
How to Register as a Consent Manager Under the DPDP Act

Step-by-step guide to Consent Manager registration under India's DPDP Act 2023 — eligibility criteria, net worth requirements, technical standards, application process, and ongoing compliance obligations.

Last updated 15 February 2026 · 5 min read


What is the Consent Manager framework?

The Consent Manager framework is one of the most distinctive features of India's DPDP Act 2023. It is modeled partly on the successful Account Aggregator framework in India's financial sector. Consent Managers serve as trusted intermediaries that let data principals manage their consent across multiple data fiduciaries from a single platform.

For individuals, this means no more logging into dozens of different websites to review or withdraw consent. For data fiduciaries, it means a standardized mechanism for collecting, recording, and honoring consent — reducing compliance risk and improving trust.

Who is eligible to register as a Consent Manager?

Before beginning the registration process, organizations must meet several foundational eligibility criteria:

  • Entity Type: Must be incorporated in India as a company under the Companies Act, 2013, or registered as a limited liability partnership. Sole proprietorships, trusts, and foreign entities without Indian incorporation are not eligible.
  • Financial Requirements: Minimum net worth of Rs 2 crore, demonstrated through audited financial statements. This threshold may be reviewed and updated by the Data Protection Board.
  • Technical Capability: Must demonstrate the ability to build, operate, and maintain a consent management platform that meets prescribed interoperability and security standards.
  • Governance: Must have a qualified leadership team with demonstrated expertise in data protection, technology, or related domains. The board of directors (or equivalent) must include at least one member with data protection expertise.
  • No Conflict of Interest: Must be able to demonstrate that it can act independently in the interest of data principals without undue influence from data fiduciaries.

What are the step-by-step registration requirements?

Step 1 — Prepare your entity structure

Ensure your company is incorporated in India with the appropriate legal structure. Review your Articles of Association to confirm that consent management is within your stated business objectives. If necessary, amend your corporate documents before applying.

Step 2 — Meet the financial threshold

Obtain an audited certificate from a qualified Chartered Accountant confirming your net worth of Rs 2 crore or above. This must reflect the most recent financial year. If you are a startup, consider raising the necessary capital before applying.

Step 3 — Build your technology platform

Develop or procure a consent management platform that meets the technical standards prescribed by the Data Protection Board. Key requirements include:

  • RESTful APIs for data fiduciary integration
  • A data principal-facing dashboard (web and mobile)
  • End-to-end encryption for consent records
  • Audit trail for all consent transactions
  • Multi-language support (English plus at least one Scheduled Language)
  • 99.9% uptime SLA capability
  • Data residency within India

Step 4 — Develop compliance documentation

Prepare comprehensive documentation including a detailed business plan describing your consent management operations, a technology architecture document, a data protection and security policy, a business continuity and disaster recovery plan, a grievance redressal mechanism for data principals, and evidence of compliance testing.

Step 5 — Submit your application to the Data Protection Board

File your application with the Data Protection Board of India through the prescribed channel. Include all supporting documentation, financial certificates, technology architecture details, and evidence of capability.

Step 6 — Undergo Board review and assessment

The Data Protection Board will review your application, which may include requests for additional information, technical demonstrations of your platform, financial due diligence, and assessment of your operational readiness.

Step 7 — Receive registration and begin operations

Upon approval, you will receive your Consent Manager registration certificate. You may then begin onboarding data fiduciaries and offering consent management services to data principals.

What are the ongoing obligations after registration?

Registration is not a one-time event. Consent Managers must maintain continuous compliance:

  • Operational Standards: Maintain prescribed uptime, security standards, and interoperability. Regular technical audits may be required by the Board.
  • Financial Compliance: Continue to meet the minimum net worth requirement. Submit annual audited financial statements to the Board.
  • Record Keeping: Maintain detailed records of all consent transactions for the prescribed retention period. These records must be available for Board inspection.
  • Data Principal Advocacy: Act in the best interest of data principals at all times. This includes providing transparent information about how consent data is managed and promptly processing consent withdrawal requests.
  • Incident Reporting: Report any security incidents or breaches affecting consent records to the Data Protection Board without unreasonable delay.
  • Periodic Renewal: Undergo registration renewal as prescribed, demonstrating continued compliance with all requirements.

How does Anumiti support the Consent Manager ecosystem?

Anumiti KAVACH is designed to work seamlessly with the emerging Consent Manager infrastructure. Whether you are a data fiduciary integrating with Consent Managers or an organization building a Consent Manager platform, KAVACH provides the technical foundation:

  • Pre-built integration APIs compatible with Consent Manager standards
  • Consent record management with full audit trails
  • Multi-language consent notice generation
  • Real-time consent status synchronization
  • Compliance reporting aligned with Data Protection Board requirements

Contact our team to learn how KAVACH can accelerate your Consent Manager strategy.
