Introduction: The Rise of Consent-Based Governance in India
India's data protection landscape is being shaped by two important frameworks. The first is the Consent Manager system under the Digital Personal Data Protection Act (DPDPA) of 2023. The second is the Account Aggregator framework regulated by the Reserve Bank of India (RBI). While they operate under different legal regimes, both aim to give individuals control over their personal data through consent. Despite their distinct scopes, these systems are potentially complementary and represent a broader move towards user centric data governance.
Consent Manager: A Sector-Agnostic Framework under the DPDPA
The Consent Manager framework introduced by the DPDPA establishes a neutral intermediary regulated by the Data Protection Board of India (DPBI). Consent Managers help individuals exercise their rights over personal data. They are not supposed to collect, store, or process data themselves. Instead, they allow users to grant, monitor, and withdraw consent from organizations that collect and use personal data. Consent Managers are designed to work across industries such as healthcare, education, employment, digital services, etc. Their sector neutral design supports the development of a unified, scalable, and privacy focused consent infrastructure.
Account Aggregator: RBI's Specialized Financial Data Infrastructure
The Account Aggregator model, in contrast, focuses specifically on financial data. It is regulated by the RBI and involves licensed Non-Banking Financial Companies (NBFC) that act as intermediaries. Account Aggregators facilitate the safe and user approved sharing of financial data such as bank statements, insurance policies, investment details, etc. These transactions take place between Financial Information Providers such as banks and Financial Information Users such as lenders or wealth managers. The system requires that consent be clearly defined and limited by time and purpose. It uses encryption and standardized Application Programming Interfaces (APIs) to maintain high levels of data security and technical integrity.
Shared Values: Data Control and Transparency
Although the Consent Manager and Account Aggregator systems operate within different legal boundaries, they are built on the same foundation. Both aim to empower individuals with meaningful control over their data through informed, voluntary, and revocable consent. Neither system alters nor stores the data it helps transfer. Instead, both focus on making consent transactions clear, secure, and user friendly. These models shift control away from organizations and towards individuals, reinforcing the belief that people should have ultimate authority over their personal information.
Divergences in Scope, Regulation, and Maturity
The Consent Manager system is still in the early phases of development as, while it finds it places in the draft Rules, the notified version is awaited. While it promises to bring uniform consent standards across all sectors, the operational details and regulations are still being finalized by the DPBI. Its aim is to provide consent solutions for every kind of personal data, including health records, employment history, educational background, and consumer behaviour.
On the other hand, the Account Aggregator framework was launched in 2021 and is already operational. It has seen widespread adoption among banks, insurance companies, and fintech players. Its maturity and tested systems could provide useful lessons for the rollout of Consent Managers. The Account Aggregator ecosystem benefits from a well-defined structure and a strong base of financial sector compliance. The AA system's established governance, standardization, and compliance models provide a valuable operational reference point that could inform the broader implementation of the Consent Manager framework.
A significant distinction lies in the legal authorities governing the two systems. Consent Managers fall under the jurisdiction of the DPBI, as part of the DPDPA, which is a horizontal data protection law applicable across sectors. The Account Aggregator system, on the other hand, is regulated by the RBI under the framework of India's financial sector laws. This distinction has far-reaching implications for how each system is licensed, governed, and enforced, impacting technical protocols, data-sharing rules, and the regulatory oversight mechanisms employed.
Target Audiences and Use Cases Across Ecosystems
Consent Managers are designed for the general public interacting with a wide variety of services that collect personal data. They will be relevant to nearly every organization that processes user information whether to offer personalized content, fulfil service contracts, or manage internal HR functions. Account Aggregators, however, cater specifically to individuals and entities in the financial domain. Their users are those seeking to consolidate their financial data for purposes like loan applications, credit scoring, personal financial management, or tax filings.
Functioning of Consent Managers and Account Aggregators in tandem
Because both systems are grounded in the principle of user control through consent, there is a strong case for aligning them. One potential model is to treat Account Aggregators as financial sector specific Consent Managers under the broader umbrella of the DPDPA. This could simplify compliance for financial firms and prevent duplication of effort.
However, such integration brings up important regulatory questions. If the systems are aligned, which authority will regulate them? Will the RBI or the DPBI take the lead? A practical solution could involve joint governance. The RBI could continue overseeing financial activity, while the DPBI ensures compliance with privacy and consent norms.
Recognizing Different Risk Profiles
It is also important to recognize that Consent Managers are not supposed to access or handle personal data directly. Their only role is to facilitate consent between users and data processors. Due to the stringency of the role played by the Account Aggregator the same strict regulatory standards may not be appropriate. Any integration of the two systems must consider their different responsibilities and risk levels. Oversight of the roles and responsibilities should be tailored to match the actual exposure of each system. Regulations should be effective while allowing the roles and responsibilities to be conducted smoothly.
Towards a Federated Consent Infrastructure
Merging the Consent Manager and Account Aggregator frameworks could lead to the creation of a federated consent system for India. The tested technical protocols and security designs of the Account Aggregator model can guide the development of Consent Managers in other sectors. A unified approach would avoid fragmentation and allow users to manage their data through a consistent interface, regardless of whether the data is financial, medical, or personal.
Such integration could also accelerate the adoption of consent-based systems across industries. It would reduce operational costs for companies and improve transparency for users. By aligning technical and legal frameworks, India can build a consent infrastructure that protects privacy and encourages responsible innovation.
Conclusion: Building a Federated Consent Future
Consent Managers and Account Aggregators represent two important pillars in India's data protection journey. While they operate under different laws and serve different domains, their shared goal of empowering users through consent creates opportunities for convergence. Thoughtfully integrating these systems, while respecting their unique roles, can help India create a unified, secure, and citizen centric digital ecosystem. A harmonized consent architecture will support data dignity, simplify compliance, and unlock new possibilities for innovation in the digital economy. That supports India's growing digital economy and respects its commitment to data dignity.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.