India Moves To Operationalise Consent Managers As DPDP Enforcement Era Begins
With the data-protection rules now notified, the government is rolling out the consent-manager framework that will let citizens grant, review and withdraw data permissions across services.
The NE Times Technology Desk
Commentary & Analysis ·

India's data-protection regime is shifting from theory to practice. With the rules under the Digital Personal Data Protection framework now notified, the government is moving to operationalise the consent-manager system, a cornerstone mechanism intended to give individuals real control over how their personal data is collected and used across the digital economy.
What a consent manager does
Consent managers are envisioned as interoperable platforms through which a person, described in the law as a data principal, can grant, review and withdraw permissions across multiple services from a single interface. Rather than navigating dozens of separate privacy settings, users would manage their consents in one place, with companies required to honour those choices.
Officials are expected to bring this framework into operation over the coming weeks, marking one of the most tangible consumer-facing elements of the new regime. It shifts the burden away from individuals deciphering dense privacy policies and toward a standardised, auditable system of permissions.
A phased enforcement timeline
The rules were notified in late 2025, and the government has set out staggered dates for different provisions to take effect through 2026 and into 2027. The period ahead is widely seen as the transition from preparatory compliance, where firms map their data and update notices, to active enforcement, where regulators can hold them accountable.
- Consent managers let users grant, review and withdraw data permissions in one place
- The framework is being operationalised in the months following rule notification
- Enforcement is phased, with provisions taking effect through 2026 and into 2027
- Penalties for serious security failures can run into hundreds of crores of rupees
- Special protections apply to children's data and other sensitive categories
The stakes for business
The penalties for non-compliance are steep, with fines for failing to implement reasonable security safeguards reaching into the hundreds of crores of rupees, and substantial sums attached to mishandling children's data or failing to report breaches. That has pushed companies, from large platforms to smaller startups, to invest in data mapping, consent flows and breach-response plans.
“The consent manager is where data protection stops being a policy document and becomes something an ordinary user can actually touch.”
— Technology and privacy lawyer
Much will depend on how usable the consent-manager interfaces turn out to be, and how rigorously the regulator enforces the rules once they bite. If implemented well, the framework could become a reference point for privacy regimes in other emerging economies; if it becomes box-ticking, the promise of genuine user control will remain unrealised.
The NE Times View
Notified rules and a consent-manager framework finally move data protection from statute to practice, years after the law was first promised. The NE Times View: the test is whether consent managers genuinely empower citizens or become a compliance ritual that buries real control in fine print. Enforcement with teeth, applied equally to the state and to Big Tech, will decide whether the DPDP era means anything.
This article is original commentary and analysis by The NE Times. Background facts were referenced from The Indian Express and the Press Trust of India.
You may also like to read

WhatsApp begins its shift from phone numbers to usernames, with India in the firing line
The messaging giant is rolling out optional handles that let people connect without sharing their number, a change that quietly rewrites how its largest market communicates.

CISF Airport Facial-Recognition Plan Puts Privacy at Centre of Debate
The CISF is working on a Delhi data fusion centre to link facial-recognition systems across major Indian airports, reviving questions over aviation security, surveillance and passenger privacy.

Infosys Says AI Will Amplify Its Services, Not Replace the Company
Infosys leadership says artificial intelligence will not displace the IT major but will demand new skills, learning and operating models, reframing India's services sector around reskilling and proven productivity.

CUET UG 2026 Results Out: Admissions Race Begins Across 250+ Universities
The NTA has declared CUET UG 2026 results, with 3,214 candidates scoring a 100 percentile in at least one subject, kicking off cut-offs and counselling at more than 250 universities nationwide.
More from this section
More
ISRO Fires Semi-Cryogenic Engine Power Head at 175 Tonnes in Landmark Hot Test
ISRO successfully ran its indigenous semi-cryogenic engine power head at 175 tonnes of thrust, clearing a key hurdle toward powering the LVM3 upgrade and the Next Generation Launch Vehicle.

India Tech Funding Climbs to $7.2 Billion in H1 2026 Even as Deal Count Slumps
Indian tech startups raised $7.2 billion in the first half of 2026, up 12 per cent year-on-year, but the number of funding rounds fell sharply as capital concentrated in a handful of mega-deals.

OnePlus N6 Headlines a Crowded End-June Gadget Calendar in India
The OnePlus N6, with its 8,000mAh battery and sub-Rs 25,000 price tag, leads a busy late-June run of smartphone launches in India spanning OnePlus, Oppo and Samsung.