Navigating India's Consent Managers: Business, Responsibility, and the Road Ahead
As of May 2026, the Digital Personal Data Protection Act (DPDPA) 2023 is firmly in effect, and the accompanying Rules, particularly those governing Consent Managers, are shaping India’s data economy. The DPDPA marks a significant shift towards empowering Data Principals, and Consent Managers (CMs) are poised to be a cornerstone of this new regime. Unlike many global privacy frameworks, India has explicitly mandated and defined CMs, creating both opportunities and complexities for businesses and individuals alike.
The Business of Consent Management: A New Digital Frontier
The DPDPA introduces the Consent Manager as a registered entity acting on behalf of a Data Principal to give, manage, review, and withdraw consent (Section 2(h)). This formal recognition elevates CMs beyond mere technical tools, positioning them as critical intermediaries in the data ecosystem. Their primary function, as outlined in Section 6(4), is to facilitate the exercise of a Data Principal’s consent rights with Data Fiduciaries.
The business model for CMs is still evolving but likely encompasses several avenues. Many will operate on a subscription basis, offering Data Principals a consolidated platform to manage their digital consents across various services. Others might charge Data Fiduciaries for verified consent signals or for integrating CM services into their data processing workflows. Given India’s robust digital public infrastructure, CMs could integrate seamlessly with platforms like Account Aggregators (regulated by RBI), which already manage financial data consent, or the Open Network for Digital Commerce (ONDC). The DPDPA Rules on Consent Managers are expected to detail the registration process with the Data Protection Board of India (DPBI), prescribing stringent technical and operational standards, including data security protocols and interoperability requirements. This will necessitate significant investment in secure infrastructure and user-friendly interfaces, creating a specialized market for CM service providers.
Understanding the Liability Landscape for Consent Managers
The DPDPA places unique responsibilities on CMs, which inherently come with a distinct liability framework. As an entity acting on behalf of the Data Principal, a CM is entrusted with a fiduciary-like duty to accurately convey and manage consent instructions. Any failure to do so could lead to significant repercussions. For instance, if a CM erroneously grants consent or fails to withdraw it as instructed by the Data Principal, it could be held accountable for the resulting unauthorized processing of personal data. While the primary liability for data processing rests with the Data Fiduciary (Section 8), the CM’s role as an agent means it bears responsibility for its specific actions or inactions related to consent management.
The DPDPA Rules are expected to clarify the extent of CM liability, potentially including penalties for non-compliance with prescribed standards, misrepresentation, or failure to uphold the Data Principal’s instructions. This is a critical distinction from frameworks like the GDPR, which lacks a direct CM equivalent and places the onus of consent management almost entirely on the Data Controller. In India, the CM’s neutrality and adherence to the Data Principal’s wishes are paramount. Sectoral regulators, such as the RBI for Account Aggregators, have already established specific guidelines for consent management, and the DPBI’s rules for CMs will need to harmonise with these, ensuring a consistent and robust framework across different sectors.
Open Questions and the Road Ahead
Despite the clarity offered by the DPDPA and its Rules, several open questions remain for the Consent Manager ecosystem:
- Interoperability and Standardisation: While the Rules are likely to mandate technical standards, ensuring seamless interoperability between various CMs and a multitude of Data Fiduciaries will be crucial. Will there be a single, universally accepted API or a set of minimum standards?
- Cost and Accessibility: Who bears the cost of CM services? If Data Principals are charged, will this create a barrier to privacy for certain segments of the population? How will CMs cater to individuals with varying levels of digital literacy, ensuring inclusive access to consent management tools?
- Regulatory Oversight and Auditing: Beyond initial registration, what will be the ongoing regulatory oversight mechanism for CMs? Will the DPBI conduct regular audits to ensure continued compliance with security, transparency, and operational standards?
- Data Security and Breach Management: CMs will handle highly sensitive consent instructions. The DPDPA Rules must specify robust data security requirements, and the consequences for CMs in the event of a data breach involving consent data will need to be clearly defined.
- Integration with Existing Frameworks: How will the DPDPA’s CM framework fully integrate with existing consent-driven systems like the RBI’s Account Aggregators? Will the DPBI’s rules complement or potentially supersede certain aspects of sectoral guidelines regarding consent?
These questions highlight the dynamic nature of India’s evolving data protection landscape. The success of CMs will depend on clear regulatory guidance, technological innovation, and a strong commitment to Data Principal empowerment.
Practical takeaway: Indian businesses, particularly Data Fiduciaries, must proactively prepare for the integration of Consent Managers into their data processing workflows. This involves understanding the DPDPA Rules on CMs, assessing their current consent acquisition and management practices, and identifying suitable CM partners. General Counsels and Data Protection Officers should conduct thorough due diligence on prospective CMs, focusing on their registration status with the DPBI, adherence to prescribed technical and security standards, and their liability framework. Businesses must also update their internal policies and systems to seamlessly receive and act upon consent signals from CMs, ensuring compliance with Section 6(4) of the DPDPA and avoiding potential penalties for non-compliance.