Disclaimer

By clicking, "I Accept" below, you accept and acknowledge the following:

The purpose of this website is to provide general information and insights about TLH, Advocates & Solicitors, and not to advertise or solicit work in any manner whatsoever.

Please note that as per the Bar Council of India Rules, advocates in India are prohibited from advertising or soliciting work in any form or manner. You acknowledge that you are visiting this website at your discretion and that there has been no solicitation, invitation, or inducement of any sort whatsoever from TLH, Advocates & Solicitors or any of its professionals in relation to this website.

The content available on this website does not constitute legal or other professional advice and should not be substituted for advice relevant to particular circumstances.

The access and use of this website does not establish any fiduciary or other relationship between you and TLH, Advocates & Solicitors or any of its advocates.

Please read the ‘Terms of Use’ and our ‘Privacy Policy’ before accessing this website.

I Accept
Blog default background
Blog
Corporate Law

Digital Personal Data Protection Act, 2023: What Consent Managers Mean for India’s Digital Economy

Authors:
Jeevana Vuppu
March 29, 2026
5 min read
Share this post
Copied!

Introduction

The notification of the Digital Personal Data Protection Rules, 2025 (“Rules”) on November 13, 2025, was accompanied by a government notification prescribing a timeline for the staggered implementation of the Digital Personal Data Protection Act, 2023 (“Act”) (together, the “DPDP Framework”). While several provisions relating to security safeguards, retention standards and grievance redressal have attracted immediate attention, the introduction of the Consent Manager framework requires particular attention. The Rules operationalise the Consent Manager framework in November 2026, creating a one-year window before a new, centralised consent mechanism becomes part of India’s digital infrastructure.

The Consent Manager Framework

A Consent Manager, as envisaged under the DPDP Framework, is an entity registered with the Data Protection Board of India, that provides a unified platform for Data Principals to review, provide, and withdraw consent to Data Fiduciaries, with respect to their personal data.[1] The framework is characterised by two features:

(a) First, Consent Managers are required to operate in an interoperable manner[2], which implies that individuals should be able to rely on a single Consent Manager to manage instructions across multiple platforms and services, irrespective of the sector or business model;

(b) Second, Consent Managers must remain ‘data-blind’, i.e., they are prohibited from interpreting or processing the personal data to which the consent relates.[3] Their function is restricted to conveying consent-related decisions, and they do not interpret or process the underlying personal data.

This architecture differs from most data protection regimes across the globe. In jurisdictions such as the EU, Singapore and Brazil, have not adopted such a centrally regulated consent intermediary system and continue to rely on individual data controllers or fiduciaries to manage consent directly.

Likely Market Participants as Consent Managers

While the DPDP Framework does not prescribe sectoral eligibility criteria for entities seeking registration as Consent Managers, it may be noted that certain categories of entities are more likely to take on this role since they already operate consent-based data sharing infrastructure on a large scale. One such example is Reserve Bank of India regulated account aggregators, whose framework already allows individuals to safely share their financial data between banks, lenders, and other financial institutions, based on explicit and revocable consent. They may therefore be considered a natural starting point for consent management platforms, particularly in the financial sector. Similarly, large e-commerce platforms, digital platforms, and fintech companies may also be well placed to act as Consent Managers, as they handle large volumes of data for user authentication and marketing permissions. Their existing technical infrastructure and compliance systems may make it easier for them to operate consent management platforms on a large scale.

Organisations that already act as intermediaries between individuals and multiple service providers, particularly in sectors such as finance, healthcare, telecommunications or digital commerce, may be better suited to operate as sector specific Consent Managers.

Operational Implications for Businesses

The operational implications of the DPDP Framework on businesses in India are substantial. Once Consent Managers begin to function as intermediaries, consent will no longer be collected solely inside each organisation’s own platforms. A considerable portion of consent related decisions will be routed externally through a standardised platform that will transmit consent related data to multiple Data Fiduciaries simultaneously. This operational change becomes particularly significant in cross-border data transfers, where consent collection and processing must comply with the data protection laws of more than one jurisdiction.

Cross-Border Data Transfer Implications

The use of Consent Managers may add a new layer to how organisations manage cross-border transfers of personal data. Under the DPDP Framework, personal data may generally be processed only with the consent of the Data Principal or for certain specified ‘legitimate uses’, such as compliance with law, employment purposes, or responding to emergencies[4]. In contrast, frameworks such as the EU General Data Protection Regulation permits processing on several additional grounds, including the performance of a contract[5] or the legitimate interests[6] of the controller. As a result, companies operating across different jurisdictions may encounter differences in the legal basis on which processing is undertaken.

These differences become particularly relevant where consent is given or managed through a Consent Manager and shared with multiple Data Fiduciaries located outside India. In such cases, organisations must ensure that any further processing of that data is done on the basis of consent or another permitted ‘legitimate use’ under the DPDP Framework. This may create practical challenges in cross-border transfers, because organisations in other jurisdictions may rely on different legal bases for processing personal data under their domestic laws, such as contractual necessity or legitimate interests. In this context, Consent Managers may act as the point through which consent signals originating from India are transmitted to multiple Data Fiduciaries outside India. Organizations receiving such consent must ensure that their processing remains consistent with the consent or legitimate use requirements under the DPDP Framework.

Conclusion

The Consent Manager framework represents one of the most innovative elements of India’s data protection law. If the system is implemented effectively, it has the potential to enhance transparency, promote user agency and create greater consistency in the manner in which consent is administered across platforms. Entities that already operate consent-based data sharing infrastructure at a large scale, such as Account Aggregators, large digital platforms and fintech intermediaries, may be better positioned to take on the role of Consent Managers, as their existing technical systems and regulatory experience allows them to integrate consent management functions more effectively.

At the same time, the introduction of Consent Managers may have broader implications for organisations that operate across jurisdictions. Where consent signals originating in India are transmitted to organizations outside India, they must ensure that subsequent processing of such data remains consistent with the consent or legitimate use requirements under the DPDP Framework. This may require organizations to revisit how consent is obtained and transmitted in a cross-border environment.

References

[1] Para 1, First Schedule, Part B, Digital Personal Data Protection Rules, 2025
[2] Para 9(a), First Schedule, Part A, Digital Personal Data Protection Rules, 2025
[3] Para 2, First Schedule, Part B, Digital Personal Data Protection Rules, 2025
[4] Section 4, Digital Personal Data Protection Act, 2023
[5] Regulation (EU) 2016/679, art. 6(1)(b), 2016 O.J. (L 119) 1 (EU)
[6] Regulation (EU) 2016/679, art. 6(1)(f), 2016 O.J. (L 119) 1 (EU)

No items found.

Footnotes

Share this post
Copied!

Latest posts

Corporate Law
March 29, 2026
Digital Personal Data Protection Act, 2023: What Consent Managers Mean for India’s Digital Economy
Read more
Arrow Right
Real Estate
March 28, 2026
Alienation of Property in SEZ Notified Areas: Legal Framework and Practical Difficulties
Read more
Arrow Right
Corporate Law
March 27, 2026
Breaking The Deadlock: Effective Exit Mechanisms in Shareholder Agreements
Read more
Arrow Right
Real Estate
March 25, 2026
An Analysis of Protected Tenancy Under the Telangana Tenancy and Agricultural Lands Act, 1950
Read more
Arrow Right
Real Estate
March 25, 2026
An Analysis of Transferable Development Rights in Telangana
Read more
Arrow Right
Real Estate
March 25, 2026
Applicability of Section 80 of the Telangana Endowments Act, 1987 to property held by Section 8 Companies
Read more
Arrow Right
View All Blogs
Arrow Right