DPDP Act 2023

Section 19

Consent Manager

THE STATUTE

Original Text

(1) A Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. (2) A Consent Manager shall be accountable to the Data Principal and shall act on behalf of the Data Principal and enable the Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform. (3) The Consent Manager shall maintain a log of all consent artefacts in such manner and for such duration as may be prescribed.

Simplified

[DPDP Rules 2025 — Rule 4 and First Schedule operationalise this section; Rule 4 in force 13 Nov 2026]

Section 19 establishes the regulatory framework for Consent Managers — the DPDP Act's most novel institutional innovation with no direct GDPR equivalent. A Consent Manager is a registered intermediary that sits between Data Principals and multiple Data Fiduciaries, providing a unified dashboard for managing consent across all the platforms and services a person uses.

The practical vision: instead of managing separate privacy settings on twenty different apps and websites — each with different consent flows, different withdrawal mechanisms, and different data sharing arrangements — a Data Principal would use a single registered Consent Manager platform to see all their consents, modify them, and withdraw them in one place.

Three core obligations apply.

First, registration with the Board under prescribed technical, operational, and financial conditions — the Consent Manager must be authorised before it can operate, preventing unregulated entities from positioning themselves as consent intermediaries.

Second, accountability to the Data Principal and acting on their behalf — the Consent Manager is explicitly the Data Principal's agent, not the Data Fiduciary's. This is architecturally important: the Consent Manager's loyalty runs to the individual, not to the platforms whose data processing it facilitates.

Third, maintaining a log of all consent artefacts — records of when consent was given, in what form, for what purpose, and any withdrawals. This log is the evidence base for consent disputes between Data Principals and Data Fiduciaries.

The interoperability requirement means Consent Manager platforms must be able to interface with any Data Fiduciary's consent systems — a significant technical standardisation challenge that the DPDP Rules and Board regulations will need to address.

The Consent Manager framework could become the backbone of India's digital consent infrastructure — analogous to the Account Aggregator framework in financial services.

Common Queries

A Consent Manager is a registered intermediary that gives Data Principals a single platform to manage all their data consents across multiple services. India needs Consent Managers because the average person interacts with dozens of digital platforms, each requiring separate consent management — making unified control practically impossible without an intermediary.
The Data Protection Board of India. Consent Managers must register with the Board and comply with prescribed technical, operational, and financial conditions. The Board can investigate and penalise non-compliant Consent Managers.
No. A Data Processor processes data on behalf of a Data Fiduciary. A Consent Manager acts on behalf of the Data Principal — helping them manage consent. Their accountability runs in opposite directions.
This would create a fundamental conflict of interest — the Consent Manager's accountability runs to the Data Principal, not the platform. The DPDP Rules are expected to address whether combined roles are permitted and what conflict-of-interest safeguards would apply.

Legal Context

The Consent Manager concept was developed from the Account Aggregator (AA) framework in financial services, where RBI-licensed intermediaries enable customers to share financial data across institutions with granular consent controls. The DPDP Act generalises this model to all personal data. The framework draws on India's experience with the Data Empowerment and Protection Architecture (DEPA) initiative, which explored consent-based data sharing infrastructure.

Key Rules & Provisions

Unique innovation — no GDPR equivalent; closest analogy is the Account Aggregator model in Indian financial services.

Consent Manager is accountable to Data Principal, not Data Fiduciary — principal loyalty is explicit.

Consent artefact logs create a verifiable audit trail for consent disputes.

Interoperability requirement will require technical standardisation across all Data Fiduciary consent systems.

Rule 4 (DPDP Rules 2025, in force 13 Nov 2026): registration requires Indian incorporation, ₹2 crore minimum net worth, Board-certified interoperable platform.

First Schedule Part B: Consent Manager must be data-blind — cannot read contents of data it routes.

First Schedule Part B: 7-year consent artefact log retention; machine-readable access for Data Principals.

First Schedule Part B: strict conflict-of-interest rules — no financial interests >2% in any onboarded Data Fiduciary.

Change of control requires Board pre-approval.

Related Case Laws

RBI Master Directions on Account Aggregators (2021)

RBI/DNBR/2016-17/49 Master Direction
RELEVANCE

The RBI's Account Aggregator framework — which Section 19's Consent Manager provision directly mirrors — has already established the legal and technical architecture for consent-based data sharing in financial services. Rule 4 of the DPDP Rules 2025 and the First Schedule adapt this proven model to all personal data.