Executive Summary
The DPDP Rules, 2025 create a new category of regulated intermediaries: Consent Managers. With registration opening November 2026 and requirements including ₹2 crore minimum net worth and India incorporation, the framework presents both opportunities and challenges. This article analyzes eligibility requirements, operational obligations, and the business case for becoming a Consent Manager.
Key Dates:
- Rules notified: November 13, 2025
- Rule 4 (Consent Managers) effective: November 13, 2026
- Registration window: 12 months to build eligibility
Requirements:
- ₹2 crore minimum net worth
- India-incorporated company
- Interoperable technical platform
- Fiduciary duties to Data Principals
Introduction
India's DPDP Act introduces an innovative concept: Consent Managers - registered intermediaries who enable individuals to manage their data consents across multiple Data Fiduciaries from a single platform.
Think of it as "UPI for personal data consent" - a unified interface for giving, managing, and withdrawing consent to data processing.
Section 1: Understanding Consent Managers
Definition (Section 2(g) DPDP Act)
"Consent Manager" means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform.
Core Functions
| Function | Description |
|---|---|
| Consent Collection | Facilitate consent on behalf of Data Fiduciaries |
| Consent Management | Track consents across multiple entities |
| Consent Review | Enable Data Principals to see who has their consent |
| Consent Withdrawal | Single point for revoking consents |
| Interoperability | Connect across different Data Fiduciaries |
How It Works
Data Principal ←→ Consent Manager ←→ Multiple Data Fiduciaries
                                     │
                                     ├─→ Bank
                                     ├─→ E-commerce site
                                     ├─→ Healthcare provider
                                     ├─→ Insurance company
                                     └─→ Social media platform
Instead of managing consent separately with each entity, individuals use one Consent Manager interface.
Section 2: Registration Requirements
Eligibility Criteria (First Schedule, Part A)
The DPDP Rules 2025 establish strict eligibility requirements:
1. Incorporation Requirement
- Must be a company incorporated in India
- Foreign entities must establish Indian subsidiary
- LLPs, partnerships, proprietorships NOT eligible
2. Net Worth Requirement
- Minimum ₹2 crore net worth
- Inflation-adjusted annually
- Verified through audited financials
- Purpose: Ensure capacity for secure systems and insurance
3. Management Quality
- "Sound financial condition"
- "General character of management must be sound"
- Likely includes background checks on directors/KMPs
- Track record assessment
4. Technical Capability
- Interoperable platform
- Compliance with Board-specified standards
- Data protection assurance frameworks
- Secure infrastructure
Application Process
Step 1: Prepare Documentation
├─ Certificate of incorporation
├─ Audited financials (net worth proof)
├─ Director/KMP details
├─ Technical architecture documentation
└─ Compliance framework description
Step 2: Submit to Data Protection Board
Step 3: Board Review
├─ Document verification
├─ Technical assessment
├─ Management evaluation
└─ Site inspection (if required)
Step 4: Decision
├─ Approval → Registration + Public listing
└─ Rejection → Reasons provided
Section 3: Operational Obligations
Key Obligations (First Schedule, Part B)
1. Fiduciary Duty
- Act in Data Principal's interest
- Avoid conflicts of interest with Data Fiduciaries
- Cannot favor certain Data Fiduciaries
- Transparent fee structures
2. Data Handling
- Personal data must remain unreadable to Consent Manager
- Cannot access content of personal data
- Only manage consent metadata
- End-to-end encryption required
3. Record Retention
- Maintain consent records for 7 years
- From date of consent OR withdrawal (whichever later)
- Accessible for audit
- Secure storage
4. Conflict Avoidance
- Internal mechanisms to prevent conflicts
- Director/KMP interest disclosure
- Senior management independence
- Shareholder transparency
5. Platform Requirements
- Website AND/OR app required
- Primary means of Data Principal access
- Accessible interface
- Multi-language support recommended
6. No Subcontracting
- Cannot outsource core obligations
- Cannot assign duties to third parties
- Direct accountability maintained
7. Control Transfer Restrictions
- Sale, merger, acquisition requires Board approval
- Prevents uncontrolled ownership changes
- Protects Data Principal interests
Audit Requirements
- Maintain effective audit mechanisms
- Monitor technical and organizational controls
- Verify continued compliance with registration conditions
- Report audit outcomes to Board
Section 3A: Judicial Precedents on Consent, Fiduciary Duty, and Intermediary Obligations
Indian courts have developed principles on consent validity, fiduciary obligations, and intermediary responsibilities that inform the regulatory framework for Consent Managers.
1. Justice K.S. Puttaswamy v. Union of India (2017) - Informational Self-Determination
| Aspect | Details |
|---|---|
| Citation | Writ Petition (Civil) No. 494 of 2012 |
| Bench | Nine-Judge Constitution Bench |
| Date | 24-08-2017 |
Relevance to Consent Managers:
The Puttaswamy judgment established that informational privacy is a fundamental right, which includes the right to control how one's personal data is processed:
"Informational privacy is a facet of the right to privacy. It reflects an interest in preventing information about the self from being disseminated and controlling the extent of access to such information."
Key Principles:
- Individuals have a constitutional right to control their personal information
- Consent must be meaningful, not just formal
- Data subjects should have visibility into who processes their data
- Centralized consent management serves constitutional privacy interests
Consent Manager Relevance: The Consent Manager framework directly implements the "informational self-determination" principle by giving individuals a single point of control over their data consents.
2. Union of India v. Subhash Chandra Agrawal (2023) - Fiduciary Relationships
| Aspect | Details |
|---|---|
| Citation | W.P.(C) 4288/2012 |
| Court | High Court of Delhi |
| Judgment Importance | Landmark Judgment |
| Date | 20-12-2023 |
Facts: The Central Information Commission ordered disclosure of legal opinions, raising questions about fiduciary relationships and confidentiality obligations.
Holding: The Delhi High Court clarified fiduciary obligations:
"A fiduciary relationship imposes duties of loyalty, confidentiality, and acting in the beneficiary's interest. When a party holds information in a fiduciary capacity, disclosure is restricted to protect the beneficiary's interests."
Key Principles:
- Fiduciary duty requires acting in the beneficiary's (not fiduciary's) interest
- Confidential information held in trust cannot be disclosed without consent
- The relationship creates legal obligations beyond mere contract
- Conflicts of interest must be avoided or disclosed
Consent Manager Relevance: Consent Managers have fiduciary duties to Data Principals (the beneficiaries). They must:
- Act in Data Principals' interests, not Data Fiduciaries'
- Maintain confidentiality of consent information
- Avoid conflicts of interest (no favoring certain Data Fiduciaries)
- Ensure transparency in operations
3. Lotus Pay Solutions v. Union of India (2022) - Regulatory Framework for Data Intermediaries
| Aspect | Details |
|---|---|
| Citation | W.P.(C) 8215/2020 |
| Court | High Court of Delhi |
| Date | 15-09-2022 |
Facts: Payment aggregators challenged RBI's authority to impose net-worth requirements, authorization mandates, and escrow account obligations.
Holding: The Delhi High Court upheld regulatory authority over data intermediaries:
"Payment aggregators are 'designated payment systems' under the Payment and Settlement Systems Act. RBI's guidelines on authorization, net-worth, and escrow mandates are within statutory powers and serve public interest. Functional analysis, not formal label, determines regulatory coverage."
Key Principles:
- Intermediaries handling sensitive data/transactions are subject to regulatory oversight
- Net-worth requirements ensure operational capacity and public protection
- Authorization/registration mandatory for designated intermediary functions
- Functional role (what you do) matters more than label (what you call yourself)
Consent Manager Relevance: Directly analogous to the Consent Manager framework:
- ₹2 crore net-worth requirement parallels RBI's capital adequacy norms
- Registration with Data Protection Board parallels RBI authorization
- Fiduciary obligations parallel payment aggregator escrow requirements
- Functional definition prevents regulatory arbitrage
4. Dr. A.K. Belwal v. A.K. Bhardwaj (2010) - Intermediary Communications Protection
| Aspect | Details |
|---|---|
| Citation | W.P.(C) No. 10978 of 2005 |
| Court | High Court of Delhi |
| Date | 27-04-2010 |
Facts: A challenge was made to communications between counsel and client, seeking to expose the content of privileged communications.
Holding: The Delhi High Court protected intermediary communications:
"Communications between counsel and client are privileged. Third parties cannot challenge such communications in writ proceedings. The judgment reaffirms that privileged communications cannot be subjected to scrutiny at the instance of third parties."
Key Principles:
- Intermediary communications in fiduciary relationships are protected
- Third parties cannot demand disclosure of confidential communications
- The intermediary-beneficiary relationship creates legal immunity
- Courts protect the integrity of fiduciary channels
Consent Manager Relevance: Consent Managers' communications with Data Principals should enjoy similar protection:
- Consent records are confidential between Consent Manager and Data Principal
- Data Fiduciaries cannot demand access to internal consent management records
- Third parties cannot challenge consent decisions made through Consent Managers
- The channel itself is protected, not just the content
Summary: Judicial Framework for Consent Manager Operations
| Principle | Judicial Source | Consent Manager Application |
|---|---|---|
| Informational self-determination | Puttaswamy (2017) | Central consent control is a constitutional right |
| Fiduciary duty to beneficiary | Subhash Agrawal (2023) | Must act in Data Principal's interest |
| Regulatory oversight valid | Lotus Pay (2022) | Net-worth, registration requirements lawful |
| Communications protected | Belwal (2010) | Consent records confidential |
Section 4: Business Model Analysis
Revenue Streams
1. Data Fiduciary Fees
- Per-consent transaction fees
- Monthly/annual subscription model
- Volume-based pricing tiers
2. Data Principal Premium Services
- Basic service: Free
- Premium features: Subscription
- Advanced analytics: Paid
- Priority support: Paid
3. Enterprise Solutions
- White-label consent management
- Integration services
- Compliance consulting
- Training and support
Cost Structure
| Cost Category | Estimated Annual (₹) |
|---|---|
| Technology infrastructure | 50 lakhs - 2 crore |
| Compliance and legal | 30-75 lakhs |
| Security and audits | 25-50 lakhs |
| Personnel | 1-2 crore |
| Insurance | 10-25 lakhs |
| Marketing and BD | 25-75 lakhs |
| Total Estimated | 2.4 - 6.25 crore |
Revenue Projections (Illustrative)
| Year | Data Fiduciary Clients | Transactions | Revenue (₹) |
|---|---|---|---|
| Year 1 | 50 | 1 million | 1 crore |
| Year 2 | 200 | 10 million | 5 crore |
| Year 3 | 500 | 50 million | 15 crore |
| Year 5 | 1,500 | 250 million | 50 crore |
Assumptions: ₹1 per transaction average, growing volumes
Break-Even Analysis
With:
- Initial investment: ₹5 crore
- Annual operating costs: ₹3 crore
- Revenue per transaction: ₹1
- Year 2 projections: 10 million transactions
Break-even achievable in Year 2-3 with successful market penetration.
Section 5: Market Opportunity
Addressable Market
Data Fiduciary Side:
- ~1 million registered companies in India
- ~10,000+ with significant personal data processing
- Banking, insurance, healthcare, e-commerce primary targets
Data Principal Side:
- 800+ million internet users in India
- Growing privacy awareness
- Preference for centralized control
- Digital-first younger demographics
Competitive Landscape
Potential Entrants:
- Account Aggregator-adjacent players (already have infrastructure)
- Fintech companies with consent experience
- Identity management startups
- Large IT services companies
- Telecom companies (customer reach)
Barriers to Entry:
- ₹2 crore net worth requirement
- Technical complexity
- Regulatory compliance burden
- Network effects once established
Strategic Considerations
First-Mover Advantages:
- Establish Data Fiduciary relationships
- Build Data Principal trust
- Set industry standards
- Capture market share before competitors
Late-Mover Advantages:
- Learn from early mistakes
- Benefit from market education
- Enter with better technology
- Compete on price/features
Section 6: Compliance Burden Assessment
Ongoing Compliance Requirements
| Requirement | Burden Level | Mitigation |
|---|---|---|
| Board reporting | Medium | Automate reporting |
| Audit mechanisms | High | Continuous compliance tools |
| Record retention | Medium | Cloud storage solutions |
| Security maintenance | High | Dedicated security team |
| Conflict management | Medium | Governance policies |
| Platform uptime | High | Redundant infrastructure |
Regulatory Risk Factors
1. Changing Standards
- Board may update compliance frameworks
- Technical specifications may evolve
- New obligations possible
2. Enforcement Uncertainty
- New regulator finding its footing
- Penalty interpretations unclear
- Inspection frequency unknown
3. Registration Revocation
- Continued eligibility required
- Net worth maintenance mandatory
- Any violation risks revocation
4. Liability Exposure
- Data breaches
- Service failures
- Regulatory penalties
- Civil claims from Data Principals
Insurance Considerations
Recommended coverages:
- Professional indemnity
- Cyber liability
- Directors and officers liability
- Business interruption
- Regulatory defense costs
Section 7: Opportunity vs. Burden Assessment
For Whom is This an Opportunity?
Strong Fit:
- Existing consent/identity management platforms
- Account Aggregator ecosystem participants
- Fintech companies with compliance infrastructure
- Large IT companies seeking new revenue streams
- Companies with existing Data Fiduciary relationships
Factors Favoring:
- Established technical capabilities
- Existing regulatory compliance experience
- Customer base in target sectors
- Capital availability
- Long-term strategic vision
For Whom is This a Burden?
Challenging For:
- Small startups without capital
- Companies without compliance expertise
- Entities seeking quick returns
- Those without technical platforms
- Companies with potential conflicts of interest
Warning Signs:
- Underestimating compliance costs
- Lacking technical depth
- No clear path to Data Fiduciary adoption
- Insufficient capital runway
- Management inexperience in regulated industries
Decision Framework
Should You Become a Consent Manager?
├─ Do you have ₹2+ crore net worth?
│ └─ No → Explore partnerships or wait
│
├─ Do you have existing consent/identity platform?
│ └─ No → Build vs. buy analysis needed
│
├─ Do you have regulatory compliance experience?
│ └─ No → Partner with compliance experts
│
├─ Can you sustain 3+ years without profit?
│ └─ No → Consider revenue-sharing models
│
├─ Do you have Data Fiduciary relationships?
│ └─ No → BD-heavy strategy required
│
└─ Strategic fit with core business?
  └─ No → May be diversification distraction
Section 8: Practical Recommendations
For Aspiring Consent Managers
Now (Before November 2026):
- Assess eligibility gap
- Build capital to meet net worth
- Develop technical platform
- Engage compliance consultants
- Establish Data Fiduciary relationships
Application Phase:
- Complete documentation
- Submit early in window
- Engage with Board proactively
- Prepare for due diligence
- Plan launch upon approval
Post-Registration:
- Invest in marketing to Data Principals
- Build Data Fiduciary integration pipeline
- Focus on user experience
- Maintain compliance rigorously
- Monitor regulatory developments
For Data Fiduciaries
Consider:
- Early adoption may simplify consent management
- Competitive advantage in privacy-conscious markets
- Reduced direct compliance burden
- Interoperability benefits
Evaluate:
- Consent Manager selection criteria
- Integration requirements
- Liability allocation
- Cost-benefit analysis
For Data Principals
What to Expect:
- Centralized consent dashboard (from late 2026)
- Easier consent management across services
- Better visibility into who has your data
- Simpler consent withdrawal process
Cautions:
- Consent Manager is another data touchpoint
- Verify registration before use
- Understand their data handling
- Don't share more than necessary
Conclusion
Consent Managers under DPDP represent a significant innovation in privacy infrastructure. Whether they're an opportunity or burden depends entirely on the entrant's profile:
Opportunity for:
- Well-capitalized entities with technical platforms
- Existing players in identity/consent management
- Long-term strategic investors
- Companies with Data Fiduciary relationships
Burden for:
- Under-capitalized startups
- Entities without compliance experience
- Those seeking quick returns
- Companies without clear strategic fit
The 12-month window before Rule 4 takes effect provides time to assess, prepare, and decide. Those who enter should do so with eyes open to both the potential rewards and the significant compliance obligations.