Skip to Content
CKonnect
  • Home
  • CourseKonnect
    • e-learning
    • Udemy
    • learning (Old LMS)
  • Career
    • Life @CKonnect
    • All Jobs
  • Knowledge Base
    • PrivacyReads
    • Community
    • Newsletters
    • Priv ToolKit
  • Stay Tuned
    • ComplyKonnect
    • E-PrivJournals
    • Priv-Books
  • Connects
    • 1:1
  • Contact Us
CKonnect
    • Home
    • CourseKonnect
      • e-learning
      • Udemy
      • learning (Old LMS)
    • Career
      • Life @CKonnect
      • All Jobs
    • Knowledge Base
      • PrivacyReads
      • Community
      • Newsletters
      • Priv ToolKit
    • Stay Tuned
      • ComplyKonnect
      • E-PrivJournals
      • Priv-Books
    • Connects
      • 1:1
  • Contact Us

Consent Manager Report

  • All Blogs
  • Digital Personal Data Act, 2023
  • Consent Manager Report
  • 17 July 2026 by
    Consent Manager Report
    CKonnect

    1. Introduction

    The Digital Personal Data Protection (DPDP) Act, 2023 introduces Consent Managers as a central mechanism for enabling individuals (Data Principals) to give, manage, review, and withdraw their consent in a transparent, accessible, and interoperable way. The DPDP Rules, 2025 provide detailed eligibility, registration conditions, operational duties, and governance norms.

    The below report explains in simple operational terms, how the consent manager must function, comply, and maintain accountability in accordance with the DPDP Act, 2023 and DPDP rules 2025.

    2. Definition

    (a) Statutory Definition

    A Consent Manager is defined under DPDP Act s.2(g) as: “A person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.”

    (b) Legal Framework

    Relevant provisions:

    • Act: s.6(7)-(9) -Consent generation, rights, accountability & registration of Consent Managers.
    • Act: s.13 -Consent Manager’s role in grievance redressal.
    • Act: s.27 - Board inquiries and penalties for breach of obligations.
    • Rules 2025: Rule 4 + First Schedule (Part A & B) – Registration, technical, operational, financial & governance obligations.

    Together, these create a licensed, regulated, accountability-based ecosystem for managing consent flows.

    3. Eligibility & Registration Process

    (a) Eligibility Criteria (First Schedule – Part A)

    To apply for registration, an applicant must:

    Corporate Structure

    • Must be a company incorporated in India.
    • Must have a minimum net worth of not less than ₹2 crore.

    Capacity Requirements

    • Sufficient technical, operational, and financial capacity to operate a large-scale interoperable consent platform.
    • Sound financial condition and good character of management.

    Management & Governance Requirements

    • Directors, Key Managerial Personnel (KMP) and senior management must have general reputation of fairness and integrity.
    • MOA/AOA must include:

      • Conflict-of-interest restrictions (aligned with Part B items 9 & 10).
      • Amendments to these sections require prior approval of the Board.

    Platform Certification Requirement

    • Independent certification that the interoperable platform:

      • Complies with data protection standards published by the Board.
      • Implements necessary techno-legal controls.

    Business Suitability

    • Proposed operations must be in the interests of Data Principals.
    • Business volume and earning prospects must be adequate.

    (b) Registration Process (Rule 4)

    1. Application filing

      • Submit application to the Data Protection Board with required documents, financials, platform certification, and particulars prescribed on Board’s website.
    2. Board inquiry & verification

      • Board may conduct any inquiries necessary to verify eligibility conditions in First Schedule Part A.
    3. Decision by the Board

      • If satisfied → Registration granted, and particulars published on Board’s website.
      • If not satisfied → Application rejected with reasons communicated.
    4. Post-registration compliance

      • Consent Manager must comply with all operational obligations in Part B.

    4. Technical & Security Standards

    (a) Interoperable Platform Requirements

    (First Schedule Part A, item 9)

    The platform must be independently certified to meet standards related to:

    • Consent issuance
    • Consent management
    • Consent withdrawal
    • Authentication of Data Principals
    • End-to-end secure data exchange
    • Interoperability with Data Fiduciaries

    (b) Security Controls (Part B Item 7)

    A Consent Manager must take reasonable security safeguards, including:

    • Encryption/obfuscation/masking of personal data.
    • Secure access control mechanisms.
    • Logs & monitoring for unauthorised access.
    • Technical & organisational controls for prevention of breaches.

    (c) Non-readability Rule

    Part B item 2 requires:

    The Consent Manager must ensure that any personal data shared through its platform is not readable by it.

    So, the CM must be a blind pipe, not a data processor.

    5. Consent Record-Keeping Requirements

    As mandated under Part B items 3 & 4, the Consent Manager must maintain records of:

    Types of Records

    • Consents given, denied, or withdrawn.
    • Notices issued with or preceding consent requests.
    • Records of personal data sharing with transferee Data Fiduciaries.

    Access Rights

    • Must provide Data Principals access to their consent records.
    • Must provide machine-readable exports upon request.

    Retention Period

    • Minimum 7 years, or longer if:

      • required by law, or
      • mutually agreed with the Data Principal.

    This is a strict statutory retention requirement.

    6. Interoperability & Connectivity Requirements

    (a) API-Based Connectivity

    The Consent Manager must enable:

    • Requests for consent from Data Fiduciaries.
    • Routing of consents between Data Fiduciaries (e.g., Case 2 example of B1 ↔ B2).
    • Secure relay of personal data from custodians (like banks, lockers) to requestors.

    (b) Platform Availability

    • Must develop and maintain a website and/or app as primary access points.
    • Must ensure that all consent interactions can occur digitally.

    (c) No Sub-Contracting

    The Consent Manager cannot sub-contract any core obligations (Part B item 6).

    Technology hosting (cloud etc.) may be used, but functions cannot be outsourced.

    7. Governance & Compliance Requirements

    (a) Fiduciary Duty to Data Principals

    Under Part B item 8:

    The Consent Manager must act in a fiduciary capacity towards the Data Principal.

    This means:

    • Prioritising user interest
    • Avoiding exploitation
    • Ensuring fairness and transparency

    (b) Conflict of Interest Controls

    (Part B items 9–10)

    The CM must:

    • Avoid conflicts with Data Fiduciaries.
    • Ensure directors/KMPs/senior management do not hold:

      • Directorships
      • Financial interest
      • Employment
      • Beneficial ownership
      • Material pecuniary relationships
        in Data Fiduciaries.

    Internal policies must prevent such conflicts.

    (c) Transparency Disclosures

    Must publish (Part B item 11):

    • Promoters, directors, KMP, senior management
    • Shareholders holding >2% stake
    • Corporate bodies where these individuals hold >2% stake
    • Any additional disclosures required by Board

    (d) Audit Mechanisms

    (Part B item 12)

    • Must conduct periodic audits covering:

      • Technical & organisational controls
      • Registration conditions
      • Obligations under Act & Rules
    • Audit results must be reported to the Board.

    (e) Control Transfer Restriction

    (Part B item 13)

    • Consent Manager cannot sell, merge, or transfer control without prior Board approval.

    8. Suspension / Cancellation Scenarios

    Under Rule 4(5) and Act s.27, the Board may:

    (a) Grounds for Suspension or Cancellation

    • Non-adherence to registration conditions
    • Non-compliance with obligations in Part B
    • Breach affecting interests of Data Principals
    • violation of fiduciary obligations
    • Failure to prevent or report security breaches
    • Conflict of interest violations
    • Misrepresentation during registration
    • Failure to provide information to Board
    • Audit failures or governance lapses

    (b) Procedure

    1. Board identifies non-compliance.
    2. CM is given an opportunity of being heard.
    3. Board may:

      • Direct corrective actions
      • Issue further directions
      • Suspend registration
      • Cancel registration
    4. Board reasons must be recorded in writing.

    (c) After Cancellation

    Board may issue protective directions to safeguard Data Principals.

    9. Practical Role & Future Market Implications

    (a) Practical Role in DPDP Ecosystem

    Consent Managers are expected to:

    • Standardise consent capture & withdrawal
    • Reduce compliance load for small Data Fiduciaries
    • Provide Data Principals a single control dashboard
    • Enable secure sharing of personal data from verified custodians
    • Increase trust & transparency in digital services

    (b) Industry Adoption

    Consent Managers will likely emerge in:

    • Fintech
    • Health-tech
    • Ed-tech
    • Telecom
    • E-commerce
    • Wallets & payments
    • Government benefit delivery

    (c) Trust Infrastructure

    They will act as a trust layer, similar to:

    • Account Aggregators
    • Digi Locker ecosystem
    • Unified consent management standard

    (d) Future Market Implications

    • High demand for certified interoperable platforms
    • Strong business opportunity in B2B consent orchestration
    • Regulatory scrutiny will be strict due to fiduciary nature

    Potential integration with DPI (Digital Public Infrastructure)

    By Naukhaiz Aftab

    in Digital Personal Data Act, 2023
    Share this post
    Our blogs
    • Where Privacy Meets Tech
    • Templates That Work: Built for Real Privacy Teams
    • The Privacy Perspective: Insights from the Real World
    • CKonnect Stories
    • e-learning from CourseKonnect
    • Privacy Team Pulse
    • Our blog
    • Digital Personal Data Act, 2023
    Comparision Draft and Final Rules
    Follow us

    Privacy Notice ​​Refund Policy

     Terms & Conditions

        ​    connect@ckonnect.co.in

    How can we help?

    konnect with us

    Website Logo

    Respecting your privacy is our priority.

    Allow the use of cookies from this website on this browser?

    We use cookies to provide improved experience on this website. You can learn more about our cookies and how we use them in our Cookie Policy.

    Allow all cookiesOnly allow essential cookies