DPDP Consent Managers: A November 2026 Deadline, But No Regulator Yet

India’s Digital Personal Data Protection Rules, 2025 set 14 November 2026 as the date the DPDP Consent Manager framework takes legal effect, opening registration for the intermediaries meant to give every Indian a single dashboard to grant, review, and withdraw consent across data fiduciaries. The provision has drawn a wave of compliance checklists from consent-management vendors, but comparatively little scrutiny of two structural problems sitting underneath the deadline. First, the Data Protection Board of India, the body Consent Managers must register with, had not appointed its Chairperson or Members as of mid-2026. Second, the framework is set to operate alongside an existing, RBI-regulated Account Aggregator ecosystem that already manages consent for roughly 2.12 billion financial accounts, with no settled rule on how the two regimes interact. For compliance teams in banking, healthcare, and e-commerce, the live question is no longer what a Consent Manager is; that ground is well covered. It is whether the institutional plumbing will be ready when the clock runs out, and what to build in the meantime.

Key Takeaways

  • The DPDP Consent Manager framework, notified through the DPDP Rules, 2025 (Gazette Notification G.S.R. 846(E), dated 13 November 2025), takes effect on 14 November 2026.
  • Consent Managers must be companies incorporated in India with a minimum net worth of ₹2 crore, must act in a fiduciary capacity, must keep routed personal data unreadable to themselves, and must retain consent records for at least seven years.
  • The Data Protection Board of India, which registers and supervises Consent Managers, had not appointed its Chairperson or Members as of mid-2026; a search-cum-selection process chaired by the Cabinet Secretary was still underway.
  • The RBI’s Account Aggregator framework already performs consent management at population scale for the financial sector (over 600 regulated entities and more than 140 million fulfilled consent requests), and its relationship with the new Consent Manager regime remains formally unresolved.
  • Full DPDP enforcement, including financial penalties of up to ₹250 crore for significant violations, begins 14 May 2027, giving data fiduciaries a narrowing but workable window to prepare.

What the DPDP Consent Manager Regime Actually Requires

Section 2(g) read with Section 6(7) of the Digital Personal Data Protection Act, 2023 defines a Consent Manager as a person registered with the Data Protection Board who acts as a single point of contact enabling a Data Principal to give, manage, review, and withdraw consent through an interoperable platform. The First Schedule to the DPDP Rules, 2025 turns that one-line definition into a fairly demanding licensing regime. An applicant must be a company incorporated in India, hold a minimum net worth of ₹2 crore, demonstrate technical and operational capacity, and satisfy fit-and-proper standards for its directors and key managerial personnel. Once registered, a Consent Manager must route personal data without ever being able to read it, a design constraint modelled on the “data-blind” pipe used in the financial sector’s Account Aggregator system, and must maintain machine-readable consent logs for a minimum of seven years, subject to encryption, access controls, and incident-response obligations that mirror what regulators expect of significant data fiduciaries themselves. This is closer to a licensed financial intermediary than a software feature. Treating it as a checkbox item on a privacy-policy update understates what is being asked of prospective applicants.

A Deadline Running Ahead of Its Regulator

The registration obligation runs to a Board that, on the timeline currently public, is not yet in a position to receive applications. The DPDP Rules, 2025 activated the Data Protection Board of India on paper from 14 November 2025, but as of April and May 2026 the Chairperson and Members envisaged under the Act had not been appointed. A search-cum-selection committee chaired by the Cabinet Secretary, with the Secretaries of Legal Affairs and MeitY and two independent experts, was still evaluating candidates for the Chairperson’s post, with a parallel committee working through Member appointments. The Board is the entity empowered to register Consent Managers, prescribe the technical and assurance standards their platforms must meet, investigate breaches, and impose penalties. None of that is a formality it can complete without sitting members. Six months out from the November 2026 deadline, the practical risk is not that the deadline moves; the government has shown no public inclination to revise it. The risk is that the compliance runway for applicants compresses into whatever window is left once the Board is actually staffed and its standards are published.

The Account Aggregator Overlap Nobody Has Fully Resolved

The financial sector has operated a working version of this idea since 2016, through the RBI’s Master Directions on Non-Banking Financial Company – Account Aggregators. Seventeen NBFC-Account Aggregators hold operational licences today. More than 600 regulated entities across banking, securities, insurance, and pensions participate in the network, and by December 2024 the ecosystem had fulfilled over 140 million consent requests covering roughly 60 percent of the country’s financial accounts. Industry body Sahamati has argued that the cleanest path is for the Board to deem existing, licensed Account Aggregators as sector-specific Consent Managers rather than requiring parallel registration, and MeitY has clarified that integration with a Consent Manager is not mandatory for data fiduciaries in the first place. What remains unresolved is where an aggrieved Data Principal’s appeal should lie when both an RBI-regulated Account Aggregator and the Board have overlapping jurisdiction, and whether the Board will adopt the technical specifications already built by Reserve Bank Information Technology Pvt Ltd for financial data or set its own standard. Judicial precedent on regulatory overlap has tended to favour the sectoral regulator, which would point toward RBI primacy for financial consent even after the Board is operational. That reading has not been tested, and the Rules do not settle it expressly.

Sector Stakes: Banking, Healthcare, and E-Commerce

For banking and fintech, the open question is whether existing NBFC-Account Aggregators should apply for Consent Manager status now or wait for the Board to clarify a deeming provision — a decision with real cost implications given the ₹2 crore net worth and governance conditions attached to registration. For healthcare, the National Health Authority’s Health Locker initiative is building a parallel, sector-specific consent architecture for medical records that is still in sandbox, which raises the same standard-setting tension seen in finance: sensitive health data carries a higher consent bar under the DPDP Rules, and providers will need to track whether the Health Locker framework is eventually folded into the Board’s Consent Manager regime or left to run alongside it. For e-commerce and platform businesses, the DPDP Rules’ insistence on purpose-specific, itemised consent sits awkwardly against the bundled marketing and personalisation consent flows most Indian platforms currently use, a friction Candour Legal has previously flagged in the context of the IT Rules’ interaction with DPDP retention requirements. That tension does not disappear simply because the Consent Manager layer is optional rather than mandatory.

Gatekeeper or Empowerment Layer? The Competing View

A fair criticism of the framework, raised in early legal commentary on the Rules, is that a ₹2 crore net-worth threshold plus fit-and-proper governance conditions is a meaningful barrier for a genuinely independent, consumer-first consent-tech startup, while it is a rounding error for an established bank, platform, or existing Account Aggregator looking to stand up an in-house Consent Manager subsidiary. On this reading, the framework risks concentrating consent infrastructure in the hands of the same large fiduciaries it is meant to check, rather than creating a neutral layer that shifts leverage toward the Data Principal. The Account Aggregator experience cuts against the strongest version of that concern; seventeen operational NBFC-AAs of varying scale suggest the model is not inherently a large-player monopoly. But the criticism gains force from a different direction. Because MeitY has confirmed that data fiduciaries need not integrate with any Consent Manager at all, large platforms with the leverage to ignore third-party consent dashboards may simply decline to connect, leaving interoperability as a feature available mainly to fiduciaries who already wanted to offer it.

What Data Fiduciaries Should Do Before November 2026

Compliance teams do not need to wait for the Board to be staffed before doing the groundwork. Data fiduciaries should map current consent-capture flows against the purpose-specific, itemised standard the Rules require, rather than relying on omnibus policy acceptance. Regulated financial entities operating or affiliated with an NBFC-Account Aggregator should decide their integration posture now, since a deeming resolution from the Board, if it comes, will still require the underlying technical readiness Sahamati and ReBIT have already specified. Businesses considering a Consent Manager subsidiary should budget for the ₹2 crore net-worth and governance conditions as a real capital and compliance-architecture commitment, not a documentation exercise. All fiduciaries should track two things over the next few months: the appointment of the Board’s Chairperson and Members, and any technical standard the Board publishes under the First Schedule, since both will determine how much runway actually remains once formal registration opens.

Looking Ahead

The 14 November 2026 date for Consent Managers and the 14 May 2027 date for full DPDP enforcement are both statutory, but neither removes the practical dependency on a functioning Board. Whether that timeline holds will depend on how quickly the search-cum-selection process concludes and how much of the First Schedule’s technical detail the Board chooses to borrow from the Account Aggregator ecosystem rather than build afresh. Compliance teams that treat the next few months as a live drafting window, rather than a wait for final rules, will be better placed regardless of which way those two questions resolve.

Frequently Asked Questions

What is a Consent Manager under the DPDP Act?
A Consent Manager is an entity registered with the Data Protection Board of India that gives a Data Principal a single, interoperable platform to give, manage, review, and withdraw consent for how their personal data is processed by different data fiduciaries, without the Consent Manager itself being able to read the underlying data.

When do the DPDP Consent Manager rules come into force?
The Consent Manager provisions of the DPDP Rules, 2025 take effect on 14 November 2026, twelve months after the Rules were notified on 13 November 2025. The remaining substantive provisions of the DPDP Act, including enforcement and penalties, come into force on 14 May 2027.

Is the Data Protection Board of India functioning yet?
Not fully. The Board was constituted on paper from 14 November 2025, but as of mid-2026 its Chairperson and Members had not been appointed, with a Cabinet Secretary-led search-cum-selection committee still evaluating candidates.

How does the RBI’s Account Aggregator framework relate to DPDP Consent Managers?
Both perform consent-management functions, but under different regulators. The RBI’s Account Aggregator system, in place since 2016, already manages consent for financial data at scale, and industry stakeholders have proposed that the Data Protection Board deem existing Account Aggregators as sector-specific Consent Managers rather than requiring separate registration, though this has not yet been formally settled.

This analysis was prepared by the Candour Legal team. Candour Legal is a full-service Indian law firm with offices in Ahmedabad and Mumbai, focused on technology and data protection law, banking and financial regulation, and regulatory compliance. The firm publishes analytical commentary on developments in Indian law at candourlegal.com.

By Candour Legal Team | 3 July 2026
