rule 13(3) sets timelines for grievance resolution, ensuring a user-friendly and efficient redressal process.

Interoperability is a key feature of Consent Managers. Part A of the First Schedule requires their platforms to align with standardized data protection frameworks established by the Board. By providing Data Principals with a unified interface to manage consent across multiple Data Fiduciaries, Consent Managers alleviate the fragmentation currently present in consent management, thereby enhancing user convenience and control.

A primary function of Consent Managers is to present consent requests in a clear and understandable manner, eliminating the complexity often associated with lengthy legal documents. Additionally, they maintain secure digital records of all consents, serving as verifiable proof of authorization. A centralized dashboard allows users to review and manage their consents efficiently, ensuring easy withdrawal whenever felt necessary by the principal.

Despite the advantages, the Consent Manager system faces several challenges. Industry-wide adoption may require more time, and businesses will need to integrate these entities into existing data management frameworks. Given that Consent Managers handle sensitive consent data, also act as fiduciaries, and, therefore, robust cybersecurity measures are essential to prevent breaches and unauthorized access. Regulatory oversight by the Board is crucial to maintaining the integrity of the system, and widespread public awareness campaigns will be necessary to educate users about their rights and the role of Consent Managers.

The success of this system hinges on effective implementation and strict compliance. The Board carries the responsibility of maintaining a robust ecosystem through regular audits and supervision. Moreover, public awareness is vital to ensure Data Principals fully utilize their rights under the DPDP Act.

It is prudent to realise that the Consent Manager under the Act is more than just a technical intermediary - it represents a paradigm shift toward a data-principal-centric framework. The introduction of consent manager platforms presents a lucrative business opportunity for both startups and established companies, driven by the growing emphasis on data privacy and regulatory compliance. With stringent laws like GDPR, CCPA, and India's Data Protection Act requiring businesses to obtain and manage user consent transparently, organizations increasingly need reliable solutions to handle consent efficiently. A consent manager platform can offer services such as user-friendly consent collection, granular preference management, secure data storage, and seamless integration with various digital platforms. Companies that develop scalable and compliant consent management solutions can tap into a rapidly expanding market, catering to enterprises across industries like finance, healthcare, e-commerce, and technology. As data privacy awareness grows among consumers, businesses prioritizing ethical data practices will seek robust consent management tools, making this a sustainable and high-demand venture.

By empowering individuals with control over their data, acting as a counterbalance to Data Fiduciaries, and adhering to stringent registration and accountability protocols, Consent Managers play a crucial role in ensuring data privacy and security. The long-term success of the DPDP Act depends on the effectiveness of the Consent Manager system, public engagement, and proactive regulatory oversight to address emerging challenges in an evolving digital landscape.

[The views expressed are strictly personal.]

¹ https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf

² https://static.mygov.in/innovateindia/2025/01/03/mygov-999999999568142946.pdf