NE Times
Technology

India Moves To Operationalise Consent Managers As DPDP Enforcement Era Begins

With the data-protection rules now notified, the government is rolling out the consent-manager framework that will let citizens grant, review and withdraw data permissions across services.

The NE Times Technology Desk

Commentary & Analysis ·

3 min read
Illustration of a smartphone screen showing data consent toggles and privacy permission controls.
Illustration of a smartphone screen showing data consent toggles and privacy permission controls. · Picture: The NE Times

India's data-protection regime is shifting from theory to practice. With the rules under the Digital Personal Data Protection framework now notified, the government is moving to operationalise the consent-manager system, a cornerstone mechanism intended to give individuals real control over how their personal data is collected and used across the digital economy.

What a consent manager does

Consent managers are envisioned as interoperable platforms through which a person, described in the law as a data principal, can grant, review and withdraw permissions across multiple services from a single interface. Rather than navigating dozens of separate privacy settings, users would manage their consents in one place, with companies required to honour those choices.

Officials are expected to bring this framework into operation over the coming weeks, marking one of the most tangible consumer-facing elements of the new regime. It shifts the burden away from individuals deciphering dense privacy policies and toward a standardised, auditable system of permissions.

A phased enforcement timeline

The rules were notified in late 2025, and the government has set out staggered dates for different provisions to take effect through 2026 and into 2027. The period ahead is widely seen as the transition from preparatory compliance, where firms map their data and update notices, to active enforcement, where regulators can hold them accountable.

  • Consent managers let users grant, review and withdraw data permissions in one place
  • The framework is being operationalised in the months following rule notification
  • Enforcement is phased, with provisions taking effect through 2026 and into 2027
  • Penalties for serious security failures can run into hundreds of crores of rupees
  • Special protections apply to children's data and other sensitive categories

The stakes for business

The penalties for non-compliance are steep, with fines for failing to implement reasonable security safeguards reaching into the hundreds of crores of rupees, and substantial sums attached to mishandling children's data or failing to report breaches. That has pushed companies, from large platforms to smaller startups, to invest in data mapping, consent flows and breach-response plans.

The consent manager is where data protection stops being a policy document and becomes something an ordinary user can actually touch.

Technology and privacy lawyer

Much will depend on how usable the consent-manager interfaces turn out to be, and how rigorously the regulator enforces the rules once they bite. If implemented well, the framework could become a reference point for privacy regimes in other emerging economies; if it becomes box-ticking, the promise of genuine user control will remain unrealised.

The NE Times View

Notified rules and a consent-manager framework finally move data protection from statute to practice, years after the law was first promised. The NE Times View: the test is whether consent managers genuinely empower citizens or become a compliance ritual that buries real control in fine print. Enforcement with teeth, applied equally to the state and to Big Tech, will decide whether the DPDP era means anything.

This article is original commentary and analysis by The NE Times. Background facts were referenced from The Indian Express and the Press Trust of India.

Share

You may also like to read

More from this section

More