DPDP Consent Manager Framework: What Indian Businesses Must Prepare for Before November 2026
- Kaustav Chowdhury

India's data protection regime is entering a critical transition period. The Digital Personal Data Protection Act 2023, along with the Data Protection Rules 2025 notified in November 2025, establishes a two-phase implementation roadmap. Phase 1, already underway, focuses on core notice and consent obligations and breach reporting requirements. Phase 2, commencing in November 2026, introduces the Consent Manager framework, a novel intermediary institution that will mediate data collection and consent management. Every organization handling personal data of Indian residents must understand what Consent Managers are, why they are needed, and what operational changes will be required. The transition will reshape how Indian businesses obtain, manage, and document customer consent.
Phase 1 Obligations: Notice, Consent, and Breach Notification
The DPDP Act and Rules currently in force establish baseline data protection obligations that all organizations must implement immediately. Data Fiduciaries (organizations collecting personal data) must provide notice to Data Principals (individuals) before or at the time of data collection. The notice must specify the purpose of collection, categories of data being collected, the Data Fiduciary's identity and contact information, the duration for which data will be retained, and the individual's rights (right of access, correction, deletion, portability, and grievance redressal). Consent must be obtained from the individual before processing their data, and the consent must be freely given, specific, informed, and documented. Organizations cannot collect blanket consent; each purpose requires separate documented consent. Data Breaches must be reported to the Data Protection Board within 72 hours of discovery, and affected individuals must be notified without undue delay. While Phase 1 obligations are foundational, many Indian companies are still grappling with compliance. Small and medium enterprises, in particular, lack dedicated data protection infrastructure. Nevertheless, the clock is ticking toward Phase 2's more comprehensive framework.
What Are Consent Managers? The Intermediary Model
A Consent Manager, as envisioned in the DPDP Rules, is a specialized intermediary institution authorized to manage consent on behalf of Data Fiduciaries and Data Principals. Rather than each organization directly obtaining and managing consent from individuals, the consent process flows through a Consent Manager. An individual visiting a website or using an app encounters a consent interface provided by the Consent Manager, not by the individual company. The Consent Manager securely records the individual's consent preferences, communicates these preferences to Data Fiduciaries, and maintains an auditable record of all consent transactions. This model is inspired by global frameworks like the European Union's approach to data intermediaries and represents a shift from direct bilateral data relationships to regulated intermediation. The Consent Manager assumes fiduciary obligations toward both the Data Principal and the Data Fiduciary, creating accountability at a system level. For Data Principals, a Consent Manager provides a centralized dashboard to review, modify, and withdraw consent across multiple organizations. For Data Fiduciaries, engaging a Consent Manager delegates the technical and operational complexity of consent management to a regulated specialist.
Consent Manager Registration: Requirements and Eligibility
The DPDP Rules establish strict eligibility criteria for entities seeking to operate as Consent Managers. A Consent Manager must be an Indian company registered under the Companies Act 2013. It must have a minimum net worth of Rs 2 crore, ensuring financial stability and solvency. It must register with the Data Protection Board, the regulatory authority established under the DPDP Act, and undergo detailed scrutiny of its governance, technical infrastructure, security protocols, and complaint handling mechanisms. The Board will issue Consent Manager licenses following this assessment. Licensed Consent Managers are treated as regulated intermediaries and subject to ongoing oversight. They cannot be casual technology platforms; they are essential infrastructure for India's data protection ecosystem. Only a limited number of Consent Managers are expected to be authorized initially, creating a consolidation of this function. Large tech companies, fintech platforms, and new specialized startups are expected to be among the first applicants. The registration process is expected to open in November 2026, though the Data Protection Board is likely to issue detailed guidance on applications in advance.
Operational Changes for Data Fiduciaries
Looking Ahead: Full Compliance and Strategic Preparation
The final deadline for comprehensive DPDP compliance is May 2027, providing organizations with roughly 14 months from the November 2026 Consent Manager launch to complete full integration. However, strategic preparation must begin immediately. Organizations should audit their current data practices, document the purposes for which they collect personal data, map data flows, and assess gaps against the DPDP requirements. They should identify potential Consent Manager partners and begin preliminary discussions. Legal and compliance teams should monitor Data Protection Board notifications, which will provide implementation guidance as the November 2026 milestone approaches. The DPDP framework represents a maturation of India's data protection aspirations. Unlike earlier privacy frameworks which were often aspirational, the DPDP Act is operational and enforceable. The Consent Manager model, while novel, reflects global trends toward intermediary-based governance of data flows. Organizations that prepare proactively will navigate the transition smoothly. Those that defer preparation until late 2026 will face compressed timelines and increased risk of compliance failures.