DPDP Rules 2025, Phase 2 (13 November 2026 for Consent Managers to register; no deadline for Data Fiduciaries to use Consent Managers). Category: CONSENT

Rule 4

Registration and Obligations of Consent Managers

Practical Note

Consent Managers are a new regulatory category unique to India — there is no GDPR equivalent. If you want to operate as a Consent Manager intermediary, you must register with the DPBI from November 2026. Data Fiduciaries are NOT required to use a Consent Manager — they can implement their own consent mechanisms directly under Act Section 6. Consent Managers are an optional interoperability layer for users who want centralised consent management across multiple platforms.

THE STATUTE

Original Text

(1) A Consent Manager shall be registered with the Board in accordance with such procedure and on payment of such fees as the Board may specify.

(2) The eligibility conditions for registration of a Consent Manager include —

(a) the applicant shall be a company incorporated in India;

(b) the applicant shall have a minimum net worth of two crore rupees;

(c) the applicant shall fulfil such technical, operational, financial, and other conditions as specified by the Board.

(3) A Consent Manager shall —

(a) act on behalf of and be accountable to the Data Principal;

(b) ensure that the platform through which it enables consent is accessible, transparent and interoperable;

(c) not discriminate between Data Principals on any basis including the ground of their choice of Consent Manager;

(d) maintain logs of all consent-related activities in such manner and for such period as the Board may specify.

Analysis & Details

Rule 4 creates the registration and compliance framework for Consent Managers — the novel intermediary category introduced by DPDP Act Section 6(9). A Consent Manager is a registered entity that acts as a centralised platform through which a Data Principal can give, manage, review, and withdraw consent across multiple Data Fiduciaries simultaneously. The concept draws inspiration from India's Account Aggregator framework (under RBI) which enables financial data portability through licensed aggregators.

To register as a Consent Manager, an entity must: (a) be incorporated in India as a company; (b) have a minimum net worth of ₹2 crore (approximately USD 225,000); (c) meet additional technical, operational, and financial conditions specified by the DPBI. Foreign companies (like OneTrust, TrustArc, and other international consent management platforms) cannot directly register as Consent Managers — they would need to incorporate an Indian subsidiary. This India-incorporation requirement is a significant regulatory barrier.

Once registered, Consent Managers have strict obligations: they must act in the Data Principal's interest (not the Data Fiduciary's), maintain interoperable platforms, not discriminate between users based on their choice of Consent Manager, and maintain comprehensive logs of consent activities. The accountability flows from Consent Manager to Data Principal — not to Data Fiduciaries. This creates a triangular relationship: Data Fiduciary ↔ Consent Manager ↔ Data Principal.

The technical interoperability requirement is critical for the Consent Manager ecosystem to function: if Consent Manager A cannot communicate with a Data Fiduciary that integrates with Consent Manager B, the entire consent portability purpose fails. The DPBI is expected to issue technical specifications for interoperability protocols.

GDPR Parallel

No direct GDPR equivalent (closest: Consent Management Platforms, industry-regulated)

IT Act Impact

Consent Managers operating as information intermediaries may also qualify as 'intermediaries' under IT Act Section 2(1)(w) — creating overlapping obligations under IT Act Section 79's safe harbour and due diligence rules in addition to DPDP Consent Manager obligations.

Common Queries

A Consent Manager is a registered intermediary that acts as a single centralised platform through which a Data Principal can give, manage, review, and withdraw consent across multiple Data Fiduciaries. Think of it like a privacy control dashboard — instead of managing consent settings separately on each app or website, a user could manage all consents through one Consent Manager platform. Consent Managers must register with the Data Protection Board of India (DPBI) from November 2026 and must be India-incorporated companies with a minimum net worth of ₹2 crore.
No — using a Consent Manager is optional, not mandatory, for Data Fiduciaries. They can implement their own consent mechanisms directly in compliance with Act Section 6 and Rule 3. Consent Managers are an optional interoperability layer for users who want centralised consent management. However, if a Data Principal requests to exercise rights through a Consent Manager, the Data Fiduciary must honour those requests.
Not directly. Rule 4 requires Consent Managers to be companies incorporated in India. Foreign companies operating consent management platforms would need to incorporate an Indian subsidiary to register as a Consent Manager. This India-incorporation requirement is a significant regulatory barrier for international players.
Rule 4 is effective from 13 November 2026 (Phase 2 of the DPDP Rules commencement). Consent Manager registration opens from this date. Businesses that want to operate as Consent Managers must be ready to register by November 2026.

Key Rules & Provisions

Minimum net worth: ₹2 crore — India-incorporated companies only.

Foreign consent management platforms (OneTrust, TrustArc, etc.) cannot directly register.

Consent Manager accountable to Data Principal — not to Data Fiduciary.

Interoperability requirement — technical protocols to be specified by DPBI.

Log maintenance mandatory — period and format to be specified by DPBI.