Operation of DPDPA’s consent manager framework

By Ada Shaharbanu and Sean McDonald, Spice Route Legal

The Digital Personal Data Protection Act, 2023 (DPDPA), introduced the concept of consent managers. These are entities registered with the Data Protection Board to act as single points of contact, enabling data principals to give, manage, review and withdraw their consent through accessible, transparent, and interoperable platforms. The recently issued draft Digital Personal Data Protection Rules, 2025 (draft rules), set out requirements for consent managers and detail operational aspects of their role.

Ada Shaharbanu
Senior Associate
Spice Route Legal

Under the draft rules, only an Indian company with a minimum net worth of INR20 million (USD233,000) may qualify as a consent manager. Consent managers should have sufficient capacity, particularly in the technical, operational and financial areas, with the leadership having a record of fairness and integrity. They must act in a fiduciary role in relation to data principals and avoid conflicts of interest with data fiduciaries.

The draft rules detail the obligations of consent managers. These include operating transparent, independently certified platforms, allowing data principals to manage their consent with data fiduciaries onboarded onto the platform; maintaining digital records of consent requests for a minimum of seven years; ensuring robust security measures to prevent data breaches; having effective audit mechanisms in place; and ensuring that they are data-blind in their operations.

Consent management frameworks are not new. Sectoral initiatives such as the financial sector’s account aggregator framework and the National Health Authority’s Ayushman Bharat Digital Mission in the health sector already manage user consent. These frameworks derive from the Data Empowerment and Protection Architecture, launched by Niti Aayog in 2020. This envisaged a consent-based data-sharing framework granting individuals the power to control, manage and seamlessly share their data.

Sean McDonald
Lawyer
Spice Route Legal

Despite existing frameworks being a template, the draft rules provide insufficient clarity as to how consent managers should operate. They do not address the problem of interoperability between consent manager platforms. This could be achieved by integrating all consent managers and data fiduciaries through open application programming interface, or API, protocols similar to the scale-up model adopted by the account aggregator framework. Although it is not mandatory for a data fiduciary to use a consent manager, the advantages of being part of a consent management ecosystem will likely facilitate wider adoption by data fiduciaries. The consent manager framework could facilitate future data portability, even though the DPDPA does not expressly provide for such a possibility.

The introduction of consent managers is a good business opportunity for startups and established companies. However, the draft rules are unclear about a number of operational aspects. They are silent as to whether existing entities in the account aggregator ecosystem or other similar consent management initiatives can pivot to become consent managers under the DPDPA. There is no guidance as to whether companies providing other ancillary services, such as digital identity verification, may also operate consent manager platforms. This will require additional direction given the requirements that consent managers must have no conflicts of interest and be data-blind in their operations. Some obligations, such as requiring consent managers to act in a fiduciary capacity regarding data principals or independently certifying their platform, are ambiguous. The draft rules do not give sufficient information as to how these obligations are to be carried out.

The draft rules do not offer guidance on the monetisation models for consent managers. The lack of guidelines for service requirements and payment structures may result in a few players dominating the market. To scale effectively, consent managers will need a commercially viable business model. Some players are considering a per-consent charge but are cautious of possible pricing caps limiting growth and profitability.

Despite the DPDPA not yet being in force and the Data Protection Board yet to be established, industry players are already in the process of creating compliance protocols. As the Data Protection Board will have broad powers to suspend or cancel the registration of consent managers, clarity is needed to dispel ambiguity and facilitate growth and compliance in the consent manager ecosystem.

Ada Shaharbanu is a senior associate and Sean McDonald is a lawyer at Spice Route Legal.

Spice Route Legal
14th floor, Skav 909,
Lavelle Road, Ashok Nagar
Bengaluru, Karnataka 560025
Contact details:
E: contact@spiceroutelegal.com
