Countdown
Friday, November 13, 2026 · 203 days away
India DPDP Phase 2 — Consent Manager Framework Live
Event overview
Data Protection Board begins registering consent managers; intermediary framework activates.
The timer runs to 13 November 2026, the date on which the Consent Manager framework under India's Digital Personal Data Protection Act becomes operational. From that day the Data Protection Board of India begins registering entities that will sit between users and data fiduciaries, offering a single dashboard for granting, reviewing and revoking consent. Phase-two rules also activate notice requirements and the draft grievance-redressal workflow.
The DPDP Act received presidential assent on 11 August 2023 but was held back pending subordinate rules. The Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Rules, 2025 on 13 November 2025, setting a staggered commencement schedule with Consent Managers flipping on exactly twelve months later. A Consent Manager must be an Indian-incorporated company with a minimum net worth of ₹2 crore and must interoperate via the Account Aggregator-style API stack specified in the First Schedule.
The Data Protection Board, chaired under Section 18 by a person of Secretary-rank seniority, will publish its registration portal and a public directory of approved Consent Managers. Major fintech, telecom and e-commerce operators, including those handling more than 50 lakh users who are classified as Significant Data Fiduciaries under Section 10, are expected to route consent through these intermediaries. Children's data, meaning the data of users below 18, requires verifiable parental consent as a precondition for processing. The Act establishes penalties of up to ₹250 crore per instance of breach under Schedule I, administered by the Board through inquiries on suo motu cognisance or complaint. Consent Managers must maintain immutable logs of every consent transaction for a period of at least seven years, available on demand to the Board and the registered individual.
13 November 2026 ends the grace period carved out between rule-notification and operational enforcement. Until that moment the Board exists on paper but cannot register intermediaries, and consent UX remains whatever each company chooses. After the date, fiduciaries must route new consent flows through registered managers or document why they cannot, exposing themselves to inquiry under Section 28. It is also the last window for firms to align notice templates in the 22 scheduled Indian languages required by the rules. The twelve-month lag mirrors the approach used under the GDPR's two-year transition between publication in May 2016 and enforcement from 25 May 2018, a comparator MeitY has acknowledged in its explanatory memoranda.
Directly in scope is every data fiduciary processing digital personal data of Indian residents, a universe ranging from large tech platforms and banks to schools, hospitals, housing societies and government portals. Significant Data Fiduciaries face additional obligations including Data Protection Impact Assessments, periodic audits and the appointment of a Data Protection Officer resident in India. Children's data obligations apply with particular force to ed-tech, gaming and social-media platforms, which must implement age verification and parental-consent mechanisms. Consent Managers themselves represent a new regulated category of intermediary, expected to number in the low dozens in the first registration cycle, drawing entrants from the Account Aggregator ecosystem and from fintech players looking to extend into consent orchestration beyond financial data.
Phase two leads directly into the India DPDP full compliance deadline six months later, and the framework will be measured against the EU AI Act enforcement and the GDPR 10-year review as comparator regimes abroad.
When exactly is the Consent Manager framework live? 13 November 2026, twelve months after the DPDP Rules notification of 13 November 2025.
Is the rollout confirmed or expected? Confirmed in the Gazette. Operational activation depends on Board readiness, which remains a delivery risk given pending member appointments.
Who is responsible? The Ministry of Electronics and Information Technology owns the rules; the Data Protection Board of India administers registration and enforcement.
Where can I read the official announcement? The DPDP Rules, 2025 as gazetted by MeitY on 13 November 2025, alongside explanatory notes on meity.gov.in.