The Consent Manager Mirage: Why DPDPA’s Framework Will Fail on the Ground

An article titled “The Consent Manager Mirage: Why DPDPA’s Framework Will Fail on the Ground” authored by our Partner, Akshayy S Nanda, has been published by BW Legal.

When Parliament created the ‘Consent Manager’ framework under the Digital Personal Data Protection Act, 2023 (DPDPA), it was aiming for an elegant, citizen‑centric solution. The idea was simple: a neutral, trusted intermediary through which an individual could set privacy preferences once and have those choices automatically applied across all platforms, websites, and apps. In this vision, the Consent Manager would function as a single source for consent—an independent gatekeeper of autonomy in a data‑driven economy.

The concept is attractive; the implementation is unworkable. The framework, as designed, misjudges user behaviour, market incentives, and technical realities. It tries to fix a problem that is largely illusory, while leaving the real structural flaw in India’s data protection regime untouched.

Start with the supposed beneficiary: the Data Principal. In theory, she visits one Consent Manager, chooses “no third‑party sharing, no marketing and no profiling” and relies on that being honoured everywhere. In practice, her bank chooses Consent Manager A, her e‑commerce platform plugs into Consent Manager B, and her hospital ignores Consent Managers altogether and runs its own consent interface. Nothing in DPDPA compels convergence. Preferences set with A are invisible to B. Neither can reach providers that opt out of the ecosystem. Instead of centralisation, the individual now has multiple, uncoordinated dashboards, each reflecting only a slice of her digital life.

The situation is compounded by the fact that she never actually chooses her Consent Manager. That decision is taken by each Data Fiduciary, based on cost, integration effort, and commercial relationships. The framework assumes users will drive adoption through preference. In reality, users neither see the choice nor have the leverage to insist their app or platform switch providers. This fragmentation is not a design bug; it flows directly from the law. Data Fiduciaries are not required to integrate with any Consent Manager. They can fully comply with DPDPA while managing consent in‑house. The core promise of “a single point of control” collapses in the face of this optionality. 

The economics are equally unfavourable. Individuals will not pay out of pocket for a service they can approximate, imperfectly but sufficiently, by dealing directly with organisations. Data Fiduciaries will not fund an intermediary unless it clearly reduces cost or risk—which, as the rest of the framework reveals, it does not. Without a sustainable revenue model from any side, Consent Managers are commercially brittle by design.

For any entity contemplating registration as a Consent Manager, the hurdles are formidable. The DPDPA Rules demand Indian incorporation, minimum net worth, sound management, technical capacity, robust security, conflict‑of‑interest safeguards, record‑keeping, auditability, and fiduciary duties toward Data Principals. These conditions are entirely appropriate given the sensitivity of the role, but they also mean only well‑capitalised players can enter. Even those players then face the real challenge: integration at scale. To be meaningful, a Consent Manager cannot limit itself to a few marquee clients. It must connect to a broad cross‑section of the economy—banks, NBFCs, telecoms, e‑commerce, health‑tech, ed‑tech, logistics, government portals, and thousands of MSMEs. Each connection is not just an API; it is a bespoke engineering and governance project involving analysis of the Consent Manager’s specification, reshaping internal consent flows and data models, mapping business rules, testing and hardening the integration, and maintaining compatibility over time. Multiplied across thousands of Data Fiduciaries, many with modest or fragmented technology stacks, the integration burden becomes prohibitively expensive.

The situation worsens in the absence of mandatory interoperability standards. If three or four Consent Managers emerge, each with slightly different APIs, authentication methods, and data formats, any Data Fiduciary seeking broad coverage must support all of them. That is not a problem a few ambitious providers can solve by themselves. It requires sector‑wide coordination on standards that do not yet exist and may be politically or commercially difficult to agree. In other words, the very scale and diversity of India’s digital economy make the technical premise of the model extremely fragile.

For Data Fiduciaries, the calculation is brutally simple: does integrating with a Consent Manager reduce cost, risk, or complexity? DPDPA already mandates that every Data Fiduciary provide clear notices, obtain verifiable consent where required, allow withdrawal of consent, maintain records of lawful basis, ensure accuracy and security, erase data when purposes are no longer served, and respond to grievances and rights requests. They must therefore build internal machinery for consent and rights management—dashboards, logs, workflows, and technical hooks into their systems. A Consent Manager does not replace any of this. It merely introduces a second front‑end through which individuals can express their choices.

That duality creates operational and legal risk. If a customer opts in to marketing through the company’s app but later withdraws via a Consent Manager, the Data Fiduciary remains responsible for ensuring that withdrawal is reflected across every marketing list, analytics pipeline, and CRM system in time. If synchronization fails, enforcement action targets the Data Fiduciary, not the intermediary. The organization has delegated interface work but not liability. From a rational actor’s perspective, this is a losing proposition: all mandatory compliance infrastructure must still be built; integration with a Consent Manager introduces additional engineering, reconciliation, and monitoring work; and there is no corresponding safe harbour or liability shift. Given that participation is voluntary, the expected outcome is straightforward. Large, sophisticated organisations—most visible to regulators and best equipped to manage consents—will prefer robust in‑house systems they fully control. Some smaller entities may view Consent Managers as a shortcut, but their participation alone cannot deliver the system‑wide coverage that the concept presupposes.

The deeper problem is that the Consent Manager blueprint is misaligned with the real structural weakness of the DPDPA: its over‑reliance on consent. Unlike the GDPR, which recognizes several lawful bases (contract performance, legal obligation, vital interests, public task, legitimate interests, and consent), the DPDPA essentially offers only two: consent and a narrow set of “certain legitimate uses.” This forces organisations to route a wide variety of operational and low‑risk processing through consent mechanisms, even where other bases would be more appropriate and better aligned with risk and user expectations. 

No Consent Manager can widen the statutory definition of “legitimate uses,” create a new lawful basis for contract performance, or introduce a concept analogous to “legitimate interests.” Those are legislative choices. As long as the law remains narrowly consent‑centric, organisations will be forced into patterns of over‑collection and over‑notification that no intermediary can tidy up. The real reform imperative is to rebalance the lawful‑basis framework, not to build a complex national infrastructure for orchestrating consent withdrawals.

Ultimately, the Consent Manager model under DPDPA is a sophisticated answer to the wrong question. Data Principals can already exercise their rights directly with the organisations they deal with; those organisations are legally obliged to honour such requests. A new intermediary does not create rights; it only reshapes how they are invoked. Data Fiduciaries will remain responsible for their own compliance infrastructure and for the consequences of any mismatch between internal and external records. Consent Managers themselves face high fixed costs, uncertain revenue, voluntary participation by counterparties, and an inherently fragmented user experience. The most likely result is a landscape where Consent Managers exist more on paper and in conference presentations than in daily life: a handful of registered entities with limited coverage, sector‑specific pilots, and tenuous business models, delivering marginal practical benefit to individuals or to the broader data‑protection regime.

A more pragmatic path would be to tighten and enforce native consent and rights processes, actively discourage dark patterns, and, above all, modernize the DPDPA’s lawful‑basis architecture. In that more balanced system, specialized intermediaries might still have a role—but they would emerge organically where they create real, shared value, rather than being willed into existence by statute and then left to survive on hope.

Published On: March 18, 2026
