India is witnessing a structural shift in how personal data is perceived, governed, and protected. With the Digital Personal Data Protection Act, 2023 (DPDP Act) coming into force, data privacy has moved from a niche compliance issue to a mainstream boardroom and public priority. Governments, enterprises, technology providers, and citizens are engaging more actively with questions of consent, accountability, and user rights.

While this heightened awareness is both encouraging and necessary, it has also given rise to myths, half-truths, and informal claims of regulatory standing. In a rapidly evolving environment, decision-makers must distinguish clearly between what the law mandates and what ecosystem experimentation merely suggests, grounding compliance strategies in statutory reality rather than perception.
Much of this confusion stems from MeitY’s “Code for Consent” Innovation Challenge and the perception that “empanelled” or “MeitY-approved” consent managers now exist. I believe it is essential to separate what the law actually mandates from what ecosystem initiatives aim to enable. Compliance under DPDP is fundamentally about governance, accountability, and enforcement – not badges or participation in challenges.
What the DPDP Act Actually Says About Consent Managers
The DPDP Act, 2023 and Rules 2025 formally introduce the concept of a Consent Manager. Under the Act, a Consent Manager is defined as a person registered with the Data Protection Board who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.
Importantly, the Act also makes two things clear:
- A Consent Manager is an enabler, not a transferee of responsibility
- The Data Fiduciary remains fully accountable for lawful processing, purpose limitation, and compliance with consent conditions
In other words, even when a Consent Manager is used, liability does not shift away from the enterprise. Consent Managers facilitate consent signals; they do not enforce business behaviour.
This design closely mirrors India’s Account Aggregator (AA) framework, where licensed intermediaries securely transmit user-authorised data between entities, without owning or processing the data themselves. Similarly, DPDP Consent Managers are envisioned as neutral consent intermediaries, not compliance substitutes.
The Code for Consent Challenge: Reference Architecture, Not Regulation
MeitY, through NeGD, launched the Code for Consent Challenge to encourage open-source development of Consent Management Systems aligned with DPDP principles. The accompanying Business Requirement Document (BRD) outlined capabilities such as consent capture, audit trails, lifecycle management, and interoperability.
However, it is critical to understand what this initiative is and what it is not:
- Participation does not create a licensed or DPDP-recognized Consent Manager
- The BRD is a non-binding reference document, not a legal mandate
- Shortlisted entities are open-source innovators, not approved regulatory entities
The challenge plays a valuable role in ecosystem innovation, much like early AA sandboxes. But for enterprises, it remains a guidance artefact, not a compliance shortcut.
Why Internal Consent Management Is Non-Negotiable
A dangerous misconception is emerging: that onboarding a Consent Manager — platform or vendor — somehow absolves an enterprise of internal compliance obligations. This is not true as per the DPDP Act, 2023.
Enterprises must still maintain internal systems that can:
- Translate consent into enforceable business rules
- Apply those rules across applications, workflows, and vendors
- Maintain audit-ready records of consent artefacts
- Handle offline, assisted, and exception-based customer journeys
Most consent-triggering events — marketing, servicing, claims, onboarding — occur inside enterprise systems, not at the consent layer. External Consent Managers can transmit signals, but enforcement lives within the organisation.
Internal consent management remains the backbone of DPDP compliance.
Debunking the “MeitY-Approved Consent Manager” Narrative:
- No Consent Managers are licensed or registered as of 14th Feb, 2026
- Registration can only begin after the Data Protection Board is constituted and operational
The entities associated with the Code for Consent challenge are not approved Consent Managers under the Act. Enterprises should avoid mistaking ecosystem experimentation for regulatory endorsement.
Remember:
Consent Managers and open-source initiatives can play a constructive role in shaping the data protection ecosystem. However, they should be viewed as enabling mechanisms, not as substitutes for enterprise accountability. The DPDP Act is explicit in this regard: responsibility for lawful processing, governance, and enforcement always rests with the Data Fiduciary.
In a regulatory environment that is still evolving, clarity becomes as important as compliance itself. Enterprises that anchor their decisions in statutory reality rather than in perceived endorsements or ecosystem narratives will be better positioned to build resilient data governance frameworks and sustain trust in an increasingly privacy-conscious market.
–Authored by Adv. Sunder Rajan, Medical & Healthcare Law, Corporate Law, Publishing Law, IPR.
