The rapid growth of e-commerce and the resulting permanent shift in how people purchase goods and services have led to a dramatic increase in the volume of online data transfers. As a result, for e-commerce transactions to remain commercially viable, businesses must ensure the seamless and efficient movement of large amounts of data. However, this surge in data exchanges also brings significant privacy concerns, particularly regarding sensitive information such as financial, medical, and personal data shared across various apps, social media platforms, and e-commerce sites.
Given these developments, data privacy has become an even more pressing issue in today’s landscape. A wide range of concerns must be addressed, including obtaining consent before data collection, maintaining the integrity of processing practices, ensuring the legality of data transfers (including cross-border transfers), ensuring proper and legitimate use of data, establishing grievance redress mechanisms, and ensuring data is deleted when no longer needed or upon request.
The Digital Personal Data Protection Act, 2023 (“DPDPA”) marks a transformative shift in India’s data privacy framework, emphasizing user empowerment, transparency, and accountability. Among its key provisions, the introduction of Consent Managers stands out as a significant innovation, designed to provide individuals (Data Principals) with greater control over their personal data while helping businesses (Data Fiduciaries) navigate compliance obligations efficiently.
Consent is fundamental in safeguarding the rights of individuals whose personal data is being processed, referred to as Data Principals. Under the DPDPA, several measures have been introduced to address the complexities surrounding the management of consent from Data Principals.
In this article, we will explore the provisions outlined in the DPDPA that aim to strengthen consent management processes. These measures are designed to ensure that individuals have clear, informed, and explicit control over the collection, use, and sharing of their personal data. By addressing these challenges, the DPDPA aims to enhance transparency and accountability, ensuring that consent is obtained in a manner that respects individuals’ privacy and legal rights. We will examine the key provisions of the DPDPA and Draft DPDP Rules, 2025 that address the need for obtaining, managing, and revoking consent, as well as the legal implications for organizations that fail to comply with these requirements.
To safeguard personal data and uphold individual autonomy, the DPDPA has introduced the concept of a Consent Manager. This carefully considered legislative measure facilitates the interaction between Consent Managers, Data Principals (individuals who share their personal data), and Data Fiduciaries (entities that collect and process this data). The primary role of Consent Managers is to oversee and manage the consent of Data Principals in a digital environment.
NITI Aayog, in a 2020 paper titled ‘Data Empowerment and Protection Architecture’ (“DEPA”), discussed the importance of Consent Managers. In a nutshell, it stated that individuals can securely access and share their data with third-party institutions through a new type of private Consent Manager. These managers allow users to provide granular, revocable, and auditable consent for every piece of data shared, using standard APIs. This replaces outdated, cumbersome methods like physical notarization and screen scraping, while fostering a competitive ecosystem of Consent Managers who can innovate and experiment with different business models. DEPA combines public digital infrastructure with private innovation, empowering individuals with more control over their data.
Definition and Purpose
As per the DPDPA, a Consent Manager is a “person registered with the Data Protection Board of India (“DPB”), who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.”
Under the DPDPA, Consent Managers must: (a) obtain registration from the DPB; (b) comply with prescribed technical, operational, financial, and other conditions; and (c) be accountable to Data Principals. The specific responsibilities of Consent Managers will be outlined in the rules issued under the DPDPA.
The use of Consent Managers provides advantages for both Data Fiduciaries and Data Principals. For Data Fiduciaries, Consent Managers simplify compliance with consent-related legal requirements, making it easier to manage and document user consent in line with regulatory obligations. For Data Principals, Consent Managers offer a streamlined and efficient way to grant, modify, and revoke consent, empowering them with greater control over how their personal data is shared. This enhanced efficiency in managing consent also leads to faster, more secure, and smoother data flows, reducing the complexities and risks associated with data exchanges.
Additionally, Consent Managers play a crucial role in helping Data Principals exercise their right to grievance redressal. With a more structured and transparent process in place, individuals can more easily address any issues related to their consent, ensuring that their concerns are handled efficiently and effectively. This creates a more accountable system that not only protects individuals’ data rights but also enhances their overall experience with data-sharing practices.
The concept of Consent Managers aligns with global data privacy best practices, but its implementation presents challenges that are key to ensuring transparency, security, and compliance with data protection laws.
Conflict of Interest Regulations
The DPDPA imposes strict rules to maintain the independence of Consent Managers, including restrictions on personnel holding positions in Data Fiduciaries, mandatory disclosure of financial interests for major shareholders, and board approval for ownership changes. While these measures build trust, they can discourage digital platforms from setting up systems due to compliance complexity and slower business decisions.
Record-Keeping and Audits
Consent Managers must retain detailed transaction logs for at least seven years to ensure accountability and legal protection. While this enhances transparency and aids in compliance, the long-term data retention raises operational costs, particularly for smaller businesses, and introduces cybersecurity risks if not well-protected.
Unclear Business Model
Consent Managers lack a clear revenue model, raising concerns over who will bear the costs - businesses, users, or the government. Without a sustainable business model, Consent Managers may struggle to gain industry adoption, affecting service quality and long-term viability.
Voluntary vs. Mandatory Adoption
Currently, Data Fiduciaries can manage user consent independently, making the role of Consent Managers optional. If this remains voluntary, many companies may avoid them, reducing their effectiveness. For Consent Managers to succeed, they need regulatory support, flexible compliance measures, and a business model that balances privacy protection with industry participation.
The introduction of Consent Managers represents a significant shift in India’s data protection landscape, aligning with global trends that prioritize user autonomy and accountability in data processing. The success of this framework will depend on regulatory flexibility, financial sustainability, and widespread industry adoption.
Rooted in the fundamental right to privacy under Article 21 of the Constitution of India, the DPDPA aims to establish a structured approach to data processing while preserving individual control over personal information. The introduction of Consent Managers also mirrors global movements toward user-centric data governance, as seen in frameworks like:
The European Union’s General Data Protection Regulation, which mandates explicit and informed consent for data processing.
India’s Account Aggregator framework, which allows users to securely control the sharing of their financial data.
Through the implementation of Consent Managers, the Indian government seeks to strike a balance between fostering digital innovation and ensuring robust privacy protection, offering individuals a transparent, standardized, and user-friendly mechanism to manage their data-sharing preferences.
To ensure Consent Managers are effective privacy tools, the following refinements are needed:
Regulatory Flexibility
Relax Conflict-of-Interest Rules: Easing restrictions on conflicts of interest will encourage more industry participation without compromising independence.
Clear Monetization Models: Consent Managers need a sustainable revenue model, whether through subscriptions, transaction fees, or government support.
Incentives for Adoption
Tax Benefits and Compliance Relief: Offering tax incentives or compliance relaxations for businesses adopting Consent Managers can encourage voluntary integration.
Government Support: Grants or subsidies for startups and smaller enterprises will ease the financial burden of compliance.
Industry Collaboration and Pilot Programs
Pilot Programs: Sector-specific pilots can help refine the regulatory framework and improve interoperability before full implementation.
Leverage Account Aggregator Insights: Applying lessons from India’s Account Aggregator model can enhance security, data portability, and standardization for Consent Managers.
The introduction of Consent Managers is a bold step towards empowering individuals and strengthening India’s data protection regime. However, its strict regulatory requirements, unclear financial model, and voluntary adoption framework pose significant challenges.
For Consent Managers to succeed, policymakers must strike a balance, ensuring robust user protection without overburdening businesses. Fine-tuning the DPDPA framework will be essential to making Consent Managers a practical, scalable, and effective solution rather than an onerous regulatory obligation.
About the author: Ketan Mukhija is a Senior Partner and Saurabh Arora is a Principal Associate at Burgeon Law.
Disclaimer: The opinions expressed in this article are those of the authors. The opinions presented do not necessarily reflect the views of Bar & Bench.