The Digital Personal Data Protection Act 2023 (DPDPA) is India's comprehensive data protection law that governs how organizations collect, process, store, and transfer personal data of Indian citizens. It was notified on August 11, 2023, with the DPDP Rules 2025 published on November 13, 2025, and full enforcement beginning May 13, 2027.

When does DPDPA 2023 come into full force?

DPDPA 2023 comes into full force on May 13, 2027, which is 18 months after the notification of DPDP Rules 2025 on November 13, 2025. Consent Manager registration must be completed within 12 months (by November 2026).

What are the penalties under DPDPA 2023?

DPDPA 2023 prescribes penalties up to ₹250 crore for the most severe violations including failure to implement reasonable security safeguards leading to data breaches. Lesser penalties apply for other violations such as failure to notify breaches (up to ₹200 crore) or non-compliance with data principal rights (up to ₹50 crore).

What is a Significant Data Fiduciary under DPDPA?

A Significant Data Fiduciary (SDF) is a Data Fiduciary notified by the Central Government based on factors like volume and sensitivity of personal data processed, risk to data principal rights, potential impact on sovereignty and integrity of India, and risk to electoral democracy. SDFs have additional obligations including appointing a Data Protection Officer and conducting Data Protection Impact Assessments.

What are Data Principal rights under DPDPA 2023?

Under DPDPA 2023, Data Principals have the right to: access information about their personal data being processed, request correction and erasure of data, grievance redressal, nominate another person to exercise rights in case of death or incapacity, and withdraw consent at any time with the same ease as giving consent.

How does DPDPA handle cross-border data transfers?

DPDPA 2023 adopts a blacklist approach for cross-border data transfers. Personal data can be transferred to any country except those specifically restricted by the Central Government through notification. This is different from GDPR's adequacy-based whitelist approach.

How much is DPDPA penalty?

DPDPA penalties range from ₹10,000 to ₹250 crore depending on the violation. The maximum penalty of ₹250 crore applies to failure to implement reasonable security safeguards resulting in data breaches. Failure to notify breaches can attract up to ₹200 crore, while non-compliance with data principal rights can result in penalties up to ₹50 crore.

What is 72 hour breach notification under DPDPA?

Under DPDPA 2023 and DPDP Rules 2025, Data Fiduciaries must provide a detailed breach report to the Data Protection Board within 72 hours of becoming aware of a personal data breach. The initial intimation must be given without unreasonable delay. The 72-hour report must include breach details, affected data principals, and remedial measures taken.

Is DPDPA applicable to foreign companies?

Yes, DPDPA 2023 has extraterritorial applicability. It applies to processing of personal data outside India if such processing is in connection with offering goods or services to Data Principals in India. Foreign companies processing Indian citizens' data must comply with DPDPA requirements.

How to become a Consent Manager under DPDPA?

To become a registered Consent Manager under DPDPA, you must apply to the Data Protection Board of India. Requirements include: being incorporated in India, having adequate technical and organizational capacity, maintaining an accessible and interoperable platform, and meeting prescribed capital and infrastructure requirements. Registration deadline is 12 months from DPDP Rules notification (by November 2026).

What is verifiable parental consent under DPDPA?

Verifiable parental consent under DPDPA means obtaining consent from a parent or lawful guardian before processing personal data of children (persons below 18 years). The verification mechanism must reasonably ensure that the person giving consent is the child's parent or guardian. Processing children's data without verifiable parental consent is prohibited.

What documents are needed for DPDPA compliance?

Key documents for DPDPA compliance include: Privacy Notice, Consent Records, Data Processing Register, Data Protection Impact Assessments (for SDFs), Breach Response Plan, Data Principal Rights Procedures, Vendor/Data Processor Agreements, Cross-border Transfer Assessments, Training Records, and Audit Reports. SDFs must also maintain DPO appointment documentation.

Back to Compliance Playbook

Procedural Guide

Consent Manager Registration

A comprehensive guide on the registration, qualification requirements, and operational obligations of Consent Managers under Section 6 of DPDPA 2023 and the DPDP Rules 2025.

Statutory Foundation

Section 6 of DPDPA 2023 establishes the framework for Consent Managers as registered entities that enable Data Principals to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.

Rule 5 of DPDP Rules 2025 prescribes the eligibility criteria, registration procedure, capital requirements, and operational standards for Consent Managers.

Role of a Consent Manager

A Consent Manager is a registered intermediary that provides a single point of contact for Data Principals to manage their consent across multiple Data Fiduciaries. The Consent Manager acts as the Data Principal's agent and is accountable to the Data Principal.

Functions

• Manage consent on behalf of Data Principals
• Maintain consent artefacts and audit trails
• Enable consent withdrawal and modification
• Provide consent dashboard to Data Principals

Accountability

• Acts as agent of the Data Principal
• Accountable to Data Principal for actions
• Subject to Board oversight and audit
• Must maintain prescribed standards

Eligibility Criteria

Incorporation in India

The applicant must be a company incorporated under the Companies Act, 2013, with its registered office in India.

Minimum Net Worth

The applicant must demonstrate minimum net worth as prescribed by the Rules, ensuring financial stability to discharge obligations.

Technical Infrastructure

The applicant must possess adequate technical infrastructure to provide an accessible, transparent, and interoperable consent management platform.

Interoperability Standards

The platform must comply with interoperability standards notified by the Central Government to ensure seamless integration with Data Fiduciary systems.

Data Security

The applicant must implement reasonable security safeguards and obtain appropriate certifications as prescribed.

No Conflict of Interest

The applicant must not have any material conflict of interest that would compromise the independence of consent management services.

Registration Procedure

Preliminary Assessment

Conduct internal assessment of eligibility criteria. Engage legal counsel to verify compliance with all statutory requirements. Identify gaps and develop remediation plan.

Infrastructure Development

Develop or acquire consent management platform meeting prescribed technical standards. Implement security safeguards and obtain necessary certifications.

Documentation Preparation

Prepare all required documents including certificate of incorporation, financial statements, technical specifications, security audit reports, and policies.

Application Submission

Submit registration application to the Data Protection Board through the designated portal in the prescribed form along with supporting documents and fees.

Board Review

The Data Protection Board shall examine the application, may seek clarifications or additional information, and may conduct inspection of technical infrastructure.

Registration Grant

Upon satisfaction of requirements, the Board shall grant registration and issue certificate. Registration shall be valid for the period prescribed and subject to renewal.

Commencement of Operations

Upon registration, the Consent Manager may commence operations. The registration number must be prominently displayed on all communications and the platform.

Operational Obligations

Maintain accessible and user friendly interface for Data Principals

Ensure platform availability and reliability to prescribed standards

Maintain complete and accurate records of all consent transactions

Implement audit trails for all consent activities

Respond to Data Principal requests within prescribed timelines

Submit periodic compliance reports to the Data Protection Board

Cooperate with Board inspections and audits

Notify the Board of any material changes to operations or infrastructure

Maintain confidentiality of Data Principal information

Not use consent data for any purpose other than consent management

Compliance Timeline

Key Dates

DPDP Rules Notification: 13th November 2025

Consent Manager Registration Deadline: 13th November 2026 (12 months from Rules notification)

Entities intending to operate as Consent Managers must complete registration with the Data Protection Board within the prescribed timeline. Operating without registration after the deadline constitutes a violation of the Act.

Required Documentation

Certificate of Incorporation

Memorandum and Articles of Association

Audited Financial Statements (3 years)

Net Worth Certificate from Statutory Auditor

Technical Architecture Documentation

Information Security Audit Report

Data Processing Policies

Business Continuity Plan

Conflict of Interest Declaration

Board Resolution authorising application

Disclaimer

This guidance is provided for informational purposes and does not constitute legal advice. Registration requirements may be further specified by the Data Protection Board. Prospective applicants should engage qualified legal counsel and monitor official notifications.