
DPDP Act Phase 2 Compliance 2026: Consent Manager Framework and Business Obligations

  • Writer: Kaustav Chowdhury
  • May 6

India's Digital Personal Data Protection Act 2023 and the DPDP Rules finalised in November 2025 are being implemented in phases, with 2026 serving as the critical year for businesses to prepare their compliance infrastructure. Phase 2 of the implementation, scheduled for November 13, 2026, introduces the Consent Manager Framework, a key mechanism through which individuals will exercise control over their personal data. Businesses operating as Data Fiduciaries must understand their obligations now and begin implementation to meet the compliance timeline.

The Three-Phase Implementation Timeline

The DPDP Act is being rolled out in three stages. Phase 1, which commenced on November 13, 2025, established the Data Protection Board of India as the adjudicatory body for complaints and enforcement. Phase 2, effective November 13, 2026, activates the Consent Manager Framework, requiring registered intermediaries to facilitate consent management between Data Principals and Data Fiduciaries. Phase 3, with a deadline of May 13, 2027, mandates full compliance with all provisions of the Act and Rules, including the complete set of obligations applicable to Data Fiduciaries and Significant Data Fiduciaries.

What Are Consent Managers Under the DPDP Rules

Consent Managers are entities registered with the Data Protection Board that act as intermediaries enabling Data Principals to manage, review, and withdraw their consent across multiple Data Fiduciaries through a single accessible platform. Rather than requiring individuals to navigate separate privacy settings for each service they use, Consent Managers provide a unified dashboard. They must be incorporated as companies in India with a minimum net worth of Rs 2 crore and must maintain interoperability standards prescribed by the Board. Consent Managers cannot process personal data for their own purposes and must maintain strict neutrality between Data Principals and Data Fiduciaries.

Key Compliance Obligations for Businesses in 2026

Businesses must create clear, itemised notices, separate from their standard terms of service, that explain what personal data is being collected and for what specific purpose. Where processing is consent-based, notices must include a dedicated communication mechanism allowing Data Principals to withdraw consent, exercise their rights, or submit grievances. Every Data Fiduciary must publish the contact details of a person who can answer Data Principals' questions about processing; appointing a formal Data Protection Officer based in India is mandatory only for Significant Data Fiduciaries. All Data Fiduciaries must implement reasonable security safeguards appropriate to the nature and volume of data processed, and establish mechanisms for responding to Data Principal rights requests within the prescribed timelines. Breach notification obligations require informing each affected Data Principal and the Data Protection Board without delay, followed by a detailed report to the Board within 72 hours of becoming aware of the breach (or such longer period as the Board permits on request).

Penalties for Non-Compliance

The DPDP Act provides for graded monetary penalties of up to Rs 250 crore per contravention, depending on the type and severity of the violation. The highest tier (Rs 250 crore) applies to failure to implement reasonable security safeguards; non-compliance with breach notification obligations and breach of obligations relating to children's data attract up to Rs 200 crore each, and breach of the additional obligations of a Significant Data Fiduciary up to Rs 150 crore, with other contraventions capped at Rs 50 crore. The Data Protection Board has the power to conduct inquiries, issue directions, and impose penalties. The Act imposes civil monetary penalties only and creates no criminal liability, but the amounts are substantial enough to demand serious corporate attention.

Practical Takeaways for Businesses

Businesses should treat 2026 as their primary planning and implementation year. Key actions include conducting a data mapping exercise to understand what personal data is collected, stored, and processed across the organisation; revising privacy notices to meet the itemised, purpose-specific format required by the Rules; establishing a grievance redressal mechanism with prescribed response timelines; evaluating whether existing cybersecurity measures constitute reasonable security safeguards; and preparing breach response protocols including Board notification templates. Companies processing large volumes of data or handling sensitive categories should also assess whether they will be classified as Significant Data Fiduciaries, which carries additional obligations including data protection impact assessments and periodic audits.
