Introduction
The concept of a Consent Manager is one of the most novel elements of India's Digital Personal Data Protection Act, 2023. Defined under Section 2(7) of the Act and operationalised by Rule 4 of the DPDP Rules, 2025, a Consent Manager acts as a single point of contact for Data Principals to manage their consent across multiple Data Fiduciaries — much like an account aggregator for personal data consent. Registration opens on November 13, 2026, and the eligibility requirements effectively reserve this role for India-incorporated entities with significant financial standing. This article covers everything you need to know about becoming or working with a Consent Manager.
What is a Consent Manager?
A Consent Manager is a registered intermediary that enables Data Principals (individuals) to give, manage, review, and withdraw consent for the processing of their personal data — all through a single, accessible platform. Think of it as a "consent dashboard" that aggregates an individual's data permissions across multiple organisations. The concept was first introduced in the DPDP Act's definitions (Section 2) and draws parallels with India's Account Aggregator framework in the financial sector. However, unlike account aggregators, Consent Managers deal with personal data consent — a broader and more sensitive domain. Its key characteristics are:
- Single point of contact for individuals to manage consent across all Data Fiduciaries they interact with
- Consent lifecycle management — giving, reviewing, modifying, and withdrawing consent
- Transparency enabler — Data Principals can see exactly who has their consent and for what purpose
- Interoperability requirement — must work across different Data Fiduciaries and their systems
- Accountability layer — maintains auditable records of all consent transactions
Eligibility Requirements for Registration
The registration criteria are defined in Part A of the First Schedule of the DPDP Rules, 2025. They set a high bar — deliberately filtering for financially stable, professionally managed Indian entities. Notably, foreign-incorporated companies cannot register, effectively excluding global platforms like OneTrust, TrustArc, and Osano from operating as registered Consent Managers in India (Osano).
- India incorporation — the entity must be a company incorporated under Indian law, ensuring local legal accountability and jurisdiction
- Minimum net worth of ₹2 crore (approximately USD 230,000) — demonstrates financial stability to sustain operations and meet obligations
- Technical and operational capacity — the applicant must demonstrate sufficient technical infrastructure, operational processes, and financial resources to handle consent management at scale
- Management integrity — directors, key managerial personnel, and senior management must be individuals with a general reputation and record of fairness and integrity
- Sound character assessment — the Data Protection Board evaluates the overall standing and credibility of the applicant organisation
Obligations Once Registered
Registration is just the beginning. Consent Managers have extensive ongoing obligations designed to ensure trust, transparency, and accountability. Failure to meet these obligations can result in deregistration and penalties under the Act.
- Maintain consent records for 7 years — detailed logs of all consents given, denied, or withdrawn through the platform must be retained and made available for audit
- Act solely in the interest of the Data Principal — the Consent Manager must not have conflicts of interest and cannot use consent data for its own commercial purposes
- Regular audits — undergo periodic, effective audits to review technical and organisational controls. Audit reports must be submitted to the Data Protection Board (DPBI)
- Interoperability — ensure the platform works seamlessly across different Data Fiduciaries' systems and consent frameworks
- Data security — implement reasonable security safeguards to protect the consent data and personal information passing through the platform
- Grievance redressal — provide Data Principals with a mechanism to raise issues about the consent management service (Section 13)
- No data retention beyond purpose — consent data must not be retained longer than necessary, and must be deleted once the Data Principal revokes access
How Consent Managers Fit Into the DPDPA Ecosystem
The Consent Manager sits at the intersection of three key stakeholders in the DPDPA framework. Understanding this positioning is crucial for both aspiring Consent Managers and Data Fiduciaries who will integrate with them.
- Data Principal (Individual) → uses the Consent Manager to view, manage, and withdraw consent across all organisations
- Data Fiduciary (Organisation) → integrates with registered Consent Managers to receive and process consent signals from Data Principals
- Data Protection Board (DPBI) → registers, monitors, audits, and can deregister Consent Managers that fail to meet obligations
Impact on Foreign Consent Platforms
The India-incorporation requirement has significant implications for the global consent management market. Major international platforms like OneTrust, TrustArc, Osano, and CookieYes cannot register as Consent Managers unless they establish an Indian subsidiary meeting all eligibility criteria, including the ₹2 crore net worth requirement. This creates a significant opportunity for Indian companies — including compliance platforms like Kraver.ai — to fill this gap with purpose-built, DPDPA-native consent management solutions. According to CompliEZ, this represents a new business frontier under the DPDPA.
How to Prepare for November 2026
Whether you're planning to register as a Consent Manager or are a Data Fiduciary that will need to integrate with one, here's what to do now:
- If you want to become a Consent Manager: ensure your company is India-incorporated, meets the ₹2 crore net worth threshold, and has the technical infrastructure for consent management at scale
- Build interoperable consent APIs: Data Fiduciaries should start building API-based consent systems that can integrate with registered Consent Managers when they go live
- Audit your current consent mechanisms: evaluate whether your existing consent collection meets DPDPA requirements — free, specific, informed, unconditional, and unambiguous
- Implement consent lifecycle tracking: use tools like Kraver.ai's consent management platform to track consent collection, modification, and withdrawal with audit trails
- Map your Data Fiduciary relationships: understand which organisations process your users' data and how consent flows between them — this mapping will be essential for Consent Manager integration
Conclusion
The Consent Manager framework is one of the most forward-looking aspects of India's DPDPA — creating a new category of regulated intermediary that puts individuals in control of their data consent. With registration opening in November 2026 and the ₹2 crore net worth requirement ensuring only serious players participate, this is a significant opportunity for Indian compliance companies and a wake-up call for organisations that haven't yet built DPDPA-compliant consent systems. Whether you're an aspiring Consent Manager or a Data Fiduciary preparing for integration, the time to act is now. Reach out to Kraver.ai for guidance on building consent infrastructure that's ready for the November 2026 deadline.