Consent Managers Under India’s Digital Personal Data Protection Act, 2023 (DPDP Act): Legal Framework, Obligations, Governance and Practical Implications

YAGAY and SUN

Consent Managers under DPDP Act 2023: neutral intermediaries powering user control, secure logs, and easy withdrawal of consent

India's Digital Personal Data Protection Act, 2023 establishes 'Consent Managers' as regulated intermediaries registered with the Data Protection Board to enable individuals to give, manage, review, and withdraw consent for personal data processing through transparent, interoperable platforms. They must remain neutral, meet prescribed technical and security standards, maintain detailed consent logs, ensure ease and immediacy of withdrawal, and provide grievance redressal via designated officers. Consent Managers complement, but do not replace, Data Fiduciaries' statutory duties and are directly accountable to the regulator, facing substantial penalties for security failures, bias, or non-compliance. Their effective functioning is central to user autonomy, scalable compliance, and reduced litigation risk under the DPDP Act. (AI Summary)

Abstract

The Digital Personal Data Protection Act, 2023 (DPDP Act) introduces a dedicated institutional mechanism known as the Consent Manager, a unique governance innovation designed to facilitate informed, granular, and revocable consent for personal data processing. With the exponential rise of data-driven services, intermediaries that enable transparent, auditable, and standardised consent are indispensable. This article examines the statutory basis, operational responsibilities, accreditation, rights, and duties of Consent Managers under the DPDP Act. It further analyses their practical role in India’s evolving data protection ecosystem and how businesses must adapt their compliance architecture.

1. Introduction

India’s DPDP Act, 2023 marks a foundational shift in the country’s data governance landscape by centralising consent as a core legal basis for the processing of digital personal data. A key innovation under the Act is the creation of regulated intermediaries known as Consent Managers, who act as neutral, accountable entities enabling individuals (Data Principals) to manage consent in a transparent manner.

The concept of a Consent Manager aligns with global best practices in data governance—similar to data intermediaries under the EU Data Governance Act and consent brokers in Australia—yet uniquely tailored to India's digital ecosystem. Their role is integral to ensuring that consent under the DPDP Act is free, specific, informed, unconditional, and unambiguous.

2. Statutory Basis of Consent Managers

The DPDP Act recognises Consent Managers as a distinct category of regulated entities. The relevant statutory references include:

  • Section 2(i): Defines a Consent Manager as a person registered with the Data Protection Board (DPB) who acts as a single point of contact for enabling Data Principals to give, manage, review, or withdraw consent through an accessible, transparent, and interoperable platform.
  • Section 6(7): Provides that a Data Principal may give, withdraw, review, or manage consent through a Consent Manager.
  • Section 22: Mandates registration and compliance obligations for Consent Managers, including accountability, grievance redressal and adherence to technical standards.

The Act envisions Consent Managers as trustworthy, neutral intermediaries who are technologically competent and legally accountable.

3. Functions of Consent Managers

Consent Managers play a multi-layered role in the data ecosystem:

3.1 Consent Facilitation

They enable:

  • submission of consent requests by Data Fiduciaries,
  • communication of consent to Data Principals,
  • recording consent and ensuring its traceability,
  • conveying Data Principals' decisions back to Data Fiduciaries.

3.2 Consent Withdrawal & Modification

The DPDP Act requires that withdrawal of consent be:

  • as easy as giving consent,
  • effective immediately, unless otherwise prescribed,
  • communicated simultaneously to all relevant parties.

Consent Managers must implement intuitive mechanisms to fulfil this obligation.

3.3 Transparency & Record Maintenance

Consent Managers maintain:

  • logs of consents,
  • logs of withdrawals,
  • verifiable proof for audit and compliance,
  • mechanisms to handle disputes and incorrect requests.

3.4 Interoperability

They must follow uniform technical standards to ensure seamless integration across platforms, ensuring equitable access regardless of service provider.

3.5 Grievance Redressal

Consent Managers must:

  • appoint Grievance Officers,
  • process complaints within prescribed timelines,
  • coordinate with the Data Protection Board if disputes arise.

4. Governance, Accreditation & Registration

Consent Managers must be registered with the Data Protection Board of India (DPB). Registration requires:

  1. Compliance with technical, organisational, and security standards notified by the Central Government.
  2. Demonstration of neutrality, i.e., they cannot privilege any particular Data Fiduciary.
  3. Robust data security infrastructure, including encryption, access control, and breach management processes.
  4. Interoperability Certification, ensuring compatibility with all DPDP-compliant systems.
  5. Audit readiness, with mandatory periodic third-party audits.

Consent Managers function under a licensing regime where non-compliance may lead to penalties, suspension, or cancellation of registration.

5. Rights of Data Principals vis-à-vis Consent Managers

Data Principals have the right to:

  • Submit consent through any Consent Manager of their choice.
  • Withdraw consent via the same or another Consent Manager.
  • Receive a clear, accessible record of their consent.
  • Know the purpose, category, and risks associated with data processing.
  • Access grievance redressal mechanisms in case of unauthorized consent processing.

The Consent Manager becomes the primary interface for asserting consent-based rights.

6. Obligations of Consent Managers

Consent Managers must adhere to:

6.1 Duty of Care

They must operate in the best interest of Data Principals and prevent misuse of personal data.

6.2 Data Security & Minimization

They may only process data necessary for facilitating consent and must avoid retaining data beyond required periods.

6.3 Accountability Framework

Consent Managers are directly accountable to the Data Protection Board, and indirectly to Data Fiduciaries and Data Principals.

6.4 High Standards of Transparency

They must publicly disclose:

  • data handling practices,
  • retention periods,
  • security mechanisms,
  • grievance redressal procedures.

7. Relationship Between Consent Managers & Data Fiduciaries

Consent Managers do not replace the legal obligations of Data Fiduciaries. Instead, they:

  • act as intermediaries for managing and recording consent,
  • provide unified interfaces for Data Principal choice,
  • ensure that Data Fiduciaries only process data after obtaining valid consent.

Data Fiduciaries remain responsible for:

  • lawful processing,
  • purpose limitation,
  • security safeguards,
  • data breach reporting,
  • honoring withdrawal of consent.

8. Importance of Consent Managers in the Indian Digital Ecosystem

8.1 Solving Consent Fatigue

In an era of constant pop-ups and multi-service data sharing, Consent Managers simplify and centralise consent interactions.

8.2 Enhancing User Autonomy

By enabling easy withdrawal and review, they strengthen user control over data.

8.3 Ensuring Compliance at Scale

For large enterprises and digital platforms, Consent Managers become essential for:

  • maintaining audit trails,
  • obtaining uniform consent,
  • demonstrating compliance to regulators.

8.4 Reducing Litigation Risk

Accurate consent documentation reduces disputes and liability.

9. Penalties Related to Consent Managers (DPDP Act)

Consent Managers can face penalties for:

  • failure to implement reasonable security safeguards,
  • breach of consent logs or unauthorised access,
  • violation of neutrality obligations,
  • non-compliance with DPB directives.

Penalties may extend into several hundred crores under the Act’s graded penalty mechanism.

10. Implementation Challenges & Future Directions

10.1 Lack of Technical Standards (Awaiting Government Notification)

Interoperability frameworks, certification requirements, and log formats are awaited.

10.2 Market Concentration Risks

Dominance by a few Consent Managers may reduce competition, requiring fair market oversight.

10.3 Consumer Awareness

Widespread literacy efforts will be needed for adoption.

10.4 Cross-Border Data Flows

Consent Managers must align with potential future rules on data transfers and localisation.

Conclusion

Consent Managers under the DPDP Act represent a transformative institutional mechanism to create transparency, reduce consent friction, and empower individuals. They sit at the intersection of technology, data governance, and regulatory compliance, strengthening India’s digital economy by making consent accessible, auditable, and enforceable. As India transitions toward full-scale implementation of the DPDP Act, the role of Consent Managers will become crucial for both individuals and Data Fiduciaries.

Frequently Asked Questions (FAQs)

1. What is a Consent Manager under the DPDP Act?

A Consent Manager is a registered entity that enables Data Principals to give, withdraw, or manage consent for their personal data through a transparent, interoperable platform.

2. Are Consent Managers mandatory under the DPDP Act?

No. Data Principals may use them, but they are not mandatory. Consent can also be directly given to Data Fiduciaries.

3. Who regulates Consent Managers?

The Data Protection Board of India (DPB) regulates and registers Consent Managers.

4. Can a Consent Manager access personal data?

They can access only the minimum data required to process the consent request. They cannot access or store unrelated personal data.

5. Is consent given through a Consent Manager valid?

Yes. Consent given or withdrawn through a Consent Manager is legally binding and equivalent to consent given directly.

6. How are Consent Managers different from Data Fiduciaries?

  • Consent Managers: handle consent management only.
  • Data Fiduciaries: process personal data for business purposes and bear primary compliance obligations.

7. Can Consent Managers charge users?

Possibly, but not in ways that restrict access. Policies will be governed by future rules and licensing terms.

8. Can a Data Fiduciary become a Consent Manager?

Potentially yes, but only if they are registered, neutral, and do not create conflicts of interest.

9. What happens if a Consent Manager fails to notify consent withdrawal?

They may face heavy penalties and suspension of registration.

10. Are Consent Managers similar to Account Aggregators?

Conceptually yes—both are data intermediaries—but they operate under different laws and serve different sectors.
