Consent Manager Registration Opens November 2026: The Complete Guide for Organisations Planning to Apply

Introduction

The Consent Manager registration window opens on November 13, 2026 — exactly eight months from today. For organisations planning to operate as registered Consent Managers under the DPDPA, this date represents both a massive opportunity and a hard deadline. According to CookieYes' analysis of the DPDP Rules 2025, the registration process will be administered by the Data Protection Board of India (DPBI), with strict eligibility criteria that organisations must satisfy before submitting their applications. The consent manager concept under the DPDPA is transformative: registered Consent Managers serve as intermediaries between Data Principals and Data Fiduciaries, providing individuals with a single, unified platform to view, grant, manage, and withdraw consent across all organisations that process their data. Think of it as a 'consent wallet' — a centralised interface that puts Data Principals in control of their digital privacy. This guide provides the definitive roadmap for organisations planning to apply, covering every eligibility requirement, technical standard, and preparation step you need to execute between now and November 2026.

What Is a Consent Manager Under the DPDPA?

A Consent Manager is a new category of regulated entity created by the DPDPA. Section 6 of the Act and Rule 4 of the DPDP Rules 2025 define a Consent Manager as a person registered with the DPBI who acts as a single point of contact for Data Principals to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform. The Consent Manager does not process personal data itself — it facilitates the consent transaction between the Data Principal and the Data Fiduciary. This distinction is critical: a Consent Manager is an intermediary, not a data processor. Its role is to ensure that Data Principals can exercise their rights efficiently and that Data Fiduciaries receive valid, auditable consent signals. As Lexology's legal analysis notes, the Consent Manager framework draws parallels with the Account Aggregator (AA) framework in financial services, where licensed intermediaries facilitate data sharing with user consent. The AA framework has been widely successful, with over 100 million linked accounts within three years of launch. The Consent Manager ecosystem is expected to follow a similar trajectory, creating a market opportunity that industry analysts estimate could exceed ₹5,000 crore annually by 2030.

• Intermediary role — Acts between Data Principals and Data Fiduciaries; does not process personal data for its own purposes
• Single point of contact — Provides Data Principals with one dashboard to manage consent across all Data Fiduciaries
• Registered entity — Must be registered with the DPBI; operating without registration is a violation of the Act
• Interoperable platform — Must support standardised consent artefacts that work across Data Fiduciaries
• Accountability — Accountable to the Data Principal and subject to DPBI oversight, with registration revocable for non-compliance

Eligibility Requirements: The Complete Checklist

The DPDP Rules 2025 establish stringent eligibility requirements for Consent Manager registration. According to Lexology's detailed breakdown, these requirements are designed to ensure that only financially stable, technically capable, and conflict-free organisations can operate in this critical role. Every requirement must be satisfied at the time of application, and the DPBI is expected to verify compliance rigorously before granting registration. Organisations should begin preparing now — several of these requirements, particularly the net worth threshold and independent certification, require months of advance preparation.

• Indian incorporation — The applicant must be a company incorporated in India under the Companies Act, 2013. Foreign entities, partnerships, LLPs, and sole proprietorships are not eligible
• Minimum net worth of ₹2 crore (INR 20 million) — The company must demonstrate a net worth of at least ₹2 crore as certified by a chartered accountant. This threshold ensures financial stability and the ability to sustain operations
• Technical capacity — The applicant must demonstrate the technical infrastructure and capability to operate a consent management platform that is secure, reliable, accessible, and interoperable
• No conflict of interest — The applicant must not have any conflict of interest that could compromise its independence as a consent intermediary. This is particularly relevant for organisations that are also Data Fiduciaries processing personal data
• Independent certification — The applicant must obtain an independent certification from a body specified by the DPBI, verifying that its technology platform and processes meet the prescribed standards
• Fit and proper criteria — Directors and key management personnel must meet fit and proper criteria, including no history of criminal convictions related to fraud, financial crimes, or data protection violations
• Grievance redressal mechanism — The applicant must have a functioning grievance redressal mechanism for Data Principals

The Net Worth Requirement: What ₹2 Crore Really Means

The minimum net worth requirement of ₹2 crore (approximately $240,000 USD) serves as both a financial stability threshold and a barrier to entry that filters out unserious applicants. Net worth is calculated as total assets minus total liabilities, as certified by a chartered accountant. For startups and early-stage companies, this requirement means that the company must have either accumulated sufficient retained earnings or received sufficient equity investment to meet the threshold. Bridge loans, unsecured debt, and contingent liabilities can affect the calculation, so careful financial planning is essential. According to CookieYes, the DPBI may require the net worth to be maintained continuously, not just at the time of application — meaning organisations must ensure ongoing financial health to retain their registration. For organisations currently below the ₹2 crore threshold, the eight months until November 2026 provide a window to raise capital, restructure finances, or convert debt to equity. Given the anticipated market size of the consent management ecosystem, investors are likely to view Consent Manager registration as a valuable and defensible business asset.

Technical Capacity Requirements: Building the Platform

The technical requirements for Consent Manager platforms are substantial and reflect the critical nature of the role. The platform must handle millions of consent transactions securely, provide real-time consent status to Data Fiduciaries, and offer an intuitive interface for Data Principals — many of whom may have limited digital literacy. While the DPBI has not yet published detailed technical specifications, the DPDP Rules and IAPP's operational analysis indicate that the following capabilities will be required. Organisations planning to apply should begin platform development now, as building, testing, and certifying a consent management platform that meets these standards will take at minimum six months of dedicated engineering effort.

• Secure consent capture — Cryptographically signed consent artefacts with timestamps, purpose specifications, and Data Principal identity verification
• Real-time consent status API — Data Fiduciaries must be able to query consent status in real-time; the platform must support high-throughput, low-latency API calls
• Data Principal portal — An accessible, multi-language interface where individuals can view all active consents, grant new consent, modify consent parameters, and withdraw consent with a single action
• Audit trail — Complete, immutable logs of all consent transactions, accessible to the DPBI for regulatory audits
• Interoperability — Support for standardised consent schemas that enable seamless integration with any Data Fiduciary, regardless of their technology stack
• Security standards — ISO 27001 certification or equivalent, encryption at rest and in transit, penetration testing, and vulnerability management
• Availability and resilience — 99.9% uptime SLA, disaster recovery, and data centre redundancy within India
• Scalability — Architecture capable of handling exponential growth as the consent ecosystem matures and more Data Fiduciaries integrate

Conflict of Interest: The Independence Requirement

The conflict of interest restriction is one of the most significant — and least discussed — eligibility requirements. A Consent Manager must act in the interest of the Data Principal, not the Data Fiduciary. This creates a fundamental tension for organisations that are themselves Data Fiduciaries: can a company that processes personal data for its own purposes simultaneously serve as an independent consent intermediary? The DPDP Rules suggest the answer is nuanced. An organisation that processes personal data in a completely different domain from its Consent Manager activities may not have a material conflict. However, an organisation that operates a consent management platform while also operating a business that benefits from user consent (e.g., a digital advertising platform or a data analytics company) would likely face scrutiny. According to Chambers and Partners, the DPBI is expected to evaluate conflicts on a case-by-case basis, considering factors such as corporate structure, revenue model, data access, and governance arrangements. Organisations with potential conflicts should consider structural solutions — such as establishing a separate subsidiary for the Consent Manager function, implementing Chinese walls between the Consent Manager and Data Fiduciary operations, or appointing an independent board for the Consent Manager entity.

Independent Certification: What to Expect

The requirement for independent certification adds an additional layer of preparation that organisations must not underestimate. The DPBI is expected to specify approved certification bodies and the standards against which platforms will be assessed. While the exact certification framework has not yet been published, industry observers expect it to draw on established standards. PwC's regulatory analysis suggests that the certification process will assess platform security (aligned with ISO 27001 and SOC 2), data handling practices, consent artefact integrity, API security, and accessibility compliance. The certification process itself is likely to take two to four months, including application, assessment, remediation of findings, and final certification. Given that registration opens in November 2026, organisations should target completing their certification by September 2026 at the latest — which means initiating the certification engagement no later than May or June 2026. For organisations that do not yet have ISO 27001 or SOC 2 certification, pursuing these foundational certifications in parallel with Consent Manager-specific certification is advisable, as the foundational work significantly accelerates the domain-specific assessment.

The Application Process: Step-by-Step Timeline

While the DPBI has not yet published the formal application process, the DPDP Rules and regulatory precedent from similar frameworks (particularly the Account Aggregator registration process administered by the RBI) provide a reasonable basis for anticipating the process. Organisations should plan against this indicative timeline to ensure readiness by November 2026. The DPDP compliance timeline positions Consent Manager registration within the Phase 2 implementation window, suggesting that the DPBI intends for the consent ecosystem to be operational before the full compliance deadline of May 2027.

• March–May 2026: Preparation phase — Finalise corporate structure, ensure net worth compliance, begin platform development, initiate independent certification engagement
• May–July 2026: Platform development — Complete core platform build, conduct security assessments, implement consent artefact standards, build Data Principal portal
• July–September 2026: Certification — Submit for independent certification, address assessment findings, obtain certification
• September–October 2026: Application preparation — Compile documentation, obtain chartered accountant net worth certification, prepare board resolutions, finalise grievance redressal mechanism
• November 13, 2026: Registration window opens — Submit application to DPBI via prescribed process
• November 2026–February 2027: DPBI review — Respond to DPBI queries, provide additional documentation as requested, await approval
• Q1 2027: Registration granted — Begin operations as a registered Consent Manager, onboard Data Fiduciaries, launch Data Principal-facing platform

How Kraver.ai Maps to Consent Manager Requirements

Kraver.ai's consent management platform is architecturally aligned with the DPDPA's Consent Manager requirements. While Kraver.ai currently operates as a compliance technology provider helping Data Fiduciaries manage consent, our platform's capabilities map directly to the technical requirements for registered Consent Managers. Our consent artefact framework generates cryptographically signed, purpose-specific consent records with full audit trails. Our Data Principal rights module provides a self-service portal for individuals to view, manage, and withdraw consent. Our API infrastructure supports high-throughput, real-time consent status queries. And our platform is hosted entirely on Indian cloud infrastructure, meeting data residency requirements. For organisations building Consent Manager platforms, Kraver.ai provides the foundational compliance technology — from data discovery and classification to access control and audit reporting — that accelerates platform development and certification readiness. For Data Fiduciaries preparing to integrate with registered Consent Managers, Kraver.ai ensures your consent infrastructure is ready for the standardised consent ecosystem that will emerge post-November 2026.

Conclusion

The Consent Manager registration window opening on November 13, 2026 represents a once-in-a-generation regulatory opportunity. The organisations that register first will establish early-mover advantage in a market that is expected to grow exponentially as the DPDPA's compliance timeline drives universal adoption of consent management. But the window to prepare is finite. The ₹2 crore net worth requirement, independent certification, platform development, and conflict-of-interest structuring all require months of advance work. An organisation that starts preparing in September 2026 will almost certainly miss the November registration window. An organisation that starts today has a clear, executable path to readiness. Whether you are a technology company planning to build a Consent Manager platform, an existing consent management provider planning to formalise your status, or a compliance consultancy exploring adjacent opportunities, this guide provides the roadmap you need. The eight-month countdown has begun. Kraver.ai is here to help you make every month count.