DPDP Consent Manager Registration: Who Needs It and How to Apply
Most companies do not need to register. Who does, the 13 November 2026 deadline, the Rs 2 crore net worth test, and what Sections 6(7) to 6(9) require.
On This Page
- What Sections 6(7), 6(8), and 6(9) Actually Say
- What Is a Consent Manager Under the DPDP Act?
- Consent Manager vs Consent Management Platform
- The November 2026 Deadline
- Eligibility Conditions for Consent Manager Registration
- 1. Indian Incorporation
- 2. Sufficient Technical, Operational, and Financial Capacity
- 3. Sound Financial Condition and Management
- 4. Minimum Net Worth of Rs 2 Crore
- 5. Adequate Business Volume, Capital Structure, and Earnings Prospects
- 6. Directors and KMP of Good Character
- 7. MOA and AOA Provisions
- 8. Operations in the Interest of Data Principals
- 9. Independent Certification
- Step-by-Step: The Registration Process
- Step 1: Prepare the Application
- Step 2: Submit to the Data Protection Board
- Step 3: Board Inquiry
- Step 4: Registration Decision
- Step 5: Ongoing Compliance
- Ongoing Obligations After Registration (Part B of First Schedule)
- Record-Keeping
- Independence and Conflict-of-Interest
- Interoperability
- Transparency and Accountability
- Who Should Consider Registering?
- How Data Fiduciaries Should Prepare for Consent Managers
- What Data Fiduciaries Should Do Now
- Common Mistakes to Avoid
- Timeline: What to Do Over the Next Five Months
- Assessing Your Readiness
The Digital Personal Data Protection Act, 2023 introduces a new category of regulated entity that did not exist under India’s previous data protection regime: the Consent Manager. Under Sections 6(7) to 6(9) of the Act and Rule 4 of the DPDP Rules 2025, any entity that wants to operate as a Consent Manager must register with the Data Protection Board of India before 13 November 2026.
The short answer: if your organisation collects consent from its own users for its own processing, you are a Data Fiduciary, not a Consent Manager, and registration does not apply to you. What you need is consent management software. Registration applies to the narrow set of entities that want to operate as cross-platform consent intermediaries. The rest of this article sets out both tracks.
What Sections 6(7), 6(8), and 6(9) Actually Say
Four provisions carry the entire Consent Manager regime. The definition sits in Section 2(g). The operative duties sit in Section 6.
- Section 2(g) defines the entity: a Consent Manager is “a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.”
- Section 6(7) creates the route for individuals: “The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.”
- Section 6(8) fixes accountability: “The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed.”
- Section 6(9) creates the registration mandate: “Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.”
The prescribed conditions referenced in Sections 6(8) and 6(9) arrived with the DPDP Rules 2025: Rule 4 and the First Schedule set the eligibility bar and the ongoing obligations covered below.
This article explains exactly who needs to register, the eligibility conditions, the registration process, ongoing obligations, and the critical difference between a statutory Consent Manager and a consent management software platform.
What Is a Consent Manager Under the DPDP Act?
Section 2(g) of the DPDP Act defines a Consent Manager as a person registered with the Data Protection Board who acts as a single point of contact to enable a Data Principal to:
- Give consent to Data Fiduciaries through a unified interface
- Manage existing consents across multiple services
- Review what consents are active and what data is being processed
- Withdraw consent from one or more Data Fiduciaries simultaneously
The concept draws from NITI Aayog’s 2020 Data Empowerment and Protection Architecture (DEPA) framework and the Account Aggregator model already operational in India’s financial sector. A Consent Manager is a consent intermediary: it sits between Data Principals (individuals) and Data Fiduciaries (organisations processing data), giving individuals a single dashboard to control their data-sharing preferences across platforms.
Key statutory provision: Under Section 6(8), the Consent Manager is accountable to the Data Principal, not to any Data Fiduciary. This fiduciary duty to the individual is foundational to the entire regulatory design.
Consent Manager vs Consent Management Platform
This is where most organisations get confused. The DPDP Act uses “Consent Manager” as a specific legal term for a registered intermediary entity. It is not the same as a consent management platform (CMP), the software tools that Data Fiduciaries use to collect, store, and manage consent from their own users.
| Aspect | Consent Manager (DPDP Act) | Consent Management Platform (CMP) |
|---|---|---|
| Legal status | Registered entity under Section 6(9) | Software product / SaaS tool |
| Registration | Must register with DPB | No registration required |
| Accountable to | Data Principal (individual) | Data Fiduciary (client company) |
| Function | Cross-platform consent intermediary | Single-organisation consent collection and management |
| Net worth | Rs 2 crore minimum | No statutory requirement |
| Who uses it | Individuals managing consents across services | Companies managing consent from their own users |
| Examples | Account Aggregator-style entity | ConsentOS, OneTrust, CookieYes |
The distinction in plain terms: If your organisation is a Data Fiduciary looking for software to manage consent from your users, you need a consent management platform, not Consent Manager registration. If you want to build a cross-platform consent intermediary that individuals use to manage their consents across multiple services, you need DPB registration as a Consent Manager. The full Consent Manager vs CMP comparison works through the statutory provisions, the penalty exposure on each side of the line, and three decision scenarios.
The November 2026 Deadline
The DPDP Act and DPDP Rules 2025 are being implemented in phases. Consent Manager provisions fall under Phase II, effective 12 months from the notification date:
| Phase | Effective Date | What Comes into Force |
|---|---|---|
| Phase I | 13 November 2025 | Data Protection Board of India setup, institutional framework |
| Phase II | 13 November 2026 | Consent Manager registration mandatory; Section 6(9) and Rule 4 obligations in force |
| Phase III | TBD (expected May 2027) | Full DPDP enforcement, penalties up to Rs 250 crore per incident |
Any entity operating as a Consent Manager after 13 November 2026 without DPB registration will be in violation of Section 6(9). That violation falls in the residual penalty tier of the Act’s Schedule, up to Rs 50 crore per instance. Operating without registration is not a viable strategy.
Several large incumbents, including major IT services and telecom players, are preparing to pursue Consent Manager registration as neutral cross-sector intermediaries. For a Data Fiduciary, this does not change the obligation. It makes interoperability the requirement: your consent systems must be ready to exchange grant, review, and withdrawal signals with whichever registered Consent Managers your Data Principals choose to use.
Eligibility Conditions for Consent Manager Registration
Part A of the First Schedule to the DPDP Rules 2025 sets out nine conditions that an applicant must satisfy. The Board must be satisfied on all of them before granting registration.
1. Indian Incorporation
The applicant must be a company incorporated in India under the Companies Act, 2013. LLPs, partnerships, sole proprietorships, and foreign entities cannot apply. This effectively excludes global players like OneTrust from registering as Consent Managers in India unless they set up an Indian subsidiary.
2. Sufficient Technical, Operational, and Financial Capacity
The entity must demonstrate it can deliver on the Consent Manager mandate: building and maintaining an interoperable consent platform, handling high volumes of consent transactions, and sustaining operations over time.
3. Sound Financial Condition and Management
The Board will assess the overall financial health and governance quality of the applicant, including debt levels, revenue sustainability, and management track record.
4. Minimum Net Worth of Rs 2 Crore
This is the hard financial threshold. The requirement ensures Consent Managers have sufficient capital to sustain operations and meet obligations.
5. Adequate Business Volume, Capital Structure, and Earnings Prospects
The Board must be satisfied that the applicant’s projected business volume justifies its capital structure and that earnings prospects are sustainable. This prevents shell companies from registering purely to hold the licence.
6. Directors and KMP of Good Character
Directors, key managerial personnel (KMP), and senior management must be individuals with a general reputation and record of fairness and integrity. Background checks and character assessments form part of the application process.
7. MOA and AOA Provisions
The Memorandum of Association and Articles of Association must contain provisions:
- Requiring adherence to conflict-of-interest and fiduciary obligations (Items 9 and 10 of Part B)
- Ensuring policies and procedures for compliance are in place
- Stating that these provisions can only be amended with prior approval of the Board
8. Operations in the Interest of Data Principals
The applicant’s proposed operations must demonstrably serve the interests of Data Principals, not the commercial interests of the applicant or its affiliated Data Fiduciaries.
9. Independent Certification
The applicant must obtain independent certification confirming that:
- Its interoperable platform meets data protection standards and the assurance framework published by the Board
- It has implemented adequate safeguards for the personal data processed through its platform
Step-by-Step: The Registration Process
Rule 4 of the DPDP Rules 2025 outlines the registration procedure. For the full procedure with the eligibility checks, document list, and preparation sequence, see the dedicated guide on how to register as a Consent Manager.
Step 1: Prepare the Application
Compile all required particulars, information, and documents as specified by the Board on its website. This includes corporate documents, financial statements, technical specifications of your platform, independent certification reports, and details of directors and KMP.
Step 2: Submit to the Data Protection Board
File the application with the DPB in the form and manner published on the Board’s website. The Board’s online portal is expected to go live well before the November 2026 deadline.
Step 3: Board Inquiry
The Board may make such inquiry as it deems fit to verify fulfilment of the Part A conditions. This could include requesting additional documentation, conducting interviews, or commissioning independent assessments.
Step 4: Registration Decision
The Board will either:
- Register the applicant: notify the applicant, publish the Consent Manager’s particulars on its website, and issue the registration
- Reject the application: communicate the reasons for rejection to the applicant
Step 5: Ongoing Compliance
Registration is not a one-time exercise. Consent Managers must continuously meet Part A conditions and comply with Part B obligations. The Board can revoke registration if conditions are no longer met.
Ongoing Obligations After Registration (Part B of First Schedule)
Once registered, Consent Managers carry significant ongoing obligations.
Record-Keeping
- Maintain comprehensive records of all consent transactions for a minimum of seven years
- Consent records may not be accessed to read the underlying personal data. The Consent Manager manages the consent artefact; the underlying data remains with the Data Fiduciary.
Independence and Conflict-of-Interest
- Must operate independently of any Data Fiduciary
- Cannot have conflicts of interest with entities that determine the purpose and means of data processing
- This prevents a Data Fiduciary from controlling a Consent Manager and using it to steer consent in its favour
Interoperability
- The consent platform must be interoperable across multiple Data Fiduciaries and services
- This aligns with the DEPA vision of open, API-driven consent infrastructure
Transparency and Accountability
- Accountable to Data Principals at all times
- Must provide clear, accessible interfaces for consent management
- Must act in the interest of the Data Principal when mediating between the individual and Data Fiduciaries
Who Should Consider Registering?
Consent Manager registration is relevant for a narrow but strategically important set of entities:
- Account Aggregators already operating under RBI’s framework who want to extend into broader personal data consent management
- FinTech platforms building cross-platform consent infrastructure for banking, lending, or insurance
- HealthTech platforms enabling patients to manage consent across hospitals, diagnostic labs, and ABDM-integrated systems
- Identity and consent startups that specifically aim to be the individual’s consent dashboard across services
- Telecom or digital platform players looking to offer consent management as a value-added service to their user base
Who does not need to register: Most businesses, including banks, NBFCs, e-commerce platforms, SaaS companies, and hospitals, are Data Fiduciaries, not Consent Managers. They need consent management software to manage their own consent collection, not Consent Manager registration. Data Fiduciaries do not register with the Board for consent management purposes, though Significant Data Fiduciaries have separate obligations under Section 10.
How Data Fiduciaries Should Prepare for Consent Managers
Even if your organisation is not registering as a Consent Manager, you need to be ready for them. Once Consent Managers go live after November 2026, Data Principals will use them to:
- Grant consent to your organisation through the Consent Manager’s platform instead of, or in addition to, your own consent flow
- Withdraw consent remotely; your systems must honour withdrawal requests that arrive via Consent Manager APIs
- Review and audit what consents they have given you; your consent records must be accurate and up-to-date
What Data Fiduciaries Should Do Now
- Audit your consent architecture: Can your systems accept consent signals from third-party Consent Managers via APIs?
- Build interoperable consent APIs: Consent Managers will need standardised endpoints to grant, review, and withdraw consent on behalf of Data Principals.
- Map consent to processing purposes: Each consent must be tied to a specific, lawful processing purpose (Section 6 requires purpose-specific consent).
- Implement consent withdrawal workflows: When a Data Principal withdraws consent via a Consent Manager, your systems must cease processing within a reasonable timeframe.
- Maintain audit-ready consent records: Your records must match what the Consent Manager holds for the Data Principal. This intersects directly with your breach notification obligations. Accurate consent records are a prerequisite for an accurate breach scope assessment.
This is where a consent management platform like ConsentOS becomes essential. ConsentOS provides the infrastructure Data Fiduciaries need to capture purpose-specific consent, maintain audit trails, handle withdrawal requests, and prepare for Consent Manager interoperability, without requiring Data Fiduciaries to build this capability from scratch. See the feature-level comparison for how ConsentOS maps to each obligation.
Common Mistakes to Avoid
| Mistake | Why It Is Wrong | Correct Approach |
|---|---|---|
| Assuming your CMP tool makes you a “Consent Manager” | Consent Manager is a registered legal entity, not a software product | Use a CMP for internal consent management; register only if you want to operate as an intermediary |
| Waiting until November 2026 to start preparing | Registration requires independent certification, corporate document amendments, and Board approval; this takes months | Begin preparation by Q3 2026 at the latest |
| Registering as a Consent Manager while also acting as a Data Fiduciary | Conflict-of-interest provisions prohibit this | Maintain strict independence between your Consent Manager entity and any Data Fiduciary operations |
| Ignoring the Rs 2 crore net worth requirement | This is a hard eligibility criterion; the Board will reject applications below this threshold | Ensure net worth is met before applying; consider funding or capitalisation if needed |
| Not building interoperable APIs as a Data Fiduciary | Consent Managers will need to interface with your systems post-November 2026 | Start building consent APIs now; align with DEPA and Account Aggregator standards |
Timeline: What to Do Over the Next Five Months
| Month | For Consent Manager Applicants | For Data Fiduciaries |
|---|---|---|
| June 2026 | Finalise corporate structure; begin MOA and AOA amendments; engage independent certifier | Audit consent architecture; identify interoperability gaps |
| July 2026 | Complete technical platform development; undergo security and data protection audits | Begin building consent APIs; map all processing purposes |
| August 2026 | Obtain independent certification; prepare application documents; confirm Rs 2 Cr net worth | Test consent withdrawal workflows; align records with audit requirements |
| September 2026 | Submit registration application to DPB; begin Board inquiry process | Integrate with test Consent Manager environments if available |
| October–November 2026 | Respond to Board queries; obtain registration; publish on DPB website | Go live with Consent Manager-compatible consent infrastructure |
Assessing Your Readiness
Whether you are preparing a Consent Manager registration application or building the consent infrastructure your Data Fiduciary obligations require, the starting point is an accurate picture of where you stand today.
The free Compliance Gap Assessment scores your organisation against the DPDP Act’s obligations in under 10 minutes and returns a prioritised report you can use to direct your preparation. View ConsentOS pricing tiers for compliance infrastructure built specifically for the Data Fiduciary obligations that sit adjacent to the Consent Manager framework.
For the full DPDP compliance timeline, including how the November 2026 Consent Manager deadline fits alongside the Data Principal rights framework and the privacy notice requirements that interact with consent collection, see the related articles below.
Know where you stand on DPDP compliance
Run the free Compliance Vault Assessment for a gap report scored against your DPDP Act 2023 obligations, work through the 26-point compliance checklist, or model your penalty exposure.
Enforcement milestones, rule notifications, and deadline analysis.
One email when it matters, no more.
Resources
Continue Reading
Related DPDP Act 2023 guidance from the ConsentOS knowledge base.
How to Register as a Consent Manager Under the DPDP Act
Step-by-step guide to Consent Manager registration under the DPDP Act: eligibility, the Rs 2 crore net worth gate, documents, and the application process.
10 min read
Regulatory UpdatesDPDP Act 2023 Compliance Deadlines & Enforcement Dates (India)
Every DPDP Act date: Rules notified Nov 2025, Consent Manager registration Nov 2026, penalty enforcement May 2027. Plan your compliance timeline.
5 min read
Regulatory UpdatesSDF Classification: The November 2026 DPDP Deadline in India
MeitY proposed in January 2026 to compress the Significant Data Fiduciary compliance window from 18 months to 12 months. If gazetted, large-volume data processors face a November 2026 deadline, not May 2027. Here is what SDF status means and how to know if it applies to your organisation.
9 min read
Data Principal RightsDPDP Act 2023: All 8 Data Principal Rights with Templates (India)
Access, correction, erasure, grievance, and nominee rights under the DPDP Act 2023: the response deadlines a Data Fiduciary must meet, with ready-to-use request templates.
7 min read
Implementation GuidesDPDP Privacy Notice: 22 Languages & Mandatory Disclosures (India)
A DPDP Act 2023 privacy notice in all 22 Eighth Schedule languages: required disclosures, purpose, rights, grievance contact. Compliant template included.
11 min read