By Col Binoj Koshy (on LinkedIn).
- The Digital Personal Data Protection Act, 2023 (Act) and the draft Digital Personal Data Protection Rules, 2025 (Rules) mark a significant step in India’s journey toward a robust data protection framework. Both emphasize the central place of consent in the processing of personal data. Consent Managers play a crucial role in upholding data privacy and ensuring that Data Principals retain control over their personal data; a Consent Manager ensures transparency and accountability in managing Data Principal consents. The law also assigns a Consent Manager a larger role, with greater responsibilities, accountability and answerability (to the Government and the regulator), than it assigns to a Data Protection Officer (DPO). Here are some key takeaways from an Indian perspective:
(a) Establishing a Comprehensive Framework: The Act and Rules provide a comprehensive framework for regulating digital personal data processing in India. They establish the core principles of data protection, including lawfulness, fairness, transparency, purpose limitation, and data minimization.
(b) Empowering Data Principals: The Act and Rules give individuals (Data Principals) greater control over their personal data. They provide Data Principals with rights to access information about their personal data, to have it corrected, completed, updated or erased, to seek grievance redressal, and to nominate another individual to exercise these rights in the event of death or incapacity.
(c) Regulating Data Fiduciaries: The Act and Rules place obligations on entities (Data Fiduciaries) that determine the purpose and means of processing personal data. A Data Fiduciary must obtain the Data Principal’s consent before processing her data (unless the processing falls within a ‘certain legitimate use’ recognised by the Act), must implement reasonable security safeguards, and must intimate the Board and the affected Data Principals of a personal data breach.
(d) Establishing a Regulatory Body: The Act provides for establishing a Data Protection Board of India (Board) to oversee the implementation of the Act. The Board has the power to investigate complaints, issue directions, adjudicate and impose penalties.
(e) Balancing Growth and Innovation: The Act and Rules aim to balance data protection with the need to foster growth and innovation in the digital economy. They exempt certain processing from parts of the Act, such as processing for research, archiving or statistical purposes, and recognise ‘certain legitimate uses’ for which separate consent is not required, including processing of personal data that the Data Principal has voluntarily provided for a specified purpose.
Significance of the enactment of India DPDP from an International Perspective
- The DPDP Act and Rules signal India’s commitment to aligning with international data protection standards. The Act draws inspiration from frameworks like the GDPR, incorporating concepts such as the right to erasure of personal data and data protection impact assessments (the latter mandated for Significant Data Fiduciaries). This alignment can foster trust and facilitate cross-border data flows, benefiting India’s participation in the global digital economy.
Consent Manager and Data Protection Officer (DPO)
- The Digital Personal Data Protection Act, 2023 (Act) and the draft Digital Personal Data Protection Rules, 2025 (Rules) introduce the concept of a Consent Manager. A Consent Manager is an entity registered with the Data Protection Board of India (Board) that acts as an intermediary between Data Principals and Data Fiduciaries, facilitating the management of consent for data processing, and is accountable to the Data Principal as per the law.
- The Act refers to the Data Protection Officer (DPO) only twice, while the Rules refer to the DPO in about five instances. By contrast, the term ‘Consent Manager’ appears about eleven times in the Act and about thirty-nine times in the Rules.
- As specified in the Act, the Consent Manager shall be directly accountable to the Data Principal.
- Whereas the DPO will be specifically accountable to the organization that she represents.
- The details of the Consent Manager will be public (to enable a Data Principal to exercise the rights provided under the Act) and will have to be published on its website. Additionally, a Consent Manager shall publish on its website or app, or both (as the case may be):
(a) the details of the means using which a Data Principal may make a request for the exercise of such rights; and
(b) the particulars, if any, such as the username or other identifier of such a Data Principal, which may be required to identify her under its terms of service.
- Therefore, registration with the Board is mandatory for any entity that acts as a Consent Manager, and the details of the entity so registered will be intimated to the Board. (Note that the Act permits, rather than compels, the use of a Consent Manager: under section 6 of the Act a Data Principal may give, manage, review or withdraw her consent to a Data Fiduciary through a Consent Manager.)
- Whereas the DPO is not a mandatory designation unless the organization has been notified as a ‘Significant Data Fiduciary’. A Data Fiduciary that is not so notified need only publish the business contact information of a DPO ‘if applicable’, or of a person able to answer on its behalf the questions raised by a Data Principal about the processing of her personal data; nor, for such a Data Fiduciary, is any registration of DPO details with the Board contemplated.
- Rule 9 states that every Data Fiduciary shall prominently publish on its website or app, and mention in every response to a communication for the exercise of the rights of a Data Principal under the Act, the business contact information of the DPO, if applicable. The qualifier ‘if applicable’ confirms that the appointment of a DPO is not mandatory for every Data Fiduciary under the Rules.
- Rule 12, concerning the additional obligations of Significant Data Fiduciaries, states that a Significant Data Fiduciary shall cause the person carrying out the Data Protection Impact Assessment and audit to furnish to the Board a report containing significant observations from that assessment and audit. The Rules do not specify whether this person is the DPO or another individual.
- For any other Data Fiduciary, the functions associated with a DPO can be discharged by any other earmarked person (who need not carry the DPO designation). A designated DPO is mandated only where the organization has been notified as a ‘Significant Data Fiduciary’.
Significance and Importance of Consent Managers
- A Consent Manager is a significant component of the DPDP Act and Rules. It is defined as a person registered with the Data Protection Board of India (Board) who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform. The significance of the designation as per the Law:
(a) Streamlining Consent Management: Consent Managers simplify the process of obtaining, managing, and withdrawing consent for data processing. They provide a centralized platform where Data Principals can easily give, review, and modify their consent preferences.
(b) Empowering Data Principals: Consent Managers empower Data Principals by giving them greater control over their personal data. Through an accessible and transparent platform, Data Principals can make informed decisions about how their data is used and shared.
(c) Facilitating Compliance: Consent Managers assist Data Fiduciaries in complying with the DPDP Act and Rules. By managing consent preferences, Consent Managers help Data Fiduciaries ensure they process personal data lawfully and ethically.
(d) Promoting Transparency: Consent Managers promote transparency in data processing activities. They maintain records of consent, ensuring that Data Principals have access to information about how their data is being used.
(e) Building Trust: By simplifying consent management and empowering Data Principals, Consent Managers can help build trust between Data Principals and Data Fiduciaries. This trust is essential for fostering a healthy and ethical data ecosystem.
- Key responsibilities of a Consent Manager as per the Act and Rules:
(a) Act in a fiduciary capacity toward the Data Principal: This means that the Consent Manager must always act in the best interests of the Data Principal and prioritize the protection of their personal data.
(b) Ensure the confidentiality of personal data: The Consent Manager must ensure that personal data shared through it is handled in a manner that keeps the contents of that data unreadable by the Consent Manager itself.
(c) Maintain a record of consent-related activities: This includes maintaining a record of consents given, denied, or withdrawn; notices related to consent requests; and sharing of personal data with third parties. These records must be maintained for at least seven years or longer if required by law.
(d) Avoid conflict of interest with Data Fiduciaries: The Consent Manager must have measures to ensure that no conflict of interest arises due to relationships with Data Fiduciaries. This includes avoiding directorship, financial interest, employment, or beneficial ownership in Data Fiduciaries.
(e) Transparency: The Consent Manager must publish information about its company, including details of its promoters, directors, key managerial personnel, and shareholding patterns, in an easily accessible manner on its website or app.
(f) Audits and Compliance: The Consent Manager must have effective audit mechanisms to ensure compliance with the Act and Rules. This includes reviewing and monitoring technical and organizational controls, systems, procedures, and safeguards.
Salient Difference between the “Data Protection Officer (DPO)” and “Consent Manager” in the DPDP of India
- The DPO and Consent Manager are two different roles within the DPDP framework, each with distinct responsibilities:
(a) Appointment: A DPO is appointed by the Data Fiduciary (mandatorily so by a Significant Data Fiduciary). By contrast, a Consent Manager, even where engaged by a Data Fiduciary, remains accountable to the Data Principal(s) and must be registered with the Data Protection Board of India. (Additionally, where a DPO is designated, her business contact information will be published on the organization’s website.)
(b) Accountability: A DPO is accountable to the Data Fiduciary, while a Consent Manager is accountable to the Data Principal.
(c) Responsibilities: A DPO is responsible for advising the Data Fiduciary on compliance with the DPDP Act, while a Consent Manager is responsible for providing a platform for Data Principals to give, manage, review, and withdraw consent for data processing (and will interface with the Data Principal for all such aspects, as a single point of contact).
(d) Focus: The role of a DPO is focused on compliance and advising, while the role of a Consent Manager is focused on consent management and acting in a fiduciary capacity towards the Data Principal. The Consent Manager is concurrently answerable to the Board, with which it is registered.
- In summary, the DPO and Consent Manager have distinct roles and responsibilities within the DPDP framework. The DPO is appointed by the Data Fiduciary and is responsible for advising on compliance with the DPDP Act. In contrast, the Consent Manager is registered with the Data Protection Board of India (Board) and is, additionally, accountable to the Data Principal, providing a platform for managing consent and acting in a fiduciary capacity. (Note: the GDPR does not explicitly define a role like the Consent Manager.)
Conclusion
- The role of a Consent Manager is a unique and important aspect of the Indian DPDP Act and Rules. It is a designated entity registered with the Board, acting as an intermediary between Data Principals and Data Fiduciaries to facilitate consent management for data processing. Any entity acting as a Consent Manager must be registered with the Board, and a Data Fiduciary may obtain, and a Data Principal may manage, consent through such a registered Consent Manager. In a country like India, with diverse demographics and varying levels of digital literacy, Consent Managers can play a crucial role in simplifying the understanding and management of consent for data processing. Hence, as per the law (once effective), the Consent Manager platform must be accessible, transparent and interoperable, enabling citizens to make informed decisions about the data they entrust to Data Fiduciaries. Given that India has a large and complex data ecosystem, with a significant amount of sensitive personal data being processed, Consent Managers can help ensure that such data is processed lawfully and ethically by facilitating clear and unambiguous consent. Furthermore, Consent Managers can help build trust between Data Principals and Data Fiduciaries by promoting transparency and accountability in data processing. This trust is crucial for fostering a healthy and ethical data ecosystem in India.
- Comparison with Global Laws: While many data protection laws globally emphasize consent as a lawful basis for data processing, the concept of a designated Consent Manager is not as prevalent. Laws like the GDPR focus on the obligations of Controllers and Processors to obtain and manage consent directly from data subjects (the GDPR’s equivalent of Data Principals).
- The introduction of Consent Managers in the Indian context can be seen as a proactive step toward simplifying consent management and empowering Data Principals in a complex and evolving digital landscape. It provides a unique approach to addressing the challenges of consent management in a country with diverse demographics and varying levels of digital literacy.