Introduction to Consent Managers under India’s DPDPA
India’s Digital Personal Data Protection Act, 2023 (“DPDPA”), in conjunction with the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), collectively known as the “DPDP Framework”, introduces the concept of consent managers. These entities have garnered less attention within the context of Global Capability Centres (GCCs) than they warrant. With full compliance obligations slated for enforcement by May 2027, and the registration for consent managers commencing in November 2026, GCCs that delay operational decisions risk facing time constraints in achieving compliance.
Role and Definition of Consent Managers
Section 2(g) of the DPDPA defines a consent manager as an intermediary registered with the Data Protection Board of India (“the Board”) to facilitate a data principal’s ability to give, manage, review, and withdraw consent through an easily accessible, transparent, and interoperable platform. A consent manager, when selected by the data principal, acts in a fiduciary capacity on behalf of the data principal. To qualify, entities must be incorporated in India, maintain a minimum net worth of INR 2 crore, and function independently of any data fiduciary, operating on a data-blind basis. This means they manage and record consent without accessing or monetizing the personal data involved. Registration with the Board and adherence to technical, operational, and governance standards prescribed by the DPDP Rules are mandatory.
Application of the DPDP Framework to GCCs
The DPDP framework governs the processing of all digital personal data within India, regardless of its origin, and extends to processing activities outside India related to offering goods or services to Indian data principals. For many GCCs, the applicability of this framework arises from their processing activities and underlying contractual relationships. Certain compliance obligations, notably those concerning consent managers, do not apply to Indian entities processing foreign data principals’ personal data under contracts with entities outside India. This exemption is significant as it prevents overlapping compliance obligations, such as those under the DPDPA and GDPR, for the same processing activities.
For instance, a GCC handling the personal data of employees in the UK, Germany, or the Netherlands under a foreign service agreement is exempt from the DPDP Framework’s consent compliance requirements for that activity. Thus, consent managers are not involved, and the data principals’ consent remains subject to their home jurisdiction’s data protection laws.
Challenges and Complexities
The exemption operates at the data principal’s level and the contractual basis of data processing, not at the entity level. This nuance poses challenges for GCCs processing foreign personal data under foreign contracts while simultaneously managing Indian personal data for their own operations or services to Indian customers. Such activities fall fully under the DPDP Framework, including the requirement to interface with consent managers when Indian data principals exercise their consent rights.
Most large GCCs do not segregate Indian and non-Indian personal data environments. Shared infrastructure across HR systems, identity management platforms, and other tools means a unified approach to consent management is necessary. As the consent provisions of the DPDPA come into effect, GCCs will need to conduct ongoing analyses to determine which operations are subject to the DPDP Framework.
Implications for GCC Compliance Strategies
GCCs processing data under the DPDP Framework must be technically prepared to receive and honour consent signals from any registered consent manager chosen by Indian data principals. The choice of consent manager lies with the data principal, not the GCC, necessitating an interoperable infrastructure capable of connecting with various consent managers.
For activities exempt under the foreign-principal carve-out, consent manager provisions do not apply, and foreign data principals’ rights are governed by their jurisdiction’s regulations, such as GDPR. For GCCs serving European parents, GDPR mechanisms and existing agreements remain the primary framework.
GCCs must prioritize identifying which processing operations involve Indian data principals to ensure compliance with the DPDP Framework. This involves assessing contractual bases for foreign-principal data processing, essential for developing a robust consent management compliance program. Delaying these efforts until closer to the May 2027 deadline may result in a compressed timeline, particularly when systemic changes are needed.
Conclusion
The consent manager framework represents a notable development in India’s data protection landscape and warrants increased attention from GCCs. While the foreign-principal carve-out offers relief, it also adds complexity to GCC operations. Compliance efforts should focus on accurately identifying applicable processing activities, building necessary infrastructure, and maintaining separation to allow the carve-out to function effectively.
About the authors: Siddhi Ghatlia is a Partner and Khusbu Jasani is a Principal Associate at ALMT Legal.
Disclaimer: The views expressed in this article are those of the authors and do not necessarily reflect those of Bar & Bench.
