
Schedule I: PART A — Conditions for Registration of a Consent Manager

FIRST SCHEDULE [See rule 4] PART A — Conditions for Registration of a Consent Manager
  1. The applicant is a company incorporated in India.

  2. The applicant has sufficient capacity, including technical, operational and financial capacity, to fulfil its obligations as a Consent Manager.

  3. The financial condition and the general character of management of the applicant are sound.

  4. The net worth of the applicant is not less than two crore rupees.

  5. The volume of business likely to be available to and the capital structure and earning prospects of the applicant are adequate.

  6. The directors, key managerial personnel and senior management of the applicant company are individuals with a general reputation and record of fairness and integrity.

  7. The memorandum of association and articles of association of the applicant company contain provisions requiring that the obligations under items 9 and 10 of Part B are adhered to, that policies and procedures are in place to ensure such adherence, and that such provisions may be amended only with the previous approval of the Board.

  8. The operations proposed to be undertaken by the applicant are in the interests of Data Principals.

  9. It is independently certified that—
     (a) the interoperable platform of the applicant to enable the Data Principal to give, manage, review and withdraw her consent is consistent with such data protection standards and assurance framework as may be published by the Board on its website from time to time; and
     (b) appropriate technical and organisational measures are in place to ensure adherence to such standards and framework and effective observance of the obligations under item 11 of Part B.


1. The applicant must be a company incorporated in India

This ensures jurisdictional accountability — only companies governed by Indian law can operate as Consent Managers. It allows the Data Protection Board of India (DPBI) to enforce compliance and oversight directly under Indian regulations.

Example

A fintech startup registered under the Companies Act, 2013 in Bengaluru may apply to become a Consent Manager. However, a foreign company or offshore entity cannot be directly registered — it must be incorporated in India.


2. The applicant must have sufficient technical, operational, and financial capacity

The company must demonstrate it has the infrastructure, expertise, and financial resources to securely manage and process consent requests at scale. This includes:

  • Robust IT infrastructure for authentication, encryption, and data management.
  • Skilled staff in cybersecurity, compliance, and legal operations.
  • Sustainable financial health to maintain services long-term.

Tip

The DPBI may review infrastructure capacity (servers, APIs, uptime metrics) and compliance certifications such as ISO 27001 or SOC-2 to verify capability.


3. The financial condition and management integrity must be sound

The company’s balance sheet, governance structure, and leadership background must reflect financial stability and good ethical standing. The government wants to ensure that consent managers are not shell companies, bankrupt entities, or run by individuals with questionable records.

Example

A company with pending fraud litigation or unstable finances would likely fail this criterion. Similarly, companies under insolvency proceedings cannot qualify.


4. The net worth must be at least ₹2 crore

This rule sets a minimum capital requirement to ensure only financially strong and credible players operate as Consent Managers. A higher net worth threshold ensures operational continuity, consumer trust, and the ability to absorb risks such as data breaches or infrastructure upgrades.

Tip

Net worth = Total Assets – Total Liabilities (as per books of accounts).
The threshold ensures the company can afford secure infrastructure, compliance audits, and liability coverage.


5. The business volume, capital structure, and earning prospects must be adequate

The applicant must have a sustainable business model and long-term viability. The DPBI evaluates whether the company can maintain services without compromising privacy obligations for commercial reasons.

Example

A newly formed company projecting revenue only from data brokerage or ad targeting would not be considered appropriate.
However, a data-governance service provider with recurring institutional clients could qualify.


6. The management must have a reputation for fairness and integrity

The directors, key managerial personnel (KMPs), and senior managers should be individuals with a clean professional track record and a reputation for ethical behavior. This prevents entities led by persons previously involved in data-misuse or compliance violations from being approved.


7. Corporate documents must include adherence clauses

The Memorandum and Articles of Association (MoA & AoA) of the company must contain clauses ensuring:

  • Compliance with obligations listed in Part B (items 9 & 10) — mainly conflict-of-interest prevention.
  • Policies and procedures to enforce such compliance.
  • Amendments to these clauses require prior Board approval.

This ensures privacy obligations are embedded into the company’s core governance, not added as optional policies.

Example

Before changing its business scope or governance clauses, a Consent Manager must first obtain written approval from the DPBI, ensuring transparency and accountability.


8. Operations must serve the interests of Data Principals

Every activity of a Consent Manager must prioritise user benefit — not profit or data monetisation. The Consent Manager acts in a fiduciary capacity, meaning it must act in the best interest of the individual.

Tip

DPDPA Section 4 and Rule 6 reinforce this fiduciary duty — Consent Managers must enable privacy rights, not commercial exploitation.


9. Independent certification of technology and compliance

A third-party auditor must verify that:

(a) The company’s consent platform is interoperable and follows data protection standards published by the DPBI.
(b) Adequate technical and organisational controls (like encryption, authentication, monitoring) are implemented.

This certification ensures consistent security and interoperability among different Consent Managers.

Example

A Consent Manager’s system must allow users to manage consents from multiple data fiduciaries (like banks or hospitals) through a single interface — similar to how UPI works across banks.