On November 13, 2025, India’s Ministry of Electronics and Information Technology (MeitY) published the Digital Personal Data Protection (DPDP) Rules, 2025 – putting a strict operational clock in place for every company that collects personal data in India.
Full compliance – including consent, privacy notice and security obligations, is required by May 13, 2027, according to Legistify’s DPDPA compliance analysis. That makes 2026 the critical build year.
DPDPA consent management is at the centre of that obligation. It covers the entire lifecycle of user consent: how it is requested, recorded, updated, communicated to processors and responded to when withdrawn. It is not a cookie banner. It is a layered operational framework that touches multiple systems and vendor relationships.
This guide breaks down what the law demands, where the operational complexity lies and how the new Consent Manager framework reshapes the picture for Data Fiduciaries.
What DPDPA requires from consent
Under Section 6 of the DPDPA, consent from a Data Principal must be free, specific, informed, unconditional and unambiguous – expressed through a clear affirmative action.
Rule 3 of the DPDP Rules, 2025 sets a higher bar for consent notices. Ardent Privacy’s analysis of the Rules notes that generic, post-facto or bundled notices will not meet regulatory expectations. A valid notice must name the categories of personal data being collected and the exact purpose for processing – delivered before or at the point of collection, as required under Section 5.
Three core obligations follow directly from this:
- Separate consent per purpose: marketing, analytics and service delivery cannot share a single consent record
- Plain language notices: notices that obscure choice through legal or technical phrasing are not compliant
- Withdrawal at any time: Section 6(4) gives every Data Principal the right to withdraw consent without penalty, at any point
When a Data Principal withdraws consent, Section 8(7) applies immediately. The Data Fiduciary must delete the personal data and make sure every downstream Data Processor does the same. This is an active system requirement, not a background cleanup task.
5 core requirements for DPDPA consent management
Translating legal obligations into your systems, requires taking care of five specific requirements. Firms that map these against their current systems will be able to easily surface the gaps.
Granular consent notices
Each processing purpose requires its own separate consent record. Marketing, analytics and service delivery cannot be consolidated into a single consent form, regardless of how the existing privacy policy is structured.
Pre-collection delivery
Consent must reach the Data Principal before or at the point of data collection. Collecting consent after the fact does not satisfy Rule 3.
Simple withdrawal mechanisms
The DPDPA requires that withdrawing consent is as easy as giving it. Buried opt-outs and multi-step settings flows create clear compliance exposure.
Downstream propagation
Withdrawal notification must reach every Data Processor handling that individual’s data. Processing must stop at every point in the chain, not just at the Data Fiduciary level.
Audit-ready consent records
Organisations must maintain logs capturing when consent was given, what it covered, when it was updated and when it was withdrawn. These records are the evidence layer for any Data Protection Board inquiry.
The Consent Manager framework and what it changes
Section 2(g) of the DPDPA defines a Consent Manager as a person registered with the Data Protection Board who acts as a single point of contact for Data Principals -enabling them to give, manage, review and withdraw consent through an accessible, transparent platform.
A Consent Manager is not an internal consent tool built and managed by a Data Fiduciary. It is an independent mediator, accountable directly to the Data Principal. Conflict-of-interest rules prohibit Consent Managers from holding financial or directorial ties with the Data Fiduciaries they serve.
Consent Manager provisions become effective one year after the DPDP Rules were notified – by November 13, 2026. For organisations with large or multi-sector user bases, building a consent system that can interface with registered Consent Managers is an important decision. The planning window is now, not after the framework activates.
Conclusion
DPDPA consent management is technically demanding and cuts across every system that collects or processes personal data. Meeting the May 2027 deadline requires addressing consent notice design, withdrawal flows, Data Processor obligations and audit logging-with enough lead time to test and iterate.
CyberNX provides end-to-end DPDPA consulting support: from consent architecture and notice design to Data Protection Impact Assessments and ongoing compliance programme management. To build your DPDPA consent management framework on solid ground, connect with our experts.
DPDPA Consent Management FAQs
What is DPDPA consent management?
DPDPA consent management refers to the legal and operational obligations Data Fiduciaries must meet around user consent under the Digital Personal Data Protection Act, 2023. It covers how consent is collected, recorded, managed and responded to – including handling withdrawal requests and making sure that downstream Data Processors comply.
What makes consent valid under the DPDPA?
Under Section 6, valid consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action. Bundled permissions, pre-ticked boxes and implied opt-ins do not qualify. Each processing purpose requires its own separate consent record.
What happens when a Data Principal withdraws consent?
Under Section 6(4), a Data Principal can withdraw consent at any time and without penalty. On withdrawal, Section 8(7) requires the Data Fiduciary to delete the personal data and ensure every downstream Data Processor stops processing and erases it as well.
What is the DPDPA consent compliance deadline?
Full DPDPA compliance – including all consent obligations – is due by May 13, 2027. Consent Manager provisions become operational separately, on November 13, 2026-12 months after the DPDP Rules, 2025 were notified by MeitY.




