Summary. India notified the Digital Personal Data Protection Rules, 2025 on 14 November 2025, and the law is now phased into force on a fixed clock. The Data Protection Board of India provisions started immediately; consent manager registration applies about 12 months out, around 13 November 2026; and the core obligations on consent, breach notice and Significant Data Fiduciaries take effect 18 months out, on 13 May 2027. A consent manager must be a company incorporated in India with a net worth of at least ₹2 crore, must keep consent records for 7 years, and must run data-blind so it cannot read the personal data it routes. The penalty for weak security that leads to a breach reaches ₹250 crore. This checklist tells SaaS and fintech teams what to build before the 2027 deadline.
If you run product or compliance at an Indian SaaS, fintech, e-commerce or healthcare-AI firm, the planning question changed in November 2025. The DPDP Act, 2023 finally has operative rules, a notified gazette date, and a staged timeline that maps to your sprints. The Ministry of Electronics and Information Technology (MeitY) built the consent manager on top of India's Data Empowerment and Protection Architecture (DEPA), the same design that produced the Account Aggregator network in finance. So the model is not new in spirit. What is new is a hard deadline and a penalty schedule with real teeth.
This is a build checklist, not a legal summary. Each section names the concrete artefact, control or interface your engineering and compliance teams have to ship, and when.
What the DPDP consent manager actually is
A consent manager is a registered intermediary that lets a person give, review, manage and withdraw consent through a single interoperable dashboard. The DPDP Rules, 2025 set out the registration conditions in Rule 4 and Schedule I, and the Board oversees the register. Consent given through one consent manager has to be readable and actionable by another platform, and a withdrawal has to propagate across the services that relied on that consent.
The defining technical constraint is that the consent manager operates data-blind. The rules require that personal data be made available in a way that prevents the consent manager itself from reading its content. It moves consent artefacts and routing instructions, not the underlying records. That single requirement shapes the whole architecture: cryptographic handling, key custody, and a clean separation between the consent plane and the data plane.
On 6 June 2025 the National e-Governance Division under MeitY released a Business Requirement Document for consent management that breaks the platform into modules: collection, validation, withdrawal, dashboards, notifications, audit trails and grievance handling. Each module maps to a specific legal duty. Consent becomes a structured artefact with a unique consent ID, timestamps, purpose tags and an event log, exactly as the Account Aggregator framework already does for financial data.
The compliance clock: three phases, two dates that matter
The rules use a phased schedule rather than a single switch. The Board itself is already standing up; consent manager registration opens roughly a year after notification; and the substantive obligations land 18 months after notification. For a CTO, two dates govern the roadmap: November 2026 for anything that touches the consent manager register, and 13 May 2027 for everything else.
| Phase | Effective | What applies | Who it hits first |
|---|---|---|---|
| Phase I | On notification, mid-November 2025 | Data Protection Board of India set-up and definitions | The regulator itself |
| Phase II | About 12 months out, around 13 November 2026 | Consent manager registration and operation (Rule 4, Schedule I) | Firms building or using consent managers |
| Phase III | 18 months out, 13 May 2027 | Consent, notice, breach reporting, children's data, SDF duties | All data fiduciaries |
| Ongoing | From 13 May 2027 | Board adjudication and penalties active | Any non-compliant fiduciary |
The practical read is that you do not have until 2027 to start. The India Briefing timeline shows the consent manager pieces arriving first, and DPIA plus audit programmes for Significant Data Fiduciaries need lead time measured in quarters, not weeks.
Legal commentators read the staged dates the same way. Trilegal, analysing the notified rules, described the schedule as an 18-month runway to full compliance. Eighteen months sounds generous until you price in registration, re-architecture and an external audit.
The penalty schedule you are budgeting against
The Schedule to the DPDP Act sets maximum penalties by violation type, and the Board can stack separate penalties for distinct violations found in one inquiry. These are caps, not fixed fines; the Board weighs the nature of the fiduciary, the volume and sensitivity of data, and the harm caused. But the ceiling is what your risk committee will quote.
| Violation | Maximum penalty | Why SaaS and fintech should care |
|---|---|---|
| Failure to take reasonable security safeguards leading to a breach | ₹250 crore | Highest tier; covers most breach scenarios |
| Failure to notify the Board or data principals of a breach | ₹200 crore | Triggers your incident-response SLA |
| Non-compliance with children's data provisions | ₹200 crore | Hits edtech, gaming and consumer apps |
| Failure to meet additional SDF obligations | ₹150 crore | Applies once you are designated an SDF |
| Failure on consent, accuracy or erasure duties | ₹50 crore | The everyday operational tier |
| Breach of a data principal's duties | ₹10,000 | Falls on individuals, not firms |
Source for the schedule: the DPDP Act Schedule and analysis of the final rules. A single breach that also went unreported and involved children's data could, in principle, draw penalties from three tiers at once, which is how a "₹250 crore law" becomes a much larger exposure on paper.
Registration: what a consent manager must prove
If your firm plans to operate a consent manager, or to acquire or partner with one, Schedule I sets the bar. The conditions read like a fit-and-proper test borrowed from financial regulation, which fits the Account Aggregator lineage.
| Condition | Requirement | Build or governance implication |
|---|---|---|
| Incorporation | Company incorporated in India | India entity, India-resident directors |
| Net worth | At least ₹2 crore, inflation-adjusted | Capital and audited financials on file |
| Capacity | Technical, operational and financial capacity | Documented SRE, security and finance functions |
| Data-blind operation | Cannot read the personal data it routes | Consent plane separated from data plane |
| Conflict of interest | Cannot also be fiduciary or processor for the same principal | Corporate and contractual ring-fencing |
| Records | Consent audit trail retained for 7 years | Tamper-evident, queryable log store |
| Security | Encryption and audit-ready logging | AES-256 class encryption, key custody, SIEM |
The Board publishes registered consent managers on its website, and the registration framework under Rule 4 comes into force around 13 November 2026. Most SaaS and fintech firms will consume a registered consent manager rather than become one, the same way most lenders use an Account Aggregator instead of running their own.
The engineering checklist for data fiduciaries
Most readers are data fiduciaries, not consent managers. Your job is to make your product speak the consent manager protocol and to satisfy the notice, security and rights duties that bite on 13 May 2027. Work the list in this order.
1. Map your consent surface
Inventory every place you collect personal data: sign-up, KYC, cookies, SDK telemetry, support chat, marketing. For each, record the purpose, the legal basis and the data categories. You cannot wire a consent manager into a flow you have not mapped. This inventory also feeds your DPIA if you are designated a Significant Data Fiduciary.
2. Rebuild notice and consent as structured artefacts
Replace free-text consent checkboxes with machine-readable consent records carrying a unique ID, purpose tags, timestamps and an itemised notice. The Securiti analysis of the rules notes that the notice must be clear, itemised and available in English and the Eighth Schedule languages. Purpose tags are what let consent travel between platforms.
3. Make withdrawal as easy as granting
The rules require withdrawal to be as simple as consent. Build an API and a user-facing control that revokes consent, propagates the revocation to downstream processors, and stops processing for that purpose. Log the event. A withdrawal that does not propagate is a ₹50 crore-tier failure waiting to be filed.
4. Wire up the consent manager interface
Treat the consent manager like a payment gateway: an external, regulated interface you integrate against. Because the design is API-driven and modelled on Account Aggregator specifications maintained by ReBIT, expect standardised schemas and consent artefacts. Build an adapter now against the published architecture so you are not blocked when registration opens.
5. Handle children's data with verifiable parental consent
If your service can be used by anyone under 18, Rule 10 requires verifiable parental consent and bars tracking or behavioural monitoring of children. Approved verification can integrate DigiLocker to confirm a parent's identity and the parent-child link. Edtech, gaming and consumer fintech teams should treat this as a distinct flow, not a checkbox.
6. Stand up breach detection and a 72-hour reflex
Breach notification to the Board and to affected principals is its own penalty tier. You need detection, a severity rubric, a notification template and a rehearsed runbook. This is where privacy-first AI architecture pays off, because systems designed to minimise and segregate data produce smaller, more reportable incidents.
7. Prepare for Significant Data Fiduciary duties
If the Central Government designates your firm an SDF based on data volume and risk, you owe an annual Data Protection Impact Assessment, an annual independent audit, and a report of significant observations to the Board. Select your DPIA methodology and audit scope now. The lead time for an external audit is the constraint that most teams underestimate.
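As an added example, not code from the page, from eCorpIT or from the MeitY BRD, the Python sketch below puts steps 2 and 3 and the Schedule I records duty into one fiduciary-side store: each grant becomes a consent record with a unique consent ID, purpose tags, timestamps and an itemised notice; every event is appended to a hash-chained log stamped with its 7-year retention date so retained records are tamper-evident; and a withdrawal strips the purpose, propagates the revocation to each downstream processor on the record, logs the event and refuses further processing for that purpose. The class, field and processor names are hypothetical; the real schemas are whatever the registered consent manager publishes.

```python
# Hypothetical fiduciary-side consent store: field names are assumptions, not the MeitY/ReBIT schema.
import hashlib, json, uuid
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=7 * 365)  # Schedule I: consent audit trail kept for 7 years
GENESIS = "0" * 64

class ConsentLedger:
    def __init__(self):
        self.events = []    # append-only; each event links to the previous -> tamper-evident chain
        self.consents = {}  # consent_id -> {principal, purposes, notice, processors}
        self.active = {}    # processor -> set of (consent_id, purpose) it may still use

    def _append(self, event):  # stamp, chain and store one event; the hash covers every other field
        now = datetime.now(timezone.utc)
        event["ts"], event["retain_until"] = now.isoformat(), (now + RETENTION).isoformat()
        event["prev_hash"] = self.events[-1]["hash"] if self.events else GENESIS
        event["hash"] = hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()
        self.events.append(event)

    def grant(self, principal, notice, processors):  # notice: purpose tag -> plain-language text (itemised)
        cid = str(uuid.uuid4())  # the unique consent ID that travels between platforms
        self.consents[cid] = {"principal": principal, "purposes": set(notice),
                              "notice": dict(notice), "processors": list(processors)}
        for p in processors:  # every downstream processor learns exactly which purposes it holds
            self.active.setdefault(p, set()).update((cid, pu) for pu in notice)
        self._append({"type": "grant", "consent_id": cid, "principal": principal,
                      "purposes": sorted(notice), "notice": dict(notice)})
        return cid

    def withdraw(self, cid, purpose):
        """Revoke one purpose, propagate to every downstream processor, log it; returns who was told."""
        rec = self.consents[cid]
        rec["purposes"].discard(purpose)
        for p in rec["processors"]:
            self.active[p].discard((cid, purpose))
        self._append({"type": "withdraw", "consent_id": cid, "purpose": purpose,
                      "propagated_to": list(rec["processors"])})
        return list(rec["processors"])

    def may_process(self, cid, purpose):  # gate every processing call on this
        return purpose in self.consents.get(cid, {}).get("purposes", set())

    def verify_chain(self):  # recompute every hash and link; False means a retained record was altered
        prev, ok = GENESIS, True
        for e in self.events:
            body = json.dumps({k: v for k, v in e.items() if k != "hash"}, sort_keys=True)
            ok = ok and e["prev_hash"] == prev and hashlib.sha256(body.encode()).hexdigest() == e["hash"]
            prev = e["hash"]
        return ok
```

Run `verify_chain()` from the audit job; a False return means a record inside the 7-year window was altered after the fact and is the signal to escalate.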
India-specific considerations
Two India-specific realities shape the build. First, the Account Aggregator precedent means fintech teams already have a working mental model: cryptographically secure, traceable consent that moves without the intermediary retaining personal data. The DPDP consent manager generalises that pattern across sectors, and Reserve Bank Information Technology Private Limited (ReBIT) specifications are the likely template for technical standards.
Second, regulated fintech and healthcare firms sit under overlapping regimes. RBI directions, SEBI rules and sectoral data-localisation expectations do not disappear under DPDP; they layer on top. A lending app may answer to the RBI on data storage and to the Board on consent and breach notice at the same time. Teams shipping clinical AI under India's CDSCO and DPDP regime already manage this double duty, and the same discipline applies to fintech.
For multinationals, the practical cost is usually the migration of legacy consent state, not the new code. Mapping years of implied or bundled consent onto itemised, purpose-tagged artefacts is the slow part of the project.
Sequencing the work against the deadline
A workable order of operations, given the November 2026 and 13 May 2027 dates:
Through Q3 2026, finish the consent-surface inventory, the DPIA scoping and the notice rebuild. In Q4 2026, as the consent manager register opens, integrate against a registered consent manager and ship withdrawal propagation. Across the first half of 2027, run breach drills, complete an independent audit if you are an SDF, and freeze changes before 13 May 2027. Governance scaffolding such as enterprise AI agent governance layers helps here, because consent and purpose limitation have to hold even when autonomous systems act on the data.
Santosh Singh, senior vice-president for IT at DS Group, put the strategic case directly to The Tribune: "the industry must now invest in consent, making data protection a foundation for commerce and not a cost to it." The firms that treat consent as product infrastructure, not paperwork, will move fastest.
How eCorpIT can help
eCorpIT is a Gurugram-based technology organisation with senior-led engineering teams that build privacy-first data platforms for SaaS, fintech and healthcare-AI firms. We map consent surfaces, design data-blind consent manager integrations, and stand up DPIA and breach-response programmes against the 13 May 2027 deadline. Founded in 2021 and assessed at CMMI Level 5, we pair compliance architecture with production engineering rather than treating them separately. To scope a DPDP readiness plan for your stack, contact our team.
_Last updated: 26 June 2026._