
Pursuant to the enactment of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the personal data of a ‘Data Principal’[1] can be processed only in accordance with the DPDP Act and for a lawful purpose for which the Data Principal has given consent. This consent needs to be ‘free, specific, informed, unconditional and unambiguous’ with a clear affirmative action. The DPDP Act has introduced the concept of a ‘Consent Manager’ to streamline the process of obtaining the consent of the Data Principal and allows the Data Principal to give, manage, review or withdraw consent to the ‘Data Fiduciary’[2] through a Consent Manager.
Who is a Consent Manager?
A Consent Manager is defined as “a person registered with the Data Protection Board of India, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform”. The DPDP Act further provides that Consent Managers will be: (i) required to be registered with the Data Protection Board of India (“Board”); and (ii) accountable to the Data Principal and will act on her behalf. The qualifications and procedure for registration as a Consent Manager, as well as the obligations of the Consent Manager, have been provided in the draft Digital Personal Data Protection Rules, 2025 published by the Ministry of Electronics and Information Technology on January 3, 2025 (“Draft Rules”, examined in our article here).
Conditions for Registration as a Consent Manager
The Draft Rules provide for the following conditions for registration as a Consent Manager:
- The applicant must be a company incorporated in India;
- It must have adequate technical, operational and financial capacity to fulfil Consent Manager obligations and a sound financial condition and competent management;
- It should have a net worth of at least Rs. 2,00,00,000/- (Rupees Two Crore);
- The volume of business likely to be available to and the capital structure and earning prospects of the company should be adequate;
- Directors, key managerial personnel and senior management of the company should have a good reputation for fairness and integrity;
- The company’s memorandum of association and articles of association must include provisions ensuring adherence to conflict-of-interest obligations, with changes allowed only with prior Board approval;
- Its operations should align with the interests of Data Principals; and
- The applicant’s platform must be independently certified for compliance with data protection standards and technical security requirements as specified by the Board.
Obligations of a Consent Manager
The obligations of the Consent Managers as provided under the Draft Rules are summarised below:
- Enable Data Principals to give consent for their personal data processing by Data Fiduciaries through its platform;
- Ensure that personal data or its sharing is not readable by the Consent Manager itself;
- Maintain records of consents, notices preceding or accompanying requests for consents, and data sharing activities on its platform;
- Provide Data Principals access to their consent records, make information available in machine readable form upon request and maintain records for at least 7 (seven) years;
- Develop and maintain a website or app for Data Principals to access services provided by the Consent Manager;
- Not sub-contract its obligations under the DPDP Act and the Draft Rules;
- Implement reasonable security measures to prevent personal data breaches;
- Act in a fiduciary capacity in relation to the Data Principal;
- Avoid conflict of interest with Data Fiduciaries;
- Publish information about company ownership, shareholding, and any conflicts of interest on its website or app;
- Maintain effective audit mechanisms to review compliance with technical and organizational controls, registration conditions and regulatory obligations; and
- Obtain prior approval from the Board before transferring company control through sale, merger, or other means.
Account Aggregators
While the concept of a Consent Manager has been newly introduced under the DPDP Act, the Reserve Bank of India (“RBI”) has established a similar framework via the ‘Account Aggregator’ (“AA”) network as a financial information sharing system under the Master Direction – Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016 issued on September 2, 2016 (“AA Directions”)[3].
An Account Aggregator is a type of non-banking financial company (NBFC) that facilitates the retrieval and collection of a customer’s financial information. The Account Aggregator framework ensures that no financial information is accessed, shared or transferred without the customer’s explicit consent. It enables the secure transfer of financial information between institutions based on the individual’s instructions and consent.
Entities can join the Account Aggregator framework either as a financial information provider (“FIP”), such as banks, NBFCs, asset management companies, depositories, insurance companies, pension funds and others, or as a financial information user (“FIU”), i.e. an entity regulated by a financial sector authority.
Similar to a Consent Manager, an Account Aggregator provides services to a customer based on the customer’s explicit consent and must ensure that the provision of services to a customer is backed by appropriate agreements or authorisations between the Account Aggregator, the customer and the FIPs. The Account Aggregator can share information only with the customer to whom it relates or any other FIU as authorized by the customer in accordance with the terms of the consent provided by the customer. Additionally, the Account Aggregator cannot part with any information that it may come to acquire from or on behalf of a customer without the explicit consent of the customer.
The AA Directions also provide for a consent architecture in relation to the financial information of the customer which states that:
- Financial information of a customer cannot be retrieved, shared or transferred by the Account Aggregator without the explicit consent of the customer;
- The Account Aggregator is responsible for obtaining, submitting and managing the customer’s consent as per the AA Directions;
- Consent must be documented in a standardised format, containing: (a) customer identity and optional contact information; (b) nature of financial information requested; (c) purpose of information collection; (d) recipients of the information, if any; (e) URL or other address to which notification needs to be sent every time the consent artefact is used to access information; (f) consent creation date, expiry date, identity and signature of the Account Aggregator; and (g) any other details as prescribed by the RBI;
- Consent artefacts can also be obtained and maintained in electronic form;
- Customers must be informed about consent details and their right to file complaints if grievances are not addressed;
- Customers must have the ability to revoke consent fully or partially and a fresh consent artefact must be issued upon revocation; and
- Electronic consent artefacts should be capable of being logged, audited and verified.
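The standardised consent artefact described above, and the properties the last three points require of it (revocable in full or in part, logged, audited and verified), are easier to see in code. The following Python model is an added example and is not ReBIT's specification or any Account Aggregator's code; the field names, the HMAC-SHA256 signature standing in for the Account Aggregator's signature, the in-memory revocation list and audit log, and the sample customer and FIU identifiers are all assumptions constructed for illustration.

```python
"""Illustrative model of an electronic consent artefact in the shape the AA
Directions describe: a fixed-field record signed by the Account Aggregator
that can be verified, logged, audited and revoked (fully or partially).
Added example; field names, signature scheme and sample values are assumed."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed values standing in for the Account Aggregator's identity and
# signing key; a real deployment would use proper key management.
AA_ID = "AA-EXAMPLE-01"
AA_SIGNING_KEY = b"constructed-aa-signing-key"
T0 = datetime(2025, 1, 3, tzinfo=timezone.utc)   # constructed reference time


def _canonical(artefact):
    """Serialise every field except the signature in a deterministic order."""
    body = {k: v for k, v in artefact.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _sign(artefact):
    return hmac.new(AA_SIGNING_KEY, _canonical(artefact), hashlib.sha256).hexdigest()


def issue_artefact(customer_id, info_types, purpose, recipients, notify_url,
                   validity_days, now=T0, contact=None):
    """Create and sign a consent artefact carrying the (a) to (g) fields."""
    artefact = {
        "customer_id": customer_id,            # (a) customer identity
        "customer_contact": contact,           # (a) optional contact details
        "info_types": sorted(info_types),      # (b) nature of information
        "purpose": purpose,                    # (c) purpose of collection
        "recipients": sorted(recipients),      # (d) FIUs allowed to receive it
        "notify_url": notify_url,              # (e) notified on every use
        "created": now.isoformat(),            # (f) creation date
        "expires": (now + timedelta(days=validity_days)).isoformat(),  # (f)
        "aa_id": AA_ID,                        # (f) identity of the AA
        "extra": {},                           # (g) any RBI-prescribed details
    }
    artefact["artefact_id"] = hashlib.sha256(_canonical(artefact)).hexdigest()[:16]
    artefact["signature"] = _sign(artefact)    # (f) signature of the AA
    return artefact


def verify_artefact(artefact, revoked_ids, now):
    """Return (ok, reason): signature intact, not revoked, not expired."""
    if not hmac.compare_digest(_sign(artefact), artefact.get("signature", "")):
        return False, "bad-signature"
    if artefact["artefact_id"] in revoked_ids:
        return False, "revoked"
    if now >= datetime.fromisoformat(artefact["expires"]):
        return False, "expired"
    return True, "ok"


def use_artefact(artefact, fiu_id, requested, revoked_ids, audit_log, now):
    """Gate one information request on the artefact and log the outcome."""
    ok, reason = verify_artefact(artefact, revoked_ids, now)
    if ok and fiu_id not in artefact["recipients"]:
        ok, reason = False, "fiu-not-a-recipient"
    if ok and not set(requested) <= set(artefact["info_types"]):
        ok, reason = False, "info-type-outside-consent"
    # Every use, allowed or refused, is appended to the audit trail; the
    # notification the Directions require would be sent to "notify_url".
    audit_log.append({"at": now.isoformat(), "artefact_id": artefact["artefact_id"],
                      "fiu": fiu_id, "requested": sorted(requested),
                      "allowed": ok, "reason": reason,
                      "notify": artefact["notify_url"]})
    return ok, reason


def revoke_artefact(artefact, revoked_ids, now, keep_info_types=()):
    """Revoke in full (returns None) or in part: the old artefact is retired
    and a fresh, narrower artefact is issued for the retained information."""
    if not set(keep_info_types) <= set(artefact["info_types"]):
        raise ValueError("cannot widen consent during revocation")
    revoked_ids.add(artefact["artefact_id"])
    if not keep_info_types:
        return None
    remaining_days = (datetime.fromisoformat(artefact["expires"]) - now).days
    return issue_artefact(artefact["customer_id"], keep_info_types,
                          artefact["purpose"], artefact["recipients"],
                          artefact["notify_url"], remaining_days, now=now,
                          contact=artefact["customer_contact"])


if __name__ == "__main__":
    revoked, log = set(), []
    art = issue_artefact("CUST-1", ["deposit", "term-deposit"], "loan underwriting",
                         ["FIU-BANK-A"], "https://fiu-a.example/notify", 30)
    print(use_artefact(art, "FIU-BANK-A", ["deposit"], revoked, log, T0 + timedelta(days=1)))
    print(use_artefact(art, "FIU-BANK-B", ["deposit"], revoked, log, T0 + timedelta(days=1)))
    narrower = revoke_artefact(art, revoked, T0 + timedelta(days=2), keep_info_types=["deposit"])
    print(verify_artefact(art, revoked, T0 + timedelta(days=2)), narrower["info_types"])
```

The signature covers every field, so altering the purpose, recipients or expiry after issue is detected as tampering; revocation is recorded in a separate list rather than by editing the signed record, which is what lets both the retired and the fresh artefact stay verifiable in the audit trail.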
Conclusion and Analysis
The DPDP Act introduces the Consent Manager framework as a new regulatory mechanism to streamline and standardize personal data processing. In contrast, the AA framework, established by the RBI in 2016, has been operational for several years in the financial sector. While the AA framework already governs financial data-sharing through explicit customer consent, the DPDP Act and the Draft Rules expand similar principles to broader categories of personal data across industries.
Since the Consent Manager and AA frameworks share similar principles, and given that Reserve Bank Information Technology Private Limited (ReBIT) has already established a set of core technical specifications for Account Aggregators, it is probable that Consent Managers will also be required to adhere to similar technical standards. Entities looking to register as Consent Managers may benefit from reviewing these technical specifications on ReBIT’s website (www.rebit.org.in).
With the DPDP Act bringing personal data protection into a formal legal structure, businesses handling consumer data must adapt to a more structured and compliance-driven ecosystem. The interplay between the new Consent Manager framework and the existing AA framework will require alignment to avoid redundancy and ensure seamless, consent-based data governance across both personal and financial domains. The success of these frameworks will depend on strict enforcement, technological integration and user education to ensure individuals can effectively exercise control over their data.
[1] Section 2(j) of the DPDP Act defines “data principal” as an individual to whom the personal data relates and where such individual is – (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.
[2] Section 2(i) of the DPDP Act defines “data fiduciary” as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.