Q2 - How do Consent Managers earn revenue if their role must remain neutral?

Answer

Under the Digital Personal Data Protection Act, 2023 (DPDPA), a Consent Manager acts as a neutral intermediary between individuals (Data Principals) and Data Fiduciaries. Its core responsibility is to facilitate, record, and manage consent in a transparent and interoperable manner — not to influence or monetise personal data directly.

Although Consent Managers must remain neutral and accountable to the Data Principal (Section 6(8)), they can still generate revenue through regulated, service-based business models that do not compromise neutrality, privacy, or independence.


1. Permitted Revenue Models

a. Subscription or Service Fees (B2B Model)
Consent Managers may charge Data Fiduciaries (e.g., companies, platforms, or service providers) for providing secure and standardised consent management APIs or dashboards.

  • These fees typically cover system integration, API maintenance, consent-log storage, and verification services.
  • Pricing models may include per-API-call costs, annual platform subscriptions, or enterprise licensing.

b. Platform-as-a-Service (PaaS) Model
Consent Managers can operate as regulated technology platforms offering consent orchestration tools or compliance infrastructure.
Data Fiduciaries integrate these systems to simplify user consent collection and withdrawal, and pay for usage.

c. Certification and Compliance Services
Consent Managers may offer optional tools that help Data Fiduciaries verify compliance with the DPDPA (e.g., consent dashboards, analytics, or record-keeping automation).
These are ancillary services provided within the framework of neutrality.

d. Government or Industry Funding
Since Consent Managers play a public-interest role in protecting data rights, they may receive:

  • Government grants or incentives for promoting digital trust ecosystems; or
  • Industry consortium support for maintaining open interoperability standards (similar to India’s Account Aggregator framework).

2. Activities They Cannot Monetise

  • Consent Managers cannot sell, trade, or use personal data for marketing or profiling.
  • They cannot prioritise or discriminate between Data Fiduciaries based on commercial relationships.
  • They must ensure full transparency about their fee structures and maintain equal access for all registered Fiduciaries and Data Principals.

Violations of neutrality or misuse of personal data can result in investigation and penalties by the Data Protection Board of India under Section 27(1)(c) and Section 33(1).


Example

A Consent Manager provides a secure consent-management API to multiple e-commerce and fintech platforms.
Each platform pays an annual subscription fee for integration and API maintenance.
The Consent Manager does not access or monetise customer data — it only facilitates consent exchange and maintains audit logs in compliance with the DPDPA.


Referenced Provisions:

  • Section 2(g) – Definition of Consent Manager.
  • Section 6(7)–(9) – Duties, neutrality, and registration of Consent Managers.
  • Section 27(1)(c) – Inquiry by the Data Protection Board into breaches by a Consent Manager.
  • Section 33(1) – Monetary penalties for non-compliance.