Schedule I: Consent Manager
Schedule I of the Draft Digital Personal Data Protection Rules, 2025 is devoted entirely to Consent Managers, an essential innovation of the DPDPA framework. The Schedule is divided into two parts:
- Part A – Conditions for Registration of a Consent Manager.
- Part B – Obligations of a Consent Manager after registration.
Together, they ensure that only competent, trustworthy, and secure entities can act as Consent Managers, and that once registered, they remain accountable to both Data Principals (individuals) and the Data Protection Board.
Part A – Conditions for Registration of a Consent Manager
To qualify for registration, a Consent Manager must meet specific standards. These are meant to ensure technical robustness, financial stability, and organizational credibility.
Technical Capacity
A Consent Manager must demonstrate that it has the technological infrastructure to handle large-scale consent requests securely.
This includes systems for real-time consent capture, withdrawal, modification, and storage, all protected with encryption, access control, and audit trails.
If a crypto exchange wants to operate as a Consent Manager, it must be able to securely manage millions of consents related to KYC documents, ensuring that consent withdrawals are reflected immediately across partner platforms.
Financial Capacity
The entity must have the financial resources to operate sustainably. Consent Managers will be dealing with sensitive personal data at scale, so underfunded or unstable operators are not acceptable.
If a start-up fintech firm applies to become a Consent Manager, it must prove that it has enough capital and reserves to maintain uninterrupted services, even during technical crises.
Organizational Capacity
The entity must have qualified personnel, clear governance structures, and internal policies to handle compliance and grievances effectively.
A telecom operator wishing to register as a Consent Manager must show that it has a dedicated compliance team, a grievance redressal mechanism, and officers responsible for responding to queries from both users and the Board.
To qualify for registration, a Consent Manager must meet all three capacities — technical, financial, and organizational. Falling short on any one of these may disqualify the entity from registration.
Part B – Obligations of a Consent Manager after registration
Once registered, a Consent Manager takes on legal obligations that ensure it remains reliable, independent, and user-centric.
Transparency and Accessibility
A Consent Manager must provide a simple, user-friendly interface through which Data Principals can manage their consents.
It should clearly display what data is being requested, who is requesting it, and for what purpose, in multiple languages where necessary.
A retail e-commerce giant seeking consent for marketing emails must channel the request through a Consent Manager’s platform, where a user can clearly see the option to accept or reject without confusion.
Neutrality and Independence
A Consent Manager must remain neutral, meaning it cannot prioritize or favor one Data Fiduciary (such as a particular bank or social media platform) over others. Its role is to serve the individual, not corporate interests.
If both ABC Bank and XYZ Insurance send consent requests, the Consent Manager must display them fairly to the user, without making one look more attractive or easier to accept.
Secure Record-Keeping
The Consent Manager must maintain verifiable records of when consent was given, modified, or withdrawn. These records must be available as proof during audits, disputes, or investigations.
If a stock broking company claims that an investor agreed to share portfolio data with a third-party analytics service, the Consent Manager’s records must confirm whether and when such consent was granted.
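The verifiable record-keeping described here, and the audit trail mentioned under Technical Capacity, can be illustrated with an append-only, hash-chained consent ledger. This is an added example, not code from the Rules or from any Consent Manager; the principal, fiduciary and purpose values are constructed, and the chaining scheme (SHA-256 over canonical JSON) is an assumption about one reasonable design.

```python
import hashlib
import json
from datetime import datetime, timezone
# Added example, not from the Rules or any real Consent Manager: an
# append-only, hash-chained ledger of consent events. Every entry commits to
# the previous entry's hash, so an auditor can detect any later alteration.
ACTIONS = {"GRANT", "MODIFY", "WITHDRAW"}
GENESIS = "0" * 64


def _digest(entry):
    # Canonical JSON (sorted keys) so the same entry always hashes identically.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    def __init__(self):
        self.entries = []

    def record(self, principal, fiduciary, purpose, action, at=None):
        """Append one consent event; `at` is an ISO 8601 timestamp (default: now, UTC)."""
        if action not in ACTIONS:
            raise ValueError(f"unknown consent action {action!r}")
        entry = {
            "seq": len(self.entries),
            "at": at or datetime.now(timezone.utc).isoformat(),
            "principal": principal,   # Data Principal identifier (constructed value)
            "fiduciary": fiduciary,   # Data Fiduciary that requested the consent
            "purpose": purpose,
            "action": action,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def status(self, principal, fiduciary, purpose):
        """Latest action and timestamp for one principal/fiduciary/purpose, or None."""
        for e in reversed(self.entries):
            if (e["principal"], e["fiduciary"], e["purpose"]) == (principal, fiduciary, purpose):
                return e["action"], e["at"]
        return None

    def verify(self):
        """Recompute every hash and back-link; False if any entry was altered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

In a dispute like the stock-broking case above, `status()` answers whether and when consent was granted or withdrawn, while `verify()` shows the auditor that the ledger itself has not been edited after the fact.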
Grievance Redressal
The Consent Manager must provide a channel for Data Principals to raise complaints about consent handling, and these must be addressed promptly.
If Krishna withdraws his consent for receiving promotional SMS from a pharmaceutical chain but still receives them, he can complain to the Consent Manager. The Consent Manager is then obliged to investigate and act.
Compliance with the Board
The Consent Manager must cooperate fully with the Data Protection Board of India, including during audits or inquiries. It must provide data, system logs, and other evidence when demanded.
Security Safeguards
As Consent Managers handle highly sensitive personal data, they are required to implement robust security safeguards:
- Encryption
- Intrusion detection systems
- Employee access controls
- Regular security audits
If a hospital chain uses a Consent Manager to manage patient consents for sharing medical data with research labs, the Consent Manager must ensure the data cannot be intercepted or altered by attackers.
Consent Managers must remain transparent, neutral, secure, and accountable at all times. Any lapse in these obligations can result in loss of trust, penalties, or cancellation of registration.
Importance of Consent Managers
The idea of Consent Managers is unique to India’s data protection model. Instead of leaving individuals to struggle with dozens of different privacy settings across various platforms, a single Consent Manager can act as a trusted hub for all consent-related activities.
- For individuals, it means real control: one platform to check, grant, or withdraw consent across banks, insurers, e-commerce sites, healthcare providers, and more.
- For organizations, it creates standardization and accountability, ensuring that consents are captured and stored in a legally valid way.
- For regulators, it provides a clear audit trail, making enforcement much easier.