Rule 4 DPDP Rules 2025

Registration and obligations of Consent Manager


(1) A person who fulfils the conditions for registration of Consent Managers set out in Part A of First Schedule may apply to the Board for registration as a Consent Manager by furnishing such particulars and such other information and documents as the Board may publish in this behalf on its website.
(2) On receipt of such application, the Board may make such inquiry as it may deem fit to satisfy itself regarding fulfilment of the conditions set out in Part A of First Schedule, and if it—
(a) is satisfied, register the applicant as a Consent Manager, under intimation to the applicant, and publish on its website the particulars of such Consent Manager; or
(b) is not satisfied, reject the application and communicate the reasons for the rejection to the applicant.
(3) The Consent Manager shall have obligations as specified in Part B of First Schedule.
(4) If the Board is of the opinion that a Consent Manager is not adhering to the conditions and obligations under this rule, it may, after giving an opportunity of being heard, inform the Consent Manager of such non-adherence and direct the Consent Manager to take measures to ensure adherence.
(5) The Board may, if it is satisfied that it is necessary so to do in the interests of Data Principals, after giving the Consent Manager an opportunity of being heard, by order, for reasons to be recorded in writing,—
(a) suspend or cancel the registration of such Consent Manager; and
(b) give such directions as it may deem fit to that Consent Manager, to protect the interests of the Data Principals.
(6) The Board may, for the purposes of this rule, require the Consent Manager to furnish such information as the Board may call for.

Rule 5 →
DPDPA
Table of contents


Report error

Legal Interpretation: Registration and Obligations of Consent Managers

The role of Consent Managers in the data protection ecosystem is pivotal, as they act as intermediaries enabling individuals (Data Principals) to exercise control over their personal data. Rule 4, as outlined in the draft framework, establishes the registration requirements, responsibilities, and compliance measures for Consent Managers. Let’s break this down into digestible parts:

1. Eligibility and Application Process for Registration

To become a Consent Manager, an entity must first meet the eligibility conditions specified in Part A of the First Schedule. These conditions likely include qualifications related to technical competence, operational capabilities, and adherence to privacy standards. The registration process involves:

  • Submission of Application: Interested entities must provide the necessary particulars, documents, and information as outlined by the Data Protection Board on its official website.
  • Inquiry by the Board: The Board, in its capacity as a regulatory authority, conducts a thorough examination to verify compliance with the prescribed eligibility criteria.

Here, transparency in the application process ensures that only those entities capable of upholding the principles of privacy and security are granted registration. This safeguards the trust placed by individuals in Consent Managers.

2. Decision by the Board

Upon reviewing an application, the Board has two options:

  • Approval: If the applicant satisfies all conditions, the Board registers the entity as a Consent Manager, informs the applicant, and publishes the details publicly on its website. This public disclosure enhances transparency and provides Data Principals with a reliable directory of authorized Consent Managers.
  • Rejection: If the application falls short of meeting the criteria, the Board communicates the reasons for rejection to the applicant. This provision aligns with principles of fairness and provides applicants an opportunity to rectify deficiencies.

3. Obligations of Consent Managers

Once registered, Consent Managers must adhere to the obligations detailed in Part B of the First Schedule. While the exact obligations are not specified here, they likely include:

  • Ensuring secure management of user consents for data processing.
  • Providing user-friendly tools for granting, managing, and withdrawing consent.
  • Maintaining accurate logs and records of consent-related activities.
  • Acting in a manner that prioritizes the interests and rights of Data Principals.

These obligations reinforce the principle that Consent Managers are custodians of trust, acting as enablers of informed decision-making for individuals.

4. Monitoring and Compliance by the Board

The framework provides mechanisms for monitoring compliance. If the Board identifies non-adherence to conditions or obligations:

  • It notifies the Consent Manager of the violation.
  • It provides an opportunity for the Consent Manager to present its case.
  • It directs corrective actions to ensure compliance.

This phased approach reflects the Board’s emphasis on remediation over punitive measures, allowing Consent Managers to align with regulatory expectations before facing penalties.

5. Suspension or Cancellation of Registration

In cases where non-compliance persists or the Board deems it necessary to protect the interests of Data Principals, it can:

  • Suspend or cancel registration: This ensures that entities failing to meet their obligations cannot continue to operate, thus protecting individuals from potential harm.
  • Issue protective directions: These may include interim measures to safeguard the interests of affected Data Principals.

Importantly, the rule mandates that any such actions must be preceded by:

  • A fair hearing for the Consent Manager.
  • Written documentation of reasons for the decision.

This ensures accountability and prevents arbitrary exercise of power by the Board.

6. Furnishing Information to the Board

To facilitate oversight, the Board has the authority to request any information it deems necessary from Consent Managers. This provision strengthens the Board’s regulatory capabilities, enabling it to respond swiftly to concerns about non-compliance.

Broader Implications

The framework for Consent Managers reflects the core principles of the Digital Personal Data Protection Act—accountability, transparency, and user empowerment. By establishing stringent criteria for registration and robust mechanisms for monitoring compliance, the Rules ensure that Consent Managers serve as trusted intermediaries in the data ecosystem.

This rule also demonstrates a balance between enabling innovation and protecting individual rights. While fostering a structured process for registration, it simultaneously provides safeguards to ensure Data Principals’ interests remain paramount. In essence, Consent Managers bridge the gap between Data Fiduciaries and Data Principals, fostering trust and compliance in the digital age.

© 2025 Advocate (Dr.) Prashant Mali