Consent manager registration under DPDP Act highlighting official start date 13 November 2026 for compliance readiness
    Table of contents
    What is a Consent Manager?Who Can Become a Consent Manager? (Eligibility & Conditions)Consent Manager Registration Date under DPDP ActExpected Consent Manager Registration Process & What to PrepareConsequences of Not Registering as a Consent ManagerConclusion

    May 12, 2026 | DPDP | 7 min read

    Listen to the content

    DPDP Act Consent Manager Registration: Date & Process

    India’s data protection framework is moving from policy to implementation.

    Under the Digital Personal Data Protection Act, 2023, Consent Managers will play a critical role in how user consent is collected, managed, and shared across platforms.

    One of the most important developments for businesses is this:

    Consent Manager registration is set to begin on 13 November 2026

    This date is not just a regulatory milestone — it signals when entities must be ready to operate within the DPDP ecosystem.

    In this blog, we briefly explain what a Consent Manager is, who can become one, the registration timeline, what the expected registration process may involve, and the consequences of non-compliance.

    A Consent Manager is a neutral intermediary that enables individuals (Data Principals) to give, withdraw, and manage their consent across different platforms in a transparent and interoperable manner.

    Unlike data fiduciaries, a Consent Manager does not access or process personal data and instead operates as a consent orchestration layer that facilitates secure communication of consent between users and businesses.

    To register as a Consent Manager, an entity must meet specific conditions under the DPDP framework.

    1. Must be an Indian entity

    The applicant must be a company incorporated in India, ensuring that it falls within Indian jurisdiction and regulatory oversight, which also means foreign entities would typically need to establish a local presence before applying.

    2. Minimum net worth requirement (₹2 crore)

    The entity must demonstrate a minimum net worth of ₹2 crore, indicating financial stability and ensuring that only serious and capable players with sufficient resources can undertake the responsibilities of managing consent at scale.

    3. Technical and operational capability

    The entity must have the technical infrastructure to securely manage consent artifacts, ensure interoperability with multiple systems, and maintain high standards of data security, making this requirement more technology-intensive than it may initially appear.

    4. Governance and compliance structure

    The organisation must be structured to operate transparently, avoid conflicts of interest, and act in a fiduciary capacity towards users, which may require formal governance mechanisms and clearly defined accountability structures.

    5. Ongoing compliance obligations

    Even after registration, the entity must continue to meet operational standards, remain compliant with evolving regulations, and be prepared for audits or regulatory checks, making this a continuous compliance responsibility rather than a one-time requirement.

    Consent Manager registration is set to begin on 13 November 2026.

    While this is the start of the registration window, businesses should not interpret it as the time to begin preparation.

    Given the financial threshold of ₹2 crore, the expected need for technical certifications such as ISO 27001 or SOC 2, and the likelihood of governance and documentation requirements, organisations that delay preparation may face challenges in meeting eligibility criteria in time.

    In practice, entities interested in becoming Consent Managers should begin aligning their financial, technical, and compliance structures well before this date to avoid bottlenecks once the application process opens.

    While the detailed step-by-step workflow is still evolving, the current framework provides a strong indication of how the registration process is expected to function and what entities should prepare in advance.

    Step-by-step timeline showing DPDP consent manager registration stages including application, review, approval and compliance

    1. Application to the Data Protection Board of India (DPBI)

    The registration process is expected to be fully digital, with applications submitted through the Data Protection Board of India portal or its designated digital interface, reflecting the broader digital-first approach of the DPDP framework. Although the exact interface and submission format are not yet publicly detailed, it is reasonable to expect a structured online application requiring comprehensive disclosures.

    2. Submission of eligibility and financial documents

    Applicants will likely need to submit proof of incorporation, audited financial statements, and documentation demonstrating a minimum net worth of ₹2 crore . While the exact list of documents may be formally notified closer to implementation, entities should assume that financial records will need to be recent, audited, and compliant with statutory standards.

    3. Technical and security validation

    Entities are expected to demonstrate robust technical capabilities, including secure system architecture, encryption protocols, and interoperability with other platforms, and may need to provide independent certifications such as ISO 27001 or SOC 2. Although not all certification requirements are explicitly mandated in public detail yet, preparing for such standards would be a prudent step.

    4. Governance and compliance alignment

    Applicants may need to ensure that their internal governance structures, including Memorandum and Articles of Association (MoA and AoA), reflect fiduciary responsibilities, conflict-of-interest safeguards, and compliance obligations. This could require legal review and restructuring for organisations that are not already aligned with these expectations.

    5. Review, inquiry and possible audit

    Once an application is submitted, the Board is expected to review the submission, seek clarifications where necessary, and potentially conduct audits of technical systems and governance practices. While no fixed approval timeline has been officially specified, the process may vary depending on the complexity of the applicant’s systems and readiness.

    6. Approval and listing

    Upon successful evaluation, the entity is likely to be approved and listed as a registered Consent Manager, enabling it to operate within the regulated ecosystem and provide consent management services in compliance with the DPDP framework.

    7. Ongoing obligations post-registration

    After registration, entities will be required to maintain compliance with operational standards, remain subject to audits, and ensure transparent and secure management of consent artifacts, reinforcing that this role involves continuous regulatory responsibility rather than a one-time approval.

    Under the Digital Personal Data Protection Act, 2023, failure to register as a Consent Manager while acting as one, or failure to comply with obligations, can result in significant regulatory action.

    Penalties may extend up to ₹50 crore per instance, depending on the nature and severity of non-compliance.

    In addition to financial penalties, the Data Protection Board of India (DPBI) has the authority to suspend or cancel registration, issue corrective directions, and impose operational restrictions.

    Beyond regulatory consequences, non-compliance can also lead to reputational risks and loss of trust, particularly in an ecosystem where transparency and accountability are central.

    Conclusion

    The introduction of Consent Managers under the Digital Personal Data Protection Act, 2023 marks a significant shift in how consent will be managed in India’s digital ecosystem.

    With registration set to begin on 13 November 2026, organisations must move beyond awareness and begin preparing for implementation. This is not merely a procedural requirement but a combination of financial readiness, technical capability, and governance alignment.

    Entities that start early will be better positioned to navigate the process smoothly, while those that delay may face operational and compliance challenges as the DPDP framework becomes fully functional.

    Key Takeaways

    • Consent Manager registration under the DPDP framework is set to begin on 13 November 2026
    • Only eligible Indian entities with ₹2 crore net worth can apply
    • The role is technology-intensive, requiring strong security and interoperability
    • Registration is expected to be fully digital via the DPBI platform
    • Preparation must begin early due to financial, technical, and governance requirements
    • Approval may involve review, clarification, and possible audits
    • Registration is not one-time — ongoing compliance obligations apply
    • Non-compliance can lead to penalties up to ₹50 crore and regulatory action

    Related Blog

    Assessment

    Liked the post? Share on:

    FacebookFacebookWhatsAppwhatsappLinkedInlinkedinXTwitter

    Send us a message

    Previous Blog

    Impact of DPDP Act on Indian Businesses

    Next Blog

    Impact of Data Breach in Banking Industry