Consent Managers under the DPDP Rules, explained

Most of the DPDP Act maps to ideas other privacy laws already had. Consent Managers do not. They are an Indian invention: registered intermediaries through which a person can give, manage, review, and withdraw consent across many services from a single dashboard. GDPR has nothing comparable.

If the model sounds familiar, it should. India already runs it for financial data: the Account Aggregator framework, where licensed intermediaries move consent for bank data sharing. Consent Managers generalize that pattern to all personal data.

What the law actually says

Section 6(7) to 6(9) of the Act sketch the role: a Data Principal may give, manage, review, or withdraw consent through a Consent Manager, who is accountable to the Data Principal and acts on their behalf. Every Consent Manager must be registered with the Data Protection Board.

The 2025 Rules fill in the operating conditions. The First Schedule sets registration requirements, including:

• An Indian company with a minimum net worth of ₹2 crore
• Interoperable platform standards, so consents move across services cleanly
• A fiduciary duty to the user: no conflicts of interest with the Data Fiduciaries they connect to
• No reading the personal data in transit; the consent flows through, the contents do not
• Record-keeping for consents given, denied, and withdrawn, available to the user

The dates

Registration opens on 14 November 2026, twelve months after the Rules were notified. Until then, no company can lawfully present itself as a registered Consent Manager, whatever its marketing says. The substantive consent obligations for businesses land six months later, on 13 May 2027. The full sequence is in the DPDP timeline.

What changes for your business

When the system goes live, a user may show up having granted or withdrawn consent through their Consent Manager rather than your banner. Your obligations as a Data Fiduciary do not shrink, they grow a channel:

1. You must honor consents and withdrawals arriving via a registered Consent Manager, same as ones from your own banner.
2. Your consent records need to capture which channel the consent came through.
3. Your withdrawal handling has to fire regardless of where the withdrawal happened: scripts stop, processors get told, data gets erased on schedule.

None of that replaces your own collection. The banner, the Section 6 consent mechanics, the notice, the receipts: those stay yours. A Consent Manager is an extra door into the same room, and the room has to be in order first.

Will small businesses have to integrate?

The Act does not force every Data Fiduciary to connect to every Consent Manager on day one, and interoperability standards are still being operationalized. Practically: watch the register from November 2026, and pick consent tooling that plans to speak the protocol so integration is a toggle rather than a rebuild. Skope is built to integrate with the framework the day it goes live.

Why this is good news, mostly

A working Consent Manager ecosystem moves trust from each website's banner to audited intermediaries, which helps small businesses most: you inherit credibility you did not have to build. The cost is operational discipline. Consent state now changes from outside your site, and systems that treat the banner as the single source of truth will drift. Tamper-evident records with channel attribution stop being nice-to-have.