All articles
Regulatory Update 7 min read 13 July 2026 Primitra

Consent Manager or Consent Platform? What Indian SMEs Actually Need Before November 2026

"Do we have to register as a DPDP consent manager?" Almost always, no. Here is the difference between a registered Consent Manager and the consent platform your SME actually needs before the 13 November 2026 deadline.

A question keeps coming up in our conversations with founders and operations heads: "Do we have to register as a DPDP consent manager?" Almost always, the answer is no. But the confusion is understandable, because the DPDP Rules, 2025 use the term "Consent Manager" for something very specific, and it sounds a lot like the consent tools most businesses are actually shopping for. Getting this wrong wastes money and, worse, leaves the real obligation unaddressed. With the consent manager registration window opening on 13 November 2026, now is a sensible time to clear it up.

The DPDP consent manager is a licensed intermediary, not a plugin

Under Rule 4 of the DPDP Rules, 2025, a Consent Manager is a registered entity that sits between individuals (data principals) and the many companies that hold their data. Think of it as a single dashboard where a person can give, review, and withdraw consent across every business they deal with, in one place. It is a regulated role, and the bar to play it is high.

To register with the Data Protection Board of India, a Consent Manager must be a company incorporated in India, maintain a minimum net worth of ₹2 crore, and operate independently of any data fiduciary, including affiliated group entities. It also has to work on a "data-blind" basis, meaning it records and manages consent artefacts but cannot itself read, use, or monetise the underlying personal data it moves around. Registration opens on 13 November 2026, twelve months after the Rules were notified on 13 November 2025.

Read those conditions again with your own company in mind. A ₹2 crore net worth floor, full independence from any data fiduciary, and a data-blind operating model describe a specialised fintech-style business, not a retailer, clinic, SaaS startup, or manufacturer collecting customer data. For the vast majority of Indian SMEs, becoming a registered Consent Manager was never the plan and never the requirement.

What you almost certainly need instead: a consent platform of your own

Here is the part that gets lost. The DPDP Rules do not force data fiduciaries to route consent through a registered Consent Manager. You are free to collect consent directly, provided you meet the Act''s standards for notice, consent, withdrawal, and record-keeping on your own.

That is where a Consent Management Platform (CMP) comes in. A CMP is software you deploy internally to capture consent, store it, log withdrawals, and keep an audit trail you can produce if the Board ever asks. It is a tool you own and control. A Consent Manager, by contrast, is a licensed third party. Same three words rearranged, completely different animals. When a vendor pitches you a "consent manager," ask plainly whether they mean registration-grade infrastructure or a CMP you install. Nine times out of ten it is the latter.

The consent standard is what actually binds you

Whichever route you take, the substance is the same, and it is worth being precise about it. Section 6 of the DPDP Act, 2023 says consent must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. Silence, pre-ticked boxes, and "by continuing you agree" banners do not clear that bar.

Every consent request also has to be paired with a notice. Under the Act and the 2025 Rules, that notice must be a standalone document in clear, plain language, available in English or any language listed in the Eighth Schedule of the Constitution. It has to itemise exactly what personal data you are collecting and the specific purpose for each. Bundling ten purposes under one checkbox is out. So is asking for more than you need to deliver the service.

Withdrawal deserves special attention because teams routinely forget it. Making it easy for someone to say yes but hard to later say no is a common and expensive mistake. The Act requires that withdrawing consent be as easy as giving it, and once consent is pulled, you generally have to stop processing and delete the data unless another legal ground applies.

A short, practical checklist for the next few months

You do not need to wait for May 2027, when the core substantive obligations take full effect, to get moving. The groundwork is the same regardless of which consent tooling you land on.

Start by mapping where personal data enters your business: web forms, app sign-ups, WhatsApp enquiries, offline forms later digitised, payment flows, and every SaaS tool in between. You cannot design consent for data you have not located. Our DPDP compliance checklist walks through this inventory step by step.

Next, rewrite your notices so each one is standalone, plain, and itemised by purpose. Then fix the mechanics: a clear affirmative action to opt in, and an equally simple path to withdraw. Whether you build this into your product or buy a CMP, insist on an audit log, because "we got consent" means little if you cannot show when, for what, and how.

Appoint a Grievance Officer and publish their contact details prominently on your website and app. Every data fiduciary, regardless of size, needs one. And put signed data processing agreements in place with every vendor that touches personal data on your behalf, from your CRM to your payroll provider. If any of this feels like a lot to sequence, our DPDP Act compliance services and a scoped privacy impact assessment are built to get an SME through it in a matter of weeks.

Why this matters now

The penalties under the DPDP Act are not theoretical. Failure to maintain reasonable security safeguards can draw up to ₹250 crore, and failing to notify the Board or affected individuals of a breach can reach ₹200 crore. Consent is the front door to most of these obligations. Build it properly and much of the rest of your programme has a solid foundation. Confuse the registered Consent Manager role with the CMP you actually need, and you risk spending on the wrong thing while the real gap stays open.

The distinction is simple once you see it. Most Indian SMEs will never register as a Consent Manager. Nearly all of them need clean, provable consent, and the time to build that is before, not after, the deadlines arrive.

This article is general guidance for Indian businesses and not legal advice; your obligations depend on your specific facts. For a plain-English starting point, use our DPDP readiness checklist, or get in touch to talk through where your consent process stands today.

Get help implementing this

Turn this reading into a compliance plan.

Book a free 30-minute consultation. We'll map your DPDP Act exposure and give you a prioritized 90-day action list — no obligation.

Book a free 30-minute consultation