Consent manager

From Justice Definitions Project

What is a 'consent manager'

A Consent Manager, under India’s Digital Personal Data Protection Act, 2023 (hereinafter referred to as DPDPA), is a person authorised by the government to help individuals manage how their personal data is collected, shared, and used by organizations. It acts as an intermediary between users and data processors, enabling people to give, refuse, or withdraw consent in a transparent and accessible manner.[1] The term 'consent manager' is examined here because of its inclusion in statutory provisions. However, an analysis of global best practices and developments in other jurisdictions reveals the potential to view consent managers through the broader framework of consent management systems, as both operate within a similar domain.[2]

Before the enactment of the Digital Personal Data Protection Act (DPDPA), 2023, various regulators and state governments in India had already introduced consent-based data sharing systems across key sectors. The Reserve Bank of India’s Account Aggregator (AA) framework in finance, the Health Information Exchange and Consent Manager (HIE CM) under the Ayushman Bharat Digital Mission (ABDM) in healthcare, TRAI’s Digital Consent Acquisition platform and TCCCPR, 2018 in telecom, and Karnataka’s e-Sahamati model are notable examples. While differing in scope and implementation, these frameworks reflect a shared commitment to empowering individuals with control over their data through structured, verifiable consent mechanisms.

The concept of a consent management framework in India emerged through the Personal Data Protection Bill, 2019[3] and the Data Empowerment and Protection Architecture (DEPA) in 2020.[4] These frameworks aimed to separate consent flow from data flow and promoted a user-centric approach to consent, reducing the need for repeated approvals from individuals across different service providers. The idea was to introduce intermediaries, Consent Managers, who would streamline consent processes sector-wise while ensuring data authenticity and security from the user’s perspective.

Official Definition of 'consent manager'

'Consent manager' as defined in legislation(s)

According to Section 2(g) of the DPDPA, 2023, “Consent Manager” means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.

Legal provision(s) relating to 'consent manager'

Digital Personal Data Protection Act (DPDP Act), 2023
Role and Functions under the DPDP Act, 2023

Under Section 6(7), (8), and (9), a Consent Manager allows the Data Principal (individual) to give, manage, review, or withdraw their consent for processing personal data. The Consent Manager is accountable to the Data Principal and must act on their behalf according to prescribed obligations. Consent Managers merely streamline the process; the responsibility for compliance with DPDP Act standards remains with the Data Fiduciary.

Reference is made to Section 6(7) of the DPDP Act, which stipulates, "The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager." The use of "may" indicates that Data Principals have the option to provide consent directly to Data Fiduciaries or via a Consent Manager. Every Consent Manager must be registered with the Data Protection Board and comply with specified technical, operational, financial, and other conditions.

Grievance Redressal Mechanism

As per Section 13, Data Principals have the right to grievance redressal from the Consent Manager regarding its duties related to personal data or the exercise of rights. The Consent Manager must respond within prescribed timelines, and the Data Principal must exhaust this grievance process before approaching the Data Protection Board.

Oversight by the Data Protection Board

Under Section 27, the Data Protection Board has the power to inquire into breaches by Consent Managers and impose penalties for violations of their obligations or registration conditions.

Rule-Making Power of the Central Government

Section 40 empowers the Central Government to make rules detailing the accountability and obligations of Consent Managers (under Section 6(8)) and the procedures and conditions for their registration (under Section 6(9)).

Draft Digital Personal Data Protection (DPDP) Rules, 2025
Registration and Obligations of Consent Manager

Rule 4 establishes the regulatory framework for Consent Managers (entities that facilitate the management of consent between individuals (Data Principals) and organizations (Data Fiduciaries) processing personal data).

Application for Registration

According to Rule 4(1), a person (who must be a company incorporated in India) wishing to act as a Consent Manager must apply to the Data Protection Board of India by submitting the required details and documents.

To be eligible for registration, the applicant must:

  • Be a company incorporated in India.
  • Have sufficient technical, operational, and financial capacity.
  • Have sound financial conditions and management integrity.
  • Possess a minimum net worth of ₹2 crore.
  • Have an adequate business volume, capital structure, and earning potential.
  • Be run by individuals with a reputation for fairness and integrity.
  • Have MoA and AoA provisions committing to critical obligations (like avoiding conflicts of interest and transparency), and such provisions must be modifiable only with prior Board approval.
  • Be certified as having an interoperable platform consistent with data protection standards.

Evaluation and Registration

According to Rule 4(2): Upon receiving the application, the Board will:

  • Scrutinize the fulfilment of conditions in Schedule I, Part A.
  • If satisfied, register the applicant as a Consent Manager and publish its details on the Board’s website.
  • If not, reject the application and provide reasons to the applicant.

Obligations of the Consent Manager

According to Rule 4(3): Once registered, the Consent Manager must comply with a set of ongoing obligations listed in Schedule I, Part B.

Obligations from Schedule I, Part B:

  • Enable Data Principals to give, manage, review, or withdraw consent either directly or through intermediaries.
  • Ensure that shared data is unreadable to the Consent Manager.
  • Maintain a comprehensive record of consents, notices, and data sharing, accessible to Data Principals and retained for at least seven years.
  • Provide services via a website or app.
  • Avoid subcontracting or delegating core responsibilities.
  • Ensure reasonable data security safeguards.
  • Act in fiduciary capacity towards Data Principals.
  • Prevent conflicts of interest (directorships, financial interests, etc.).
  • Disclose ownership and governance structure transparently.
  • Implement audit mechanisms and report findings to the Board.
  • Seek prior approval for control transfers (sale, merger, etc.).

Monitoring and Enforcement

According to Rule 4(4)-(6),

  • If the Board finds that a Consent Manager is not complying, it must:
    • Give an opportunity to be heard.
    • Notify the Consent Manager of violations and direct corrective action.
  • If violations persist or are severe, the Board may:
    • Suspend or cancel registration (after hearing and recording reasons).
    • Issue additional directions to safeguard Data Principals’ interests.
  • The Board may also call upon the Consent Manager to furnish information for regulatory purposes.

'Consent Manager' as defined in official government report(s)

The term “consent manager” has been discussed in the following reports:

NITI Aayog - Data Empowerment And Protection Architecture (Draft for Discussion), 2019

According to this draft on Data Empowerment and Protection Architecture released by NITI Aayog, the purpose of a consent manager is to manage a data principal’s consent for data sharing through an accessible, transparent and interoperable platform. In the future they could also help individuals and small businesses protect and enforce their data rights. In practice, Consent Managers in India operate by maintaining consent logs that define how personal data can be shared between data sources and authorized users. Importantly, they are data blind, meaning they facilitate data-sharing transactions without accessing, storing, or analysing the actual data. All consent authorisations are centralised within the individual’s account, while the data itself flows directly between the source and the intended recipient. This system supports account portability, which would allow individuals to switch between Consent Manager services with ease and ensure minimal dependency on a single service provider.[5]

Lok Sabha - Joint Committee on the Personal Data Protection Bill 2019[6]

According to Recommendation number 17[7] of this report released by the Lok Sabha, a consent manager is defined as “a data fiduciary which enables a data principal to give, withdraw, review and manage his consent through an accessible, transparent and interoperable platform.”

Clause 21(1) permits Data Principals to submit requests for exercising their rights either directly to the Data Fiduciary or through a Consent Manager, thereby formally recognizing the role of Consent Managers as intermediaries.[8]

Existing consent management frameworks

India has been actively experimenting with sector-specific consent management frameworks well before the enactment of the Digital Personal Data Protection Act (DPDPA), 2023. These frameworks, though varied in scope and design, reflect a common goal: empowering individuals with greater control over their data while facilitating secure, transparent, and accountable data exchange.

Reserve Bank of India’s Account Aggregator (AA) framework (2016)

India has already adopted similar frameworks in various sectors. In banking, the Reserve Bank of India’s Account Aggregator (AA)[9] model enables secure, consent-based sharing of financial data between Financial Information Providers (FIPs) and Financial Information Users (FIUs) through licensed NBFC-Account Aggregators regulated by the Reserve Bank of India. It facilitates encrypted, user-authorized data flows using standardized APIs, ensuring that individuals retain granular control over the access and use of their financial information.

National Digital Health Mission (2022)

In healthcare, the National Digital Health Mission[10] and the Draft Health Data Management Policy[11] define Consent Managers as digital systems that secure patient consent for access and exchange of personal health data. The Health Information Exchange and Consent Manager (HIE-CM)[12] under the Ayushman Bharat Digital Mission (ABDM) is a central component of India’s effort to build a secure, consent-based digital health ecosystem. It acts as a digital consent manager specifically for the healthcare sector. This ensures that personal health information is shared only with the explicit, informed, and time-bound consent of the patient. The HIE CM facilitates data exchange between Health Information Providers (HIPs) like hospitals and Health Information Users (HIUs) such as doctors or insurers, without storing or accessing the data itself. Instead, it functions as a data-blind intermediary, collecting, validating, and enforcing patient consent based on standardized protocols. This system empowers individuals with control over their health data and promotes interoperability across the digital health infrastructure.

Functionally, the HIE CM mirrors the role of a Consent Manager as defined under the Digital Personal Data Protection Act (DPDPA), 2023, acting on behalf of the data principal (in this case, the patient) to manage their consent preferences in a secure and transparent manner. It supports granular consent, allowing users to specify what data can be shared, for what purpose, and for how long. The implementation of the HIE CM demonstrates how sector-specific consent managers can operate within a federated data system, serving as a live example of user-centric data governance. By aligning with the broader framework proposed under the DPDPA, the HIE CM helps lay the groundwork for interoperable and rights-based consent management across sectors in India.

Telecom Regulatory Authority of India's Digital Consent Acquisition (2018)

The telecom sector, under TRAI’s 2018 regulations, has implemented the Digital Consent Acquisition (DCA) Platform for managing consumer consent related to promotional calls and messages. This system uses a common short code (127XXX) and a digital ledger to ensure transparency and verifiability of consent across access providers.[13]

While these sectoral frameworks share the core element of consent, their scope and objectives vary. For instance, Account Aggregators facilitate a broader exchange of financial data beyond personal data processing, unlike the DPDPA’s focus on managing consent specifically for personal data. Hence, although functionally similar, not all models deal exclusively with personal data or serve the same regulatory goals.

Telecom Commercial Communications Customer Preference Regulations (2018)

The Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018,[14] introduced by the Telecom Regulatory Authority of India (TRAI), was one of the earliest structured attempts in India to implement a robust consent management system in the digital space. Aimed at curbing unsolicited commercial communication, it mandates that telemarketers obtain explicit, informed, and verifiable consent from consumers before sending promotional messages or calls. To enforce this, the regulation uses Distributed Ledger Technology (DLT), ensuring that all consents are immutable, traceable, and auditable.

It gives users the right to revoke consent at any time, placing control over personal communication squarely in their hands. Importantly, telemarketers and entities involved in processing consent are data-blind intermediaries, as they facilitate the consent mechanism without accessing or exploiting the actual communication content or personal data. In this way, the TCCCPR, 2018, lays the foundational principles of consent management such as user autonomy, transparency, and accountability, which later informed broader data protection initiatives like the Consent Manager framework under the Digital Personal Data Protection Act (DPDPA), 2023.[15] Building on these efforts, the digital consent pilot has been launched to bring the framework to life, offering a practical glimpse into how it is expected to operate in everyday, real-world scenarios.

Karnataka e-Sahamati

Karnataka’s e-Sahamati[16] is a digital consent framework designed to facilitate secure and transparent data sharing between individuals and service providers. It functions by allowing data principals (individuals) to grant or revoke consent for access to their personal data through a standardized, technology-driven platform. Built in line with the Account Aggregator model, e-Sahamati enables consent to be granular, time-bound, and purpose-specific. This ensures that data sharing happens only with the individual's explicit approval. By acting as a bridge between data fiduciaries (such as banks or telecom companies) and users, the system empowers citizens with control over their data while enabling smoother, faster delivery of services across sectors.

International Experience

India’s Consent Manager framework under the Digital Personal Data Protection Act (DPDPA), 2023, introduces a centralized, regulated approach to consent management that stands in contrast to global models like the EU’s General Data Protection Regulation (GDPR)[17] and California’s Consumer Privacy Act (CCPA).[18] While GDPR and CCPA place the responsibility of managing consent directly on businesses, often through unregulated consent management platforms (CMPs), India’s DPDPA establishes Consent Managers as registered intermediaries who facilitate consent handling between data principals and data fiduciaries. This shift from market-led solutions to a state-regulated trust framework reflects India’s intent to ensure transparency.

One of the defining features of the Indian model is the regulatory rigor imposed on Consent Managers. They are required to be registered with the Data Protection Board (DPB) and demonstrate adequate financial, operational, and technical capacity. Also, they are subject to ongoing regulatory audits and oversight, ensuring accountability and minimizing the risk of misuse. This is a marked departure from GDPR and CCPA, where CMPs function merely as service providers to businesses without any legal obligation to register or comply with standardized governance benchmarks.

Another significant innovation in the DPDPA is its mandate for interoperability and cross-sectoral integration. Consent Managers must provide a standardized, interoperable platform capable of managing consent seamlessly across diverse domains such as finance, healthcare, e-commerce, and social media. This holistic approach is modeled on India’s Account Aggregator (AA) system, which enables users to control access to their financial data across institutions through a single interface. Unlike the DPDPA, neither the GDPR nor the CCPA imposes a legal requirement for such interoperability. While some GDPR-compliant CMPs permit limited consent preference sharing, they lack a unified, legally enforceable infrastructure.

International models similar to consent managers

Interactive Advertising Bureau (IAB) Europe: Transparency & Consent Framework (TCF)

IAB Europe’s Transparency & Consent Framework (TCF),[19] most recently updated in 2023, is a widely adopted standard in the digital advertising industry. It legally recognizes Consent Management Platforms (CMPs) as independent entities rather than just software tools. These CMPs act as intermediaries between three key stakeholders: publishers (websites), end users (data subjects), and vendors (such as ad tech providers). Their core functions include ensuring user transparency, collecting and managing user consent and objections, transmitting consent signals to relevant parties, and helping establish the legal basis for data processing. To maintain accountability, CMPs must comply with IAB’s strict audit mechanisms; serious violations can lead to suspension. Notably, CMPs do not make decisions about how data is used; they simply manage and relay consent signals.

UK: Information Commissioner’s Office (ICO)

The UK does not enforce a formal framework for CMPs but promotes the use of internal tools that enhance user autonomy and transparency. The Information Commissioner’s Office (ICO)[20] encourages data fiduciaries (organizations) to implement privacy dashboards and similar mechanisms that allow users to review, modify, or revoke their consent preferences at any time. This model decentralizes consent management by placing responsibility within each organization rather than relying on third-party CMPs.

Germany: Telecommunications and Telemedia Data Protection Act (TTDSG) and Personal Information Management Services (PIMS)

Germany’s approach to consent management was significantly strengthened with the enactment of the TTDSG in 2021.[21] This law introduced PIMS[22], centralized platforms that enable users to manage their cookie preferences and data-sharing settings across multiple websites. Websites can access these user-defined settings, which enhances user control and simplifies the consent process.

France: Commission Nationale de l’Informatique et des Libertés (CNIL): General Data Protection Regulation (GDPR)-Compliant Cookie Consent Rules

France’s data protection authority, the CNIL,[23] mandates strict compliance with the GDPR in matters of cookie consent. The CNIL requires that consent must be explicit, fully informed, and freely given. Pre-checked boxes or vague language are not allowed. Users must be able to easily revoke their consent, and websites must provide clear and accessible consent logs.

Brazil: Lei Geral de Proteção de Dados (LGPD)

In Brazil, the Autoridade Nacional de Proteção de Dados (ANPD) oversees consent management under the Lei Geral de Proteção de Dados (LGPD), which positions consent as one of the primary legal bases for processing personal data. The LGPD requires that consent be explicit, informed, and freely given, and individuals must be able to revoke it as easily as it was granted. The ANPD provides regulatory guidance on best practices for obtaining and managing consent, monitors compliance, and holds the authority to investigate violations and impose sanctions. This framework emphasizes user autonomy and aims to ensure that data subjects maintain meaningful control over how their personal data is collected and used.

Japan: Act on the Protection of Personal Information (APPI)

In Japan, the Personal Information Protection Commission (PPC) governs consent-related issues under the Act on the Protection of Personal Information (APPI). Unlike Brazil’s consent-centric approach, Japan’s model relies more on the principles of purpose limitation and prior notification to data subjects. Consent is not required for most general data processing activities unless the data involves sensitive personal information or is being transferred overseas. In such cases, the PPC mandates clear, informed consent and provides detailed guidance to ensure compliance. The PPC also conducts audits, issues administrative orders, and promotes accountability through a framework that balances regulatory oversight with business flexibility.

Research that engages with “Consent Manager”

This section gives an overview of the research that has been conducted on the concept of consent manager within the Indian justice context by non-government bodies such as academic institutions, research organisations, CSOs, think tanks and other such bodies.

The Future of Data Protection in India: A Roadmap for Regulators (DSCI NASSCOM)

This research report by DSCI, titled The Future of Data Protection in India: A Roadmap for Regulators, extensively discusses the concept of consent managers within the broader framework of India’s evolving data protection landscape, emphasizing their potential role across industries beyond the current sectoral models. It analyzes global best practices and recommends practical operational guardrails for consent managers under the DPDPA.[24]

The recommendations aim to refine the regulatory framework for personal data breach reporting under the DPDPA. First, it is suggested that personal data breaches be clearly distinguished from unauthorized processing to avoid confusion and double penalties. The Central Government and the Data Protection Board should adopt this separation both in rule-making and adjudication. Second, a risk-based approach should be used in breach reporting, focusing only on breaches that pose a significant risk to individuals. This would allow data fiduciaries to allocate resources more efficiently and ensure that penalties are proportionate to the actual harm caused. Best practices from jurisdictions like Singapore, Brazil, and the EU should be referred to for clear procedures, including breach thresholds, notification timelines, and content requirements.

Furthermore, the report proposes a phased reporting mechanism to reduce the compliance burden, allowing initial notification followed by complete information as it becomes available, similar to frameworks under the GDPR, ANPD in Brazil, and PPC in Japan. Lastly, harmonizing sectoral regulations is emphasized to avoid overlaps and compliance confusion. Since industries like finance and healthcare are already governed by sector-specific cybersecurity and privacy standards, the DPDPA should adopt an approach like that of South Korea, Singapore, or the EU by issuing sector-specific guidelines or ensuring consistency among regulatory frameworks. This will support better compliance and reduce legal uncertainties for data fiduciaries operating across multiple regulatory regimes.

Privacy and Data Protection in India (Nishith Desai Associates)

The report released by Nishith Desai Associates, titled Privacy and Data Protection in India, explores consent management as a critical element of data protection. It elaborates on consent managers as intermediaries facilitating data principal empowerment and compliance under Indian law. It builds on official texts by offering comparative insights from international regulatory regimes, stressing the need for clear definitions and accountability mechanisms for consent managers.[25]

Managing Consent Under India's New Data Protection Law (S&R Associates)

This research released by S&R Associates, titled Managing Consent Under India's New Data Protection Law, builds on the operational and legal implications of implementing consent managers under the DPDP Act, 2023. It explores their accountability mechanisms, interoperability challenges, and potential linkage with internal CMPs. The analysis also anticipates regulatory gaps and future rulemaking around consent coordination and compliance responsibilities.[26]

Consent Managers for NBFCs Implementation Challenges and Other Issues (Vinod Kothari Consultants Pvt. Ltd.)

The report by Subhojit Shome and Archisman Bhattacharjee, titled Consent Managers for NBFCs Implementation Challenges, examines the role, implementation challenges, and legal uncertainties surrounding Consent Managers under the Digital Personal Data Protection Act 2023, particularly in the context of NBFCs (Non-Banking Financial Companies). While the Act introduces Consent Managers to help individuals manage their data consents, onboarding them is not mandatory. An important concern is the ambiguous relationship between Data Fiduciaries and Consent Managers, interpreted as principal-to-principal rather than agent-based. This raises accountability questions. Although Consent Managers can enhance transparency and enforce meaningful consent, issues like overlapping regulatory requirements from the RBI, identity verification hurdles, lack of clarity on umbrella consents, and communication gaps complicate implementation. The report urges the government to frame clear operational rules for Consent Managers, suggesting they could become public infrastructure like ONDC if their role is properly defined and regulated.[27]

Critical Analysis Of The Proposed Digital Personal Data Protection (DPDP) Rule 2025 Regime In India (Dhir & Dhir Associates)

The report titled Critical Analysis Of The Proposed Digital Personal Data Protection (DPDP) Rule 2025 Regime In India, released by Dhir & Dhir, addresses the evolution and implementation of India’s data protection regime, beginning with the judicial recognition of privacy as a fundamental right in K.S. Puttaswamy v. Union of India and culminating in the enactment of the Digital Personal Data Protection Act, 2023. It reviews the progression from the Justice B.N. Srikrishna Committee's recommendations to various legislative drafts and highlights the government's ongoing efforts to operationalize the law, particularly through the release of the draft Digital Personal Data Protection Rules in 2025. The report examines key rules relating to definitions, consent mechanisms, fiduciary obligations, data breaches, grievance redress, and cross-border transfers, noting several areas that require clarification and refinement.

The report suggests expanding definitional clarity, especially around terms like data processors and anonymized data, and recommends adopting structured model formats for notices, consent withdrawal, and breach reporting. It calls for the introduction of a shared responsibility model for data intermediaries, stricter safeguards for sensitive data, and clearer standards for verifying consent in the case of minors and persons with disabilities. It also proposes tiered compliance frameworks for entities of varying sizes, stronger data retention protocols, clear appellate remedies for consent managers, and alignment with global best practices for cross-border data transfers. Overall, the report aims to ensure that the rules uphold individual rights while enabling practical and effective implementation by stakeholders.[28]

Challenges

The following challenges[29] can be anticipated:

1. Ambiguity in Legal Status and Role Clarity

The DPDPA defines Consent Managers broadly as a "person" registered with the Data Protection Board, but fails to clarify whether this includes individuals, firms, digital platforms, or institutions. This lack of precision leads to legal ambiguity, making it unclear what entities can qualify as CMs and how they are to be governed. The respective responsibilities of CMs and Data Fiduciaries, especially in handling disputes and ensuring consent is honored, are not clearly separated. This can lead to blame-shifting and gaps in accountability. A joint responsibility or co-regulatory framework may be necessary to ensure users' rights are protected effectively.

2. Lack of Operational and Regulatory Framework

The Act provides minimal guidance on how CMs should function. Aspects like their responsibilities, consent withdrawal procedures, and compliance expectations are left undefined. The DPDPA mandates CM registration but lacks clarity on the governance mechanisms that will regulate their operations. Unlike the RBI’s detailed oversight of Account Aggregators, there is no mention of licensing standards, data security requirements, or audit obligations for CMs. This could undermine the credibility of the CM ecosystem. If consent management is not effectively integrated with internal compliance and data handling systems, there’s a risk that data may be processed in ways inconsistent with user consent. This discrepancy could lead to privacy violations and liability for all parties involved.

3. Inadequate Grievance and Communication Mechanisms

Although Section 6(8) mandates that CMs act in the best interest of Data Principals and address grievances, there is no structured process or regulatory standard for how complaints should be handled. This weakens the accountability mechanism. Two-way communication between Data Principals, Consent Managers, and Data Fiduciaries is critical, especially when a user withdraws consent or requests data deletion. However, there is no requirement for real-time feedback or explanations (e.g., when data can’t be deleted due to legal obligations).

4. Centralization Risks and User Autonomy

The current framework hints at a centralized model of managing consent through a single platform or entity. Centralization introduces significant risks, such as creating attractive targets for cyberattacks, increasing the potential for mass data breaches, and concentrating power in the hands of a few players. International privacy authorities and academic literature strongly caution against centralized storage, instead advocating decentralized systems for better security, performance, and resilience. Without a user-centric interface or clearly defined standards for switching service providers, the CM system could limit individual control over data. If users face barriers in withdrawing consent or changing providers, it could erode trust and hinder the intended purpose of empowering Data Principals.

5. Conflicts of Interest and Accountability Gap

If CMs also offer allied services or rely financially on Data Fiduciaries, their neutrality could be compromised. Without safeguards, CMs might prioritize the interests of paying entities over those of Data Principals. This can lead to reduced trust in the consent framework. The absence of clearly defined duties, oversight mechanisms, and enforceable accountability standards for CMs creates gaps that could be exploited or lead to inconsistencies in implementation.

Way Ahead

The DPDPA 2023 introduces a centralized, cross-sector consent manager model accountable to data principals, unlike global practices where consent management is typically sector-specific or internally handled. This raises concerns about conflicts with existing frameworks such as RBI’s Account Aggregator, ABDM’s Health Information Exchange, TRAI’s telecom proposals, and Karnataka’s e-Sahamati. To prevent overlap, the legislation should avoid rigid technical mandates and allow sectoral regulators to create context-specific guidelines. If a unified model is intended, delegated legislation must clearly define consent managers as distinct legal entities to ensure clarity and regulatory consistency. Acknowledging real-world industry practices, such as Germany’s Personal Information Management Services or Brazil’s consent tools, and permitting contractual accountability to data fiduciaries can better align with operational realities. Drawing from global standards like IAB’s Transparency and Consent Framework, the UK ICO’s guidance, and CNIL’s cookie rules, the DPDPA should establish technical standards that promote interoperability, user control, and effective compliance.

Related terms

Consent Managers as proposed under the Digital Personal Data Protection Act (DPDPA) are conceptually similar to Consent Management Platforms (CMPs) widely recognized globally, which collect, manage, and relay user consent across services. In the Indian sectoral context, terms like Account Aggregators (in banking and finance) and Health Information Exchange Managers (in health data ecosystems like ABDM) serve as analogous entities that facilitate controlled data sharing with user consent, functioning as intermediaries between data principals and service providers.

References

  1. LEXOLOGY, https://www.lexology.com/library/detail.aspx?g=bd52c6d6-880b-483a-a1c8-7e36eeed3669 (last visited Jun. 16, 2025).
  2. CONCUR, https://blog.concur.live/business-requirement-document-for-consent-management-under-the-dpdp-act-2023/ (last visited Jul. 13, 2025).
  3. Personal Data Protection Bill, 2019, No. 373, Acts of Parliament, 2019 (India).
  4. Anna Roy, Niti Aayog, Govt. of India, “Draft Data Empowerment and Protection Architecture” (2020), 5-15, available at: https://www.niti.gov.in/sites/default/files/2023-03/Data-Empowerment-and-Protection-Architecture-A-Secure-Consent-Based.pdf
  5. Supra at 3
  6. P.P. Chaudhary, Lok Sabha, Govt. of India, “Report of the Joint Committee on the Personal Data Protection Bill 2019” (2021), available at: https://drive.google.com/file/d/1emcAB8HjE2oCC_DI6zR5YPnPQ5iwwwCT/view?ref=static.internetfreedom.in
  7. Id. at 52
  8. Id. at 83
  9. DEPARTMENT OF FINANCIAL SERVICES, https://financialservices.gov.in/beta/en/account-aggregator-framework (last visited Jun. 16, 2025).
  10. MAKE IN INDIA, https://www.makeinindia.com/national-digital-health-mission (last visited Jun. 16, 2025).
  11. NASSCOM COMMUNITY, https://community.nasscom.in/index.php/communities/policy-advocacy/call-inputs-draft-health-data-management-policy-20 (last visited Jun. 16, 2025).
  12. MINISTRY OF HEALTH AND FAMILY WELFARE, https://mohfw.gov.in/?q=pressrelease-87 (last visited Jun. 16, 2025).
  13. Telecom Regulatory Authority of India (TRAI), Govt. of India, Direction regarding implementation of Digital Consent Acquisition (DCA) under TCCCPR 2018, available at: https://www.trai.gov.in/sites/default/files/2024-08/PR_No.50of2023.pdf; TRAI, Direction under section 13, read with sub-clauses (i) and (v) of clause (b) of sub-section (1) of section 11, of the Telecom Regulatory Authority of India Act, 1997 (24 of 1997) regarding implementation of Digital Consent Acquisition under Telecom Commercial Communications Customer Preference Regulations, 2018 (6 of 2018), available at: https://www.trai.gov.in/direction-under-section-13-read-sub-clause-i-and-v-clause-b-sub-section-1-section-11-telecom-1
  14. TRAI, https://trai.gov.in/tcccpr (last visited Jun. 21, 2025).
  15. AZB Partners, https://www.azbpartners.com/bank/trai-notifies-the-telecom-commercial-communication-customer-preference-regulation-2018/ (last visited Jun. 21, 2025).
  16. Karnataka e-Sahamathi Framework, https://esahamathi.karnataka.gov.in/ (last visited Jun. 21, 2025).
  17. EUROPEAN COMMISSION, https://commission.europa.eu/law/law-topic/data-protection/legal-framework-eu-data-protection_en (last visited Jun. 21, 2025).
  18. STATE OF CALIFORNIA - OFFICE OF ATTORNEY GENERAL, https://oag.ca.gov/privacy/ccpa
  19. IAB (Interactive Advertising Bureau), Transparency & Consent Framework (TCF) Policies, available at: https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/ (last visited Jun. 21, 2025).
  20. INFORMATION COMMISSIONER’S OFFICE, https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/the-right-to-beinformed/what-methods-can-we-use-to-provide-privacy-information/#how3 (last visited Jun. 21, 2025).
  21. SCIENCE DIRECT, https://www.sciencedirect.com/science/article/pii/S1752928X24000362 (last visited Jun. 21, 2025); Telecommunications-Telemedia Data Protection Act, https://www.gesetze-im-internet.de/ttdsg/TTDSG.pdf
  22. BLOG E-PRIVACY, https://blog.eprivacy.eu/?p=2230 (last visited Jul. 15, 2025).
  23. SECURE PRIVACY, https://secureprivacy.ai/blog/cnil-cookie-guidelines (last visited Jun. 22, 2025).
  24. DSCI, “The Future of Data Protection in India: A Roadmap for Regulators, Part 1” 42-62, available at: https://www.dsci.in/files/content/knowledge-centre/2023/Part%20I%20-%20The%20Future%20of%20Data%20Protection%20in%20India%20Report%202023.pdf (last visited Jun. 21, 2025).
  25. Nishith Desai Associates, “Privacy and Data Protection in India”, https://nishithdesai.com/fileadmin/user_upload/pdfs/Research_Papers/Privacy-and-Data-Protection-in-India.pdf (last visited Jun. 21, 2025).
  26. S&R Associates, https://www.snrlaw.in/wp-content/uploads/2023/09/SR-Data-Yes-Means-Yes-Managing-Consent-Under-Indias-New-Data-Protection-Law.pdf (last visited Jun. 21, 2025).
  27. Subhojit Shome & Archisman Bhattacharjee (Vinod Kothari Consultants Private Limited), Consent Managers for NBFCs: Implementation Challenges and Other Issues, 05/07/24, available at: https://vinodkothari.com/wp-content/uploads/2024/07/Consent-Managers-for-NBFCs-1.pdf
  28. MONDAQ, https://www.mondaq.com/india/privacy-protection/1609914/critical-analysis-of-the-proposed-digital-personal-data-protection-dpdp-rule-2025-regime-in-india (last visited Jul. 15, 2025).
  29. Anandaday Misshra, Amlegals, “Suggestions Part 1 to Meity on Consent Manager” 2-8, available at: https:/dep/dpo-india.com/Resources/privacy_laws_in_India/Suggestions-MEITY-Consent-Manager-Draft-DPDP-Rules,2025.pdf