ARTICLE
23 June 2025

Guardians Of Consent: India's Data Protection Law And The Rise Of The Consent Manager

Samagra Law

Contributor

Samagra Law embodies a holistic and comprehensive approach to legal services, inspired by the Sanskrit word “Samagra,” meaning “whole” or “complete.” The firm is committed to delivering pragmatic, innovative solutions tailored to the unique needs of each client. By transcending conventional boundaries, Samagra crafts strategies that address every facet of a case.

The firm’s multidisciplinary team comprises seasoned professionals, ensuring expertise across a broad spectrum of legal matters. Clients benefit from dedicated partner involvement and customized teams designed for seamless and effective case handling.

Beyond client service, Samagra extends its commitment to society through impactful pro bono initiatives, striving to enhance community well-being. This dedication to wholeness defines both the firm’s ethos and its approach to the legal profession.


Introduction

Consent, as we note, is the primary basis for processing personal data under India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the Draft Digital Personal Data Protection Rules, 2025 (Draft Rules) released for public consultation earlier this year. The DPDP Act also introduces a unique and innovative method of managing the consents given by Data Principals (or Data Subjects, as they are referred to in the global context), i.e. by appointing a consent manager for this purpose – a guardian of consent. The Draft Rules clarify that a consent manager can only be a body corporate, which must be registered with the Data Protection Board ("DPB") and meet certain criteria in terms of net worth and trustworthiness.

Role of Consent Managers in India's Data Privacy Framework

Consent Managers are poised to assume an essential and reliable position in India's data privacy framework under the DPDP Act and the Draft Rules. Consent Managers will serve as a conduit between Data Principals and Data Fiduciaries, simplifying the process for Data Principals to provide, oversee, or retract their consent regarding the use of their personal data. The consent management system will likely be a user-friendly and secure platform/tool that gives individuals greater autonomy to keep track of the consent choices they have made over time and to revisit those choices.

For any organization aspiring to function as a Consent Manager, the registration process entails adhering to a set of explicit standards detailed in Part A of the First Schedule [1]. Its constitutional documents (i.e. Memorandum and Articles of Association) must clearly indicate its dedication to data protection. The DPB will evaluate whether the applicant possesses the appropriate technical framework, operational capability, and financial viability to fulfil its obligations, and will also scrutinize the general character, reputation and record of fairness and integrity of the organization's management. It is vital that these entities not only possess the necessary infrastructure but also embody the right values and intentions.

Upon receiving approval, Consent Managers are obligated to adhere to a defined set of responsibilities, as delineated in Part B of the First Schedule. These responsibilities include ensuring that individuals can easily and securely grant or revoke their consent, with the process being clear and user-friendly. The objective is to establish a system in which individuals do not feel overwhelmed or perplexed about the handling of their data.

The DPB maintains strict oversight of the operations of Consent Managers. Should any issues arise, or if a Consent Manager fails to fulfil its obligations, the Board may intervene, first by providing an opportunity to rectify the situation and, if necessary, by suspending or revoking the organization's registration. This regulatory supervision is intended to preserve public confidence and guarantee that Data Principals are safeguarded.

Additionally, the company must demonstrate that its platform adheres to the standards established by the Board, is independently verified, and meets the rigorous requirements set for safeguarding individuals' personal data.

Key Duties and Operational Guidelines for Registered Consent Managers

Registered Consent Managers are obligated to facilitate Data Principals in effectively providing, managing, reviewing, and retracting consent for data processing [2]. They must ensure that personal data is processed securely, keeping it inaccessible to unauthorized entities. Consent Managers are required to maintain detailed records of all consent activities, including consent given, rejected, or withdrawn, along with associated notifications and data sharing actions. They must provide Data Principals with access to these records in a machine-readable format upon request. Developing and maintaining a website or application through which Data Principals can access these services is essential. Consent Managers cannot subcontract or assign their responsibilities to third parties without prior Board approval. They must implement robust security measures to prevent personal data breaches and act in a fiduciary capacity with respect to Data Principals' data. Avoiding conflicts of interest with Data Fiduciaries, including those involving promoters and key management personnel, is critical. Detailed information about the company's promoters, directors, key management personnel, and significant shareholders must be published on the Consent Manager's website or app. They are also required to establish effective audit mechanisms to review and ensure compliance with technical and organizational controls, and to continue to meet the registration criteria and obligations. Any transfer of control, sale, or merger of the company must have prior Board approval and adhere to specified conditions.

The Consent Manager functions primarily as a neutral intermediary, acting as a log keeper for user consent without accessing or processing the personal data itself. Its role is to facilitate the collection, management, and recording of consent preferences from users, ensuring that organizations comply with data protection regulations by remaining "blind" to the actual data being processed.

Consent Management System

The National e-Governance Division of the Ministry of Electronics and Information Technology (MeitY) has, in June 2025, published a Business Requirement Document for Consent Management under the DPDP Act, 2023 (Business Requirement Document), which is a blueprint outlining the framework for a Consent Management System (CMS) [3]. This brings further clarity to the consent manager model and details how the CMS framework will benefit Data Principals not just in giving consent but in maintaining the entire lifecycle of consent, including revocation. The Consent Manager is required to maintain a precise and comprehensive record that includes logs of consent granted, denied, modified or revoked, along with metadata containing the user ID, timestamp, purpose ID and language preference. These records, along with any associated notifications and data sharing activities, must be retained for a specified duration. The blueprint further requires the CMS to be able to separate optional purposes from mandatory ones and to list all consents in a granular manner, ensuring explicit and affirmative action by the Data Principals.

Another feature of a CMS will be its ability to produce user dashboards displaying a complete history of active, expired and withdrawn consents, and allowing users to download their consent history in a secure format, raise grievances and track responses.
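To make the record-keeping described above concrete, the following is an added illustrative model of a consent ledger; it is not code from the Business Requirement Document, from MeitY, or from any real Consent Manager. It stores only the consent metadata the article names (user ID, timestamp, purpose ID, language preference) and never the personal data itself, keeps one append-only event per purpose so that mandatory and optional purposes are affirmed separately rather than bundled, derives the active/expired/withdrawn states a dashboard would show, and exports the history in a machine-readable (JSON) form. Purpose identifiers, user identifiers, the event kinds and the sample dates are constructed for the example.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# The four event kinds the article's description of the CMS log names.
EVENT_KINDS = ("granted", "denied", "modified", "revoked")


@dataclass(frozen=True)
class Purpose:
    purpose_id: str
    description: str
    mandatory: bool  # optional purposes are listed apart from mandatory ones


@dataclass(frozen=True)
class ConsentEvent:
    # Only consent metadata lives here; the Consent Manager stays "blind" to the
    # personal data the Data Fiduciary actually processes under this consent.
    user_id: str
    purpose_id: str
    kind: str
    timestamp: str             # ISO 8601, UTC
    language: str              # language in which the notice was shown
    expires_at: Optional[str] = None


class ConsentLedger:
    """Append-only record of consent events, one event per purpose."""

    def __init__(self, purposes: List[Purpose]) -> None:
        self.purposes: Dict[str, Purpose] = {p.purpose_id: p for p in purposes}
        self._events: List[ConsentEvent] = []

    def split_purposes(self) -> Tuple[List[Purpose], List[Purpose]]:
        """Mandatory and optional purposes, presented as two separate lists."""
        mandatory = [p for p in self.purposes.values() if p.mandatory]
        optional = [p for p in self.purposes.values() if not p.mandatory]
        return mandatory, optional

    def record(self, user_id: str, purpose_ids: List[str], kind: str, language: str,
               now: datetime, expires_at: Optional[datetime] = None) -> List[ConsentEvent]:
        """Append one event per purpose; a multi-purpose request is never stored
        as a single bundled record."""
        if kind not in EVENT_KINDS:
            raise ValueError(f"unknown event kind: {kind}")
        unknown = [p for p in purpose_ids if p not in self.purposes]
        if unknown:
            raise KeyError(f"unknown purpose(s): {unknown}")
        ts = now.isoformat()
        exp = expires_at.isoformat() if expires_at else None
        events = [ConsentEvent(user_id, pid, kind, ts, language, exp) for pid in purpose_ids]
        self._events.extend(events)
        return events

    def status(self, user_id: str, purpose_id: str, now: datetime) -> str:
        """Current state for one purpose: active, expired, withdrawn, denied or none."""
        last = None
        for ev in self._events:
            if ev.user_id == user_id and ev.purpose_id == purpose_id:
                last = ev  # events are appended in time order, so the last match wins
        if last is None:
            return "none"
        if last.kind == "revoked":
            return "withdrawn"
        if last.kind == "denied":
            return "denied"
        # "granted" or "modified": active until any expiry passes
        if last.expires_at and datetime.fromisoformat(last.expires_at) <= now:
            return "expired"
        return "active"

    def dashboard(self, user_id: str, now: datetime) -> Dict[str, str]:
        """What a user dashboard would show: state of every purpose for this user."""
        return {pid: self.status(user_id, pid, now) for pid in self.purposes}

    def export(self, user_id: str) -> str:
        """Machine-readable copy of the user's full consent history (JSON)."""
        return json.dumps([asdict(e) for e in self._events if e.user_id == user_id], indent=2)


def demo() -> Dict[str, object]:
    # Constructed sample data for illustration only.
    ledger = ConsentLedger([
        Purpose("P-ACCOUNT", "Operate the user's account", mandatory=True),
        Purpose("P-MARKETING", "Send promotional messages", mandatory=False),
        Purpose("P-ANALYTICS", "Usage analytics", mandatory=False),
    ])
    t0 = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)
    ledger.record("DP-001", ["P-ACCOUNT"], "granted", "hi", t0)
    ledger.record("DP-001", ["P-MARKETING"], "granted", "hi", t0, expires_at=t0 + timedelta(days=30))
    ledger.record("DP-001", ["P-ANALYTICS"], "granted", "hi", t0, expires_at=t0 + timedelta(days=7))
    ledger.record("DP-001", ["P-MARKETING"], "revoked", "hi", t0 + timedelta(days=3))
    later = datetime(2025, 6, 20, 9, 0, tzinfo=timezone.utc)
    mandatory, optional = ledger.split_purposes()
    return {
        "mandatory": [p.purpose_id for p in mandatory],
        "optional": [p.purpose_id for p in optional],
        "dashboard": ledger.dashboard("DP-001", later),
        "history": json.loads(ledger.export("DP-001")),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that the ledger never gains a field for the data being processed: a Data Fiduciary checks `status()` before acting, and the Consent Manager can answer from metadata alone. Retention periods, notification records and grievance tracking, which the blueprint also requires, are left out here.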

The CMS is also poised to be a useful tool for Data Fiduciaries, since it will create a consent artefact for each valid submission, send an acknowledgement notification to the Data Principal with real-time synchronization for both Data Fiduciaries and Data Principals, keep logs of all actions for regulatory compliance, and provide real-time alerts on consent updates and withdrawals. The CMS Business Requirement Document does present a practical solution for Data Fiduciaries. However, this will not in any way lighten the compliance burden of Data Fiduciaries under the DPDP Act. Data Fiduciaries will still be required to comply with all obligations, including issuing notices with multi-language support, ensuring accessibility standards, accurately mapping all data collection activities to their respective purposes and providing Data Principals access to the consent interface.

Avoiding Dark Patterns in Consents

While an advanced CMS will likely assist in managing consent, it is imperative that Data Fiduciaries tread with caution and carefully review their current consent processes and language to ensure that consent for processing personal data remains free, specific, informed, unambiguous, explicit and affirmatively expressed even after the DPDP Act is brought into force. Bundled consents should be avoided in all cases, even where the purposes are closely associated with each other.

The 2023 Guidelines for the Prevention and Regulation of Dark Patterns, published by the Central Consumer Protection Authority (CCPA) in India [4] (Guidelines), are intended to protect consumers by banning misleading user interface and experience (UI/UX) tactics that manipulate user decisions or diminish their autonomy. The Guidelines list about thirteen behaviours as examples of dark patterns intended to deceive consumers by obscuring essential information, bundling choices or generating confusing choices. Effectively, these Guidelines are likely to be taken into consideration when identifying any dark pattern adopted to obtain consent, and may lead to an adjudication that renders the consent under the DPDP Act invalid, thereby making the Data Fiduciary liable for non-compliance under the DPDP Act with a potential fine of up to INR five hundred thousand (INR fifty crores), and also providing the Data Principal a remedy under the Consumer Protection Act, 2019.

Pilot Project for Digital Consent

To tackle complaints of fake consents received by it, the Telecom Regulatory Authority of India (TRAI) has launched a pilot project for digital consent management in collaboration with the Reserve Bank of India (RBI) and select banks [5] (Pilot). The initiative addresses the growing issue of spam complaints in which businesses claim to have consumer consent for commercial communications, often collected through unverifiable or deceptive means. The Pilot, running under a Regulatory Sandbox framework, will validate the operational, technical, and regulatory aspects of the enhanced Consent Registration Function (CRF) and lay the foundation for sector-wise scaling of the digital consent ecosystem. CRF refers to entities acquiring consent digitally and registering it in a secure and interoperable digital consent registry maintained by the Telecom Service Providers (TSPs), so that consents can be easily verified when commercial communications are made to consumers. However, for this consent registration framework to operate successfully, the onboarding of entities sending commercial communications is a necessary requirement. Since the press note does not directly refer to consent under the DPDP Act, it remains to be seen whether this pilot project will subsequently be used to address privacy concerns and whether its rollout will be merged with the CMS framework set out in the Business Requirement Document issued by MeitY.

The Pilot has prioritized the banking sector due to financial fraud risks and marks the first phase of a national rollout aimed at ensuring transparent, secure, and consumer-centric commercial communications. Through this, TRAI, which will be an appellate authority under the DPDP Act, has reaffirmed its commitment to protecting consumer interests and fostering trust in legitimate business communications.

Conclusion

The DPDP Act and the Draft Rules represent a pivotal moment in India's approach to privacy governance. As we see the rise of the CMS as a technology-based solution for both businesses and individuals in protecting personal data and managing consent, and regulatory authorities initiating pilot projects for transparent, secure and consumer-centric commercial communications, we can see India readying itself to launch a new era of digital privacy, thus safeguarding individual rights in an increasingly complex digital landscape.

Footnotes

1. https://www.dpdpa.in/dpdpa_rules_2025/dpdpa_draft_rules_english_.pdf

2. https://dpdpa.com/schedule/schedule1.html

3. CMS-System.pdf

4. The Guidelines for Prevention and Regulation of Dark Patterns, 2023.pdf

5. PR_No.48of2025.pdf

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
