The Compliance & Identity,
Intelligence Hub

Under India’s DPDP framework, a Consent Manager is an entity registered with the Data Protection Board of India (DPB) that provides an accessible, transparent, and interoperable platform to help users give, manage, review, and withdraw consent.

In simple terms: it acts as a trusted consent layer that helps users control how their personal data is used—while giving organizations a cleaner, auditable way to operationalize consent management.

You generally need valid consent when you are processing personal data and your use case does not fall under a permitted ground or other legally allowed basis under the DPDP framework.

• New data collection: When you collect personal data for a stated purpose.
• Purpose change: If you start using the same data for a new purpose not covered earlier.
• Sharing with vendors or partners: If downstream processors will access or use the data.
• Marketing and profiling: Especially where users must have clear choice and easy withdrawal.

Best practice: always show a clear notice covering what data is being collected, why it is needed, and how long it will be used for—then collect granular consent and make withdrawal as easy as opt-in.

The Digital Personal Data Protection Rules, 2025 were notified in November 2025, but they do not all start at once.

The rollout follows a staggered commencement. Some provisions came into force immediately on publication, while others take effect later—such as certain obligations beginning one year or eighteen months after notification.

For organizations, the practical takeaway is simple: become production-ready now by mapping data flows, standardizing notices and consent records, setting up DSR workflows, and making audit logging a default part of operations.

The DPDP framework uses a penalty schedule where the Data Protection Board of India determines penalties based on the nature, severity, and impact of the contravention.

• Up to ₹250 crore for failure to implement reasonable security safeguards leading to a breach.
• Up to ₹200 crore for failing to report a personal data breach to the Board and affected users, where required.
• Up to ₹50 crore for certain other contraventions, depending on the facts and severity.

The practical takeaway: build strong security, clean consent governance, and audit-ready proof from day one.

The DPDP framework does not explicitly use the word “cookies”, but if cookies, trackers, or similar technologies can identify a person or enable profiling, they may amount to personal data processing in practice.

A safer approach—especially if you use analytics, advertising, or third-party scripts—is to:

• Show a clear, purpose-wise cookie or tracker notice.
• Collect granular choices for categories such as analytics, marketing, and personalization.
• Provide an easy way for users to withdraw or update their choices at any time.

If you only use strictly necessary cookies, such as session or authentication cookies, you can still disclose them transparently even if the journey is not gated behind an opt-in step.

OpenBlockAI helps organizations operationalize DPDP-ready consent management across digital and assisted journeys:

• Consent Notice & Capture: Fast, clear, purpose-based consent notices across web, app, API, QR, IVR, and partner-led flows.
• Preference Centre: A self-serve place for users to review, update, and withdraw consent.
• Consent Records & Audit Logs: Audit-ready consent records with exports for compliance, disputes, and internal review.
• Vendor Sync & Automation: Webhooks and consent checks so downstream systems and processors stay aligned with the latest consent status.
• DSR Workflows: Structured workflows for access, correction, deletion, and grievance-related consent requests.