DPDPA Dive: What are the Duties of a Consent Manager?

Mar 2025 - DPDPA Services Silverse

Introduction

A draft of the Digital Personal Data Protection Rules was released on 3 January 2025, under the Digital Personal Data Protection Act (DPDPA) 2023. The rules mark a crucial step in India’s journey towards establishing a strong data privacy framework. They aim to balance safeguarding individuals’ rights to the protection of their personal data with organizational compliance obligations.

With the release of the draft, organizations have been striving to comply. A crucial aspect of this compliance is the role of the consent manager – an external or internal entity that will act as an intermediary between data fiduciaries and data principals. This role aligns with international data privacy frameworks such as the General Data Protection Regulation (GDPR).

In this article, Silverse’s experts explore the responsibilities and significance of the consent manager under the DPDPA.

What is a Consent Manager?

A consent manager is a company that helps data principals and organizations obtain, manage, and withdraw consent before personal data is processed. The consent manager achieves this by providing an interoperable, transparent platform for data principals to manage their consent.

Notably, while other regulations such as the EU’s GDPR or California’s California Consumer Privacy Act (CCPA) primarily rely on organizations to manage their own consent mechanisms, India’s Rules introduce a regulated, centralized model.

Through this centralization, the rules facilitate regulatory compliance, business efficiency, and user control. However, its success relies on robust enforcement, security safeguards, industry-wide adoption, and interoperability.

Key Obligations of the Consent Manager

Key duties of the consent manager include, as per Part B of the First Schedule of the DPDP draft Rules published on 3 January 2025:

  • Enable data principals using the consent manager’s platform to consent to the processing of their personal data by a data fiduciary onboarded onto that platform.
  • Make sure that personal data is made available or shared in such a manner that its contents are not readable by the consent manager.
  • Maintain on its platform a record of the following:

    • Consents given, denied or withdrawn
    • Notices preceding or accompanying consent requests
    • Sharing of personal data with a transferee data fiduciary
  • Give the data principal using the platform access to the abovementioned record.
  • Make available to the data principal the information contained in the record, in machine-readable form, at the request of the data principal and in accordance with its terms of service.
  • Maintain the record for a minimum of seven years, or for a longer period as the consent manager and data principal may agree on, or as required by law.
  • Develop and maintain an app or website, or both, as the primary means through which a data principal can access the services provided by the consent manager.
  • Act in a fiduciary capacity in relation to the data principal.
  • Implement reasonable security safeguards to prevent personal data breaches.

Conditions for Registration

For companies to act as consent managers, they must meet several criteria, including but not limited to:

  • Being incorporated in India
  • Having a minimum net worth of ₹2 crores (approximately USD 230,000)
  • Possessing a certified interoperable platform for managing consent
  • Having efficient operational, technical and financial capacity to meet obligations
  • Possessing sound financial condition and general character of management
  • Having an adequate volume of business, capital structure, and earning prospects
  • Ensuring that the operations meant to be undertaken are in the interests of data principals
  • Ensuring that the interoperable platform is consistent with the assurance framework and data protection standards that may be published by the Board on its website

Controls on Consent Manager Operations

The Digital Personal Data Protection Rules impose strict controls on the operations of consent managers. Some critical controls include:

  • Consent managers are prohibited from assigning or subcontracting their duties under the DPDPA to any third parties.
  • Consent managers must make sure that no conflict of interest arises due to their senior management, directors, or key managerial personnel holding financial interest, directorship, beneficial ownership, or employment in data fiduciaries.
  • Consent managers shall publish information regarding any person holding greater than 2% of shares in the consent manager entity, as well as any corporate entity whose shares (greater than 2%) are held by key managerial personnel, promoter, senior management, or director. The goal of this control is to avoid undue influence.
  • Consent managers shall implement audit mechanisms to monitor, evaluate, review and report the audit outcome to the Data Protection Board (“the Board”), with respect to:

    • Technical and organizational controls, procedures, systems, and safeguards
    • Continued fulfilment of the conditions of registration
    • Adherence to obligations under the Act and Rules
  • The control of the company registered as the consent manager will not be transferred through sale, merger or otherwise, except with the previous approval of the Board and subject to fulfilment of conditions that the Board may specify.

Note that, if a consent manager is found to be violating the DPDPA, the Board might issue directives to address non-compliance. In more serious cases, the Board might suspend or cancel the consent manager’s registration to protect the interests of data principals. The Board may also request any relevant information from consent managers as necessary.

Implementing Consent Managers: Challenges

While the consent manager system offers structure to consent management, its implementation comes with several challenges for data fiduciaries, data principals, data processors, and regulators. Below are the most prominent ones.

Compliance Costs for Organizations

Many businesses will feel the pressure of implementing consent managers while minimizing the associated costs. Investments for companies may include, but are not limited to:

  • Platform implementation
  • Secure infrastructure for storing and processing personal data
  • Employee training
  • Retention of detailed transaction logs
  • Legal counsel

Such costs could add financial strain to businesses, especially SMEs.

Integration and Interoperability

While the DPDPA mandates that consent managers develop interoperable platforms, each sector (finance, healthcare, e-commerce, telecom, etc.) uses different data formats, technical protocols, and consent collection methods, making seamless integration difficult. The lack of uniform interoperable protocols and standards only adds to this complexity.

Furthermore, consent managers may need to integrate with a large number of data fiduciaries, requiring significant investment in technology and resources.

Cybersecurity and Data Security

Consent managers will be responsible for managing large volumes of personal data. This will make them attractive targets for cybercriminals, further creating challenges for both consent managers and data fiduciaries in protecting personal data and complying with the DPDPA.

Conclusion

India’s consent manager system offers a regulated, centralized approach that enhances data privacy, interoperability, user control, and organizational compliance. While challenges remain in the implementation and enforcement of the consent manager framework, organizational collaboration and robust regulatory oversight can help position India as a global leader in digital data protection and privacy.

As of 18 March 2025, the draft DPDP Rules are under review. Once they are finalized, all organizations (whether based in India or internationally) that process digital personal data related to providing goods or services to data principals in India will be expected to revise their data privacy and protection strategies – including consent manager integration – as per the DPDPA.

Implementation, however, may be complex for many entities, especially those based outside India. That is where Silverse steps in. We craft comprehensive cybersecurity journeys, anchored by our industry expertise, extensive experience, and ecosystem of trusted partners.

Our three branches of offerings – Advisory, Implementation, and Managed Operations – will help ensure your compliance with the DPDPA, whether you are a data fiduciary, consent manager, or data processor. Contact us now to get started.
