
The Digital Personal Data Protection (DPDP) regime in India establishes a structured mechanism for enabling Data Principals to exercise meaningful control over their personal data. At the centre of this framework lies the institution of the Consent Manager—a specialised, regulated entity entrusted with facilitating consent management, portability of consents, and transparency in data-sharing activities. Rule 4 of the DPDP Rules lays down a comprehensive set of conditions for registration, operational readiness, and ongoing obligations of Consent Managers. This article provides a detailed technical analysis of these requirements and their role in strengthening India’s data governance ecosystem.
A Consent Manager acts as a neutral intermediary that enables a Data Principal to give, manage, review, and withdraw consent for processing her personal data. Unlike Data Fiduciaries, the Consent Manager does not process personal data for its own purposes; instead, it operates an interoperable platform that ensures:
By design, a Consent Manager must act strictly in a fiduciary capacity, placing the interests of the Data Principal above all operational or commercial considerations.
The DPDP framework mandates rigorous eligibility criteria for any applicant seeking registration as a Consent Manager. These conditions ensure that only credible, financially sound, and technically competent organisations are allowed to operate such platforms.
(a) Corporate Form and Governance Structure
The applicant must be a company incorporated in India, ensuring regulatory oversight, accountability, and adherence to Indian corporate governance norms. Its directors, key managerial personnel (KMPs), and senior management must possess a reputation of fairness and integrity, eliminating entities with questionable track records.
(b) Technical, Operational, and Financial Capacity
Applicants must demonstrate sufficient capability—technical infrastructure, operational readiness, and financial strength—to meet the platform’s obligations and expected transaction volumes. A minimum net worth of ₹2 crore is required, ensuring financial resilience and continuity.
(c) Sound Management and Business Prospects
The financial condition, capital adequacy, and earning prospects of the applicant must be strong enough to sustain continuous operations.
(d) Mandatory Governance in Constitutional Documents
The Memorandum and Articles of Association must explicitly embed the obligations relating to:
Any amendment to these provisions requires prior approval of the Board, ensuring core governance principles remain intact.
(e) Independent Technology Certification
A critical requirement is an independent audit certifying that the Consent Manager’s platform:
These stringent prerequisites collectively ensure that Consent Managers operate with reliability, neutrality, and robust data protection architecture.
Rule 3 emphasises that Data Principals must have simple, consistent, and easily accessible mechanisms to:
The ease of withdrawing consent must be comparable to the ease with which consent was initially given. This prevents the creation of friction or obstacles that discourage users from withdrawing consent.
To facilitate these rights, the Notice must provide:
This ensures that the Data Principal does not have to search for contact information or navigate complex processes.
Rule 4 outlines a transparent and structured process for the registration of Consent Managers:
Step 1: Submission of Application
An entity meeting the conditions of Part A must apply to the Data Protection Board with required particulars and documentation as specified on the Board’s website.
Step 2: Enquiry and Verification by the Board
The Board conducts detailed scrutiny of the applicant’s compliance with eligibility conditions. This may include technical assessments, financial evaluation, and governance review.
Step 3: Approval or Rejection
Step 4: Post-Registration Oversight
The Board may review continued compliance, seek information, or direct corrective measures as needed. In cases of serious non-adherence, the Board may suspend or cancel registration, following due process.
Consent Managers have extensive obligations to ensure proper functioning of the consent ecosystem. These obligations encompass technical standards, operational safeguards, fiduciary duties, and governance norms.
4.1 Facilitation of Consent Lifecycle
The Consent Manager must enable Data Principals to:
The platform must also maintain accurate records of:
Records must be retained for at least seven years.
4.2 Data Minimisation and Non-Readability Requirement
The platform must ensure that any personal data being shared via the system is not readable by the Consent Manager. This is a critical privacy safeguard ensuring that Consent Managers function purely as encrypted conduits without accessing actual data content.
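As an added illustration (not from the Rules or from any Consent Manager's own code) of what "not readable by the Consent Manager" means in practice: the sending Data Fiduciary encrypts to the receiving fiduciary's public key and binds the ciphertext to the consent record ID, so the intermediary holds an envelope it can only store and forward. The envelope layout, the X25519 plus AES-GCM choice and the SHA-256 key derivation are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Envelope is everything the Consent Manager stores or relays (constructed layout).
type Envelope struct {
	ConsentID  string // consent record the transfer relies on; bound into the AEAD tag
	SenderPub  []byte // sender's ephemeral X25519 public key
	Nonce      []byte
	Ciphertext []byte
}

// aeadFor derives an AES-256-GCM key from an X25519 shared secret.
// Assumption: SHA-256 of the secret stands in for a proper HKDF step.
func aeadFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := priv.ECDH(pub)
	if err != nil { return nil, err }
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal runs at the sending Data Fiduciary: encrypt to the recipient's public key
// and use the consent ID as associated data so the record cannot be swapped.
func Seal(consentID string, recipientPub *ecdh.PublicKey, data []byte) (Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return Envelope{}, err }
	aead, err := aeadFor(eph, recipientPub)
	if err != nil { return Envelope{}, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return Envelope{}, err }
	ct := aead.Seal(nil, nonce, data, []byte(consentID))
	return Envelope{consentID, eph.PublicKey().Bytes(), nonce, ct}, nil
}

// Open runs at the receiving Data Fiduciary. Any other key holder, the Consent
// Manager included, gets an error, as does anyone who changes the consent ID.
func Open(env Envelope, priv *ecdh.PrivateKey) ([]byte, error) {
	senderPub, err := ecdh.X25519().NewPublicKey(env.SenderPub)
	if err != nil { return nil, err }
	aead, err := aeadFor(priv, senderPub)
	if err != nil { return nil, err }
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.ConsentID))
}
```

The Consent Manager's own key pair is deliberately useless against the envelope, which is the property an audit under Rule 4 would look for.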
4.3 Platform Requirements and Security Safeguards
A Consent Manager must maintain a fully functional website or app as the primary channel through which Data Principals can interact. Additionally, it must deploy reasonable security safeguards to prevent personal data breaches.
4.4 Prohibition on Sub-contracting Core Functions
Consent Managers are prohibited from outsourcing or assigning any obligations under the Act. This ensures accountability and prevents dilution of responsibility.
4.5 Fiduciary Responsibilities
Consent Managers must act solely in the interest of Data Principals, free from:
4.6 Mandatory Transparency Disclosures
The platform must clearly disclose:
4.7 Audit and Compliance Requirements
Consent Managers must maintain effective audit mechanisms covering:
Audit results must be shared with the Board periodically.
4.8 Control and Ownership Restrictions
Any transfer of control—through sale, merger, or otherwise—requires prior Board approval, ensuring stability and transparency in consent management operations.
Conclusion
Consent Managers form a cornerstone of India’s DPDP implementation by enabling a transparent, interoperable, and citizen-centric consent ecosystem. Rule 4 ensures that only credible, technically capable, financially sound, and ethically governed entities handle this critical responsibility. With rigorous registration norms, robust operational obligations, and stringent oversight, the DPDP framework positions Consent Managers as trusted custodians of user autonomy and data governance.
For organisations and service providers seeking to participate in India’s digital privacy infrastructure, understanding and complying with Rule 4 is essential. As privacy expectations and regulatory oversight continue to expand, Consent Managers play an increasingly strategic role in ensuring that Data Principals remain firmly in control of their personal data.
Disclaimer: The information contained in this Article is intended solely for personal non-commercial use of the user who accepts full responsibility of its use. The information in the article is general in nature and should not be considered to be legal, tax, accounting, consulting or any other professional advice. We make no representation or warranty of any kind, express or implied regarding the accuracy, adequacy, reliability or completeness of any information on our page/article.