Consent Manager Integration
Plain English Translation
Under Section 6(7), the Act introduces a specialized entity called a Consent Manager. This is a registered third-party platform that enables a Data Principal to give, manage, review, and withdraw consent through a single accessible dashboard. Unlike a standard internal consent tool, a Consent Manager under the DPDP Act is accountable directly to the user, not the company. Organizations must technically integrate with these platforms to accept their signals, treating them as a valid consent platform under the DPDP Act for managing user rights.
Technical Implementation
Required Actions (startup)
- Monitor the release of technical standards for Consent Managers.
- Maintain a manual process to handle consent withdrawal requests forwarded by intermediaries.
Required Actions (scaleup)
- Implement webhooks to receive real-time consent updates from the DPDP consent management system.
- Automate the suppression of data processing upon receipt of a withdrawal signal.
Required Actions (enterprise)
- Full API integration with the ecosystem of registered consent managers.
- Real-time reconciliation of consent states between the Consent Manager and internal databases.
- Automated audit reporting on the latency and accuracy of processing external consent signals.
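The sketch below is an added example, not code from the DPDP Workbook or from any Consent Manager's published interface. It illustrates the scaleup and enterprise actions above: authenticating an incoming consent signal, applying it idempotently, suppressing processing on withdrawal, recording latency for audit, and reconciling against the Consent Manager's view. The JSON field names, the HMAC-SHA256 signing scheme, and the shared secret are assumptions, since the Board's technical standards are not reproduced on this page.

```python
import hashlib
import hmac
import json

# Assumption: signals are JSON bodies signed with HMAC-SHA256 using a shared
# secret agreed with the Consent Manager. Constructed value for the demo.
SECRET = b"constructed-demo-secret"


class ConsentStore:
    def __init__(self):
        self.state = {}    # (principal_id, purpose) -> (status, issued_at)
        self.seen = set()  # signal ids already handled (replay and retry guard)
        self.audit = []    # (signal_id, status, latency_seconds)

    def handle_signal(self, body: bytes, signature: str, received_at: float) -> str:
        expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "rejected"   # unauthenticated signals never change state
        sig = json.loads(body)
        if sig["signal_id"] in self.seen:
            return "duplicate"  # webhook retries must be idempotent
        self.seen.add(sig["signal_id"])
        key = (sig["principal_id"], sig["purpose"])
        current = self.state.get(key)
        if current and current[1] > sig["issued_at"]:
            return "stale"      # out-of-order delivery: keep the newer state
        self.state[key] = (sig["status"], sig["issued_at"])
        latency = received_at - sig["issued_at"]
        self.audit.append((sig["signal_id"], sig["status"], latency))
        return "applied"

    def may_process(self, principal_id: str, purpose: str) -> bool:
        # Design choice in this sketch: fail closed. A missing record or a
        # withdrawal both suppress consent-based processing.
        status = self.state.get((principal_id, purpose), ("withdrawn", 0))[0]
        return status == "granted"

    def reconcile(self, manager_view: dict) -> list:
        # Keys where the internal status disagrees with the Consent Manager.
        return sorted(k for k, status in manager_view.items()
                      if self.state.get(k, (None, 0))[0] != status)


def sign(payload: dict) -> tuple:
    # Helper for the demo: plays the Consent Manager's side of the exchange.
    body = json.dumps(payload, sort_keys=True).encode()
    return body, hmac.new(SECRET, body, hashlib.sha256).hexdigest()
```

Every processing job would call `may_process` before touching a Data Principal's data, and the `audit` list feeds the latency reporting named in the enterprise actions.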
A Consent Manager is a tool registered with the Board that acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.
Section 6(9) requires every Consent Manager to be registered with the Board subject to prescribed technical, operational, and financial conditions. Rule 4 specifies they must be an Indian company with a net worth of at least INR 20 million.
Under Section 6(8), the Consent Manager is accountable to the Data Principal and acts on their behalf. Obligations include avoiding conflict of interest, not sub-contracting key duties, and acting in a fiduciary capacity.
Consent Managers interact with Data Fiduciaries through an interoperable platform. Section 2(g) mandates this interoperability to allow seamless management of consent across different services.
The platform must be accessible, transparent, and interoperable (Section 2(g)). Detailed technical standards regarding data security and protocol integration are prescribed by the Board.
Yes, organizations can build internal systems, but the specific role of a Consent Manager defined in Section 2(g) refers to a registered third-party intermediary. Internal tools are for direct compliance by the Fiduciary.
Consent Managers primarily access data related to consent preferences (grant/withdraw) and necessary notices. They are obligated to ensure the contents of personal data are not readable while sharing data between parties.
Ensure the platform is registered with the Data Protection Board as per Section 6(9) and meets the financial and operational criteria set out in the rules, such as being a fit and proper person.
"The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager."
"The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-08 | WatchDog Security GRC Wiki Team | Initial publication from DPDP Workbook |