Navigating Consent Managers under DPDPA: Business Models, Liability, and Unresolved Issues
As of June 2026, the Digital Personal Data Protection Act, 2023 (DPDPA) has firmly established its presence in India’s digital landscape. A cornerstone of this new regime is the concept of ‘consent,’ which the DPDPA elevates to a paramount position, especially through the introduction of Consent Managers (CMs). While the DPDPA itself lays the foundational principles, the recently notified DPDPA Rules have begun to flesh out the operational specifics for CMs, offering a glimpse into their transformative potential for data governance in India. These entities are poised to empower Data Principals by streamlining their consent management, but their precise business models, liability frameworks, and a host of open questions continue to evolve.
The Evolving Business Model of Consent Managers in India
The DPDPA envisions Consent Managers as key facilitators in the digital ecosystem, acting as a single, interoperable, and accessible platform for Data Principals to manage their consent. As outlined in Section 6(8) of the DPDPA, a Data Principal may give, manage, review, or withdraw consent through a CM. The DPDPA Rules, now in effect, detail the technical standards and operational protocols that CMs must adhere to, including requirements for secure, transparent, and auditable consent records. This framework is a significant departure from global norms like GDPR, which do not prescribe a dedicated CM role, underscoring India’s proactive approach to user-centric data control.
For CMs, the business model is likely to converge on offering services to Data Fiduciaries (DFs). They would likely charge DFs for facilitating consent requests, managing consent records, and processing withdrawals on behalf of Data Principals. Accreditation by the Data Protection Board of India (DPBI), as mandated by Section 6(8), will be crucial for establishing trust and market legitimacy. The successful Account Aggregator framework, regulated by the Reserve Bank of India (RBI), provides a precedent for consent-driven data sharing in India’s financial sector, and CMs under DPDPA could draw parallels, potentially expanding to other sectors overseen by SEBI or IRDAI. The challenge and opportunity lie in building a scalable, secure, and user-friendly infrastructure that encourages widespread adoption by both Data Principals and Fiduciaries.
Unpacking Liability: Who Bears the Risk?
The DPDPA framework introduces a nuanced liability landscape involving CMs. While CMs are central to the consent process, the ultimate responsibility for obtaining valid consent rests with the Data Fiduciary. Section 6(1) explicitly states that personal data can only be processed for a lawful purpose for which the Data Principal has given consent. This means a DF cannot simply outsource its consent obligations entirely to a CM. If a CM fails to accurately record or transmit consent (or withdrawal), or if there’s a security breach of the consent records they hold (a responsibility implied by Section 8(5) on security safeguards), the CM would face direct liability under the DPDPA, potentially incurring penalties under Section 33.
However, the DF’s liability remains paramount. The DF must ensure that the consent obtained via a CM is truly “free, specific, informed, unconditional, and unambiguous” as required by Section 6(1). Furthermore, DFs are obligated to cease processing upon withdrawal of consent (Section 7(1)), regardless of how that withdrawal is communicated or facilitated by a CM. This necessitates robust due diligence by DFs when selecting an accredited CM and ensuring seamless integration between their internal systems and the CM’s platform. The DPDPA Rules are expected to clarify the extent of joint or several liability, but for now, DFs must assume a significant residual responsibility for the validity and management of consent.
Open Questions and Future Trajectories
Despite the progress with the DPDPA Rules, several critical questions remain regarding CMs. Firstly, ensuring interoperability across different CM platforms will be vital for a truly seamless consent experience for Data Principals. The DPDPA Rules must specify robust technical standards to prevent fragmentation and ensure that a Data Principal can manage all of their consents through any accredited CM. Secondly, the success of CMs hinges on trust and adoption. What incentives will drive Data Principals to use CMs, and how will their privacy be protected, particularly concerning the data a CM itself collects to manage consent? The principle of data minimisation (Section 4) would apply here, limiting CMs to collecting only the data necessary for their function.
Thirdly, potential overlaps with existing sectoral regulations, such as RBI’s norms for Account Aggregators or IT Rules, 2021, need careful harmonisation. The DPBI will need to collaborate with these sectoral regulators to ensure a consistent and coherent regulatory environment. Finally, the grievance redressal mechanism involving CMs requires further clarity. While the DPDPA outlines the DPBI’s role (Section 21) and the DF’s internal grievance mechanism (Section 13), a clear pathway for Data Principals to address issues arising specifically from CM services will be essential for building confidence and ensuring accountability.
Practical Takeaway
For Indian businesses, especially Data Fiduciaries, the time to integrate Consent Managers into your data governance strategy is now. Begin evaluating accredited CM solutions and understand their technical capabilities and compliance postures. Crucially, recognise that while CMs streamline consent, your organisation retains ultimate liability for obtaining valid consent under Section 6(1) and responding to withdrawals under Section 7(1). General Counsels and Data Protection Officers should meticulously review the DPDPA Rules pertaining to CMs, update internal privacy policies and notices, and train staff on the new consent workflows. Proactive engagement with CMs and continuous monitoring of DPBI guidance will be key to navigating this evolving landscape successfully.