A Consent Manager is a registered entity that acts as a single point of contact for data principals to give, manage, review, and withdraw consent to data fiduciaries, serving as an intermediary that enables individuals to exercise control over how their personal data is processed across multiple platforms and services. Under Indian law, Consent Managers must be registered with the Data Protection Board of India under Section 6(6) of the Digital Personal Data Protection Act, 2023, and must meet prescribed technical, operational, and financial conditions under the DPDP Rules, 2025.
Legal definition
The Digital Personal Data Protection Act, 2023 establishes the consent manager framework:
Section 6(6): Every Data Principal shall have the right to give, manage, review and withdraw her consent to the Data Fiduciary through a Consent Manager.
Section 6(7): Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed and shall be accountable to the Data Principal and shall act on behalf of the Data Principal in such manner and subject to such obligations as may be prescribed.
Section 6(8): Every Consent Manager referred to in sub-section (7) shall be interoperable across various Data Fiduciaries and have the ability to give, manage, review and withdraw consent across any Data Fiduciary.
The DPDP Rules, 2025 prescribe detailed registration requirements:
- The Consent Manager must be a company incorporated in India with a minimum net worth as prescribed
- It must demonstrate technical capability for interoperable consent management across multiple data fiduciaries
- Registration with the Data Protection Board opens from 13 November 2026
- The Consent Manager must maintain a transparent, accessible, and interoperable platform for data principals
- It must not process personal data for any purpose other than consent management
How courts have interpreted this term
The Consent Manager concept is new — introduced by the DPDP Act, 2023 and operationalised by the DPDP Rules, 2025. As the registration timeline (November 2026) has not yet arrived and no Consent Managers are yet operational, there is no direct judicial interpretation of this specific concept.
However, the broader principle of consent-based data processing that underpins the Consent Manager framework has been addressed:
K.S. Puttaswamy v. Union of India [(2017) 10 SCC 1]
The Supreme Court held that informed consent is a foundational element of data protection. The Court observed that any data protection regime must ensure that consent is meaningful, not merely a formality — individuals must have genuine control over how their data is processed. The Consent Manager framework directly implements this judicial requirement by providing a practical mechanism for managing consent across multiple platforms.
K.S. Puttaswamy v. Union of India (Aadhaar) [(2019) 1 SCC 1]
The Supreme Court struck down Section 57 of the Aadhaar Act, which permitted private entities to use Aadhaar authentication. The Court's emphasis on limiting data processing to purposes for which consent was specifically obtained informed the design of the consent framework under the DPDP Act, including the role of Consent Managers as intermediaries ensuring purpose-specific consent management.
Why this matters
The Consent Manager is one of the most innovative features of India's data protection framework. In a digital economy where an average user interacts with dozens of apps and platforms — each processing personal data under separate consent — managing consent individually is practically impossible. Consent Managers are designed to solve this problem by providing a centralised dashboard through which users can view all their consent relationships and exercise their rights.
For data principals, Consent Managers will function like a "consent wallet" — a single interface to see which data fiduciaries hold their data, for what purpose, and with the ability to withdraw consent with a single action. This is particularly important given that most current consent mechanisms (click-wrap agreements, cookie banners) are designed to maximise consent rather than inform the user.
For data fiduciaries, the interoperability requirement means their systems must be capable of receiving and processing consent signals from registered Consent Managers. This requires API integration and real-time consent verification capabilities. Data fiduciaries cannot refuse to accept consent given or withdrawn through a registered Consent Manager.
For businesses interested in becoming Consent Managers, this represents a new market opportunity. The India Stack experience (with UPI, Account Aggregators, and DigiLocker) suggests that consent management infrastructure could become a significant digital services category. The Account Aggregator framework under the RBI — which enables consent-based financial data sharing — provides a working model for how Consent Managers might operate.
Frequently asked questions
When will Consent Managers become operational in India?
Registration for Consent Managers with the Data Protection Board opens on 13 November 2026. After registration, Consent Managers will need to build interoperable systems, integrate with data fiduciaries, and launch consumer-facing platforms. Operational Consent Managers are expected to be available by 2027.
Will using a Consent Manager be mandatory?
No. Data principals have the right to use a Consent Manager but are not required to do so. Individuals can continue to give, manage, and withdraw consent directly with data fiduciaries. Consent Managers are an optional facilitation mechanism designed to make consent management easier.
How is a Consent Manager different from a cookie consent tool?
Cookie consent tools (banners) operate within a single website or app and manage consent for that specific platform only. A Consent Manager under the DPDP Act is a registered, interoperable entity that manages consent across all data fiduciaries — functioning as a centralised consent dashboard for all of a data principal's consent relationships. It is a significantly broader and more regulated concept.
This entry is part of the Veritect Indian Legal Glossary, a comprehensive reference of Indian legal terminology grounded in statutory text and judicial interpretation.
Last updated: 2026-03-27. Veritect provides this content for informational purposes; it does not constitute legal advice.