These two concepts are often confused because both involve the word “consent,” but they operate at fundamentally different levels, serve different purposes, and exist in different regulatory contexts.
Consent Manager Under India’s DPDPA
Under India’s Digital Personal Data Protection Act, 2023 (DPDPA), India introduced a new concept of “Consent Manager”, which is defined as an entity or person registered with the Data Protection Board (DPB) of India, who acts as the point of contact for individuals (e.g., a user or consumer) to manage their consent across multiple organizations.
The purpose of Consent Managers are to transmit an individual’s consent preferences to a Data Provider (e.g., a bank, hospital, e-commerce platform) or once validated forwards or blocks the request for Data Requester (e.g., a fintech, marketing firm, analytics agency).
Consent Managers act on behalf of the individual, not the businesses, and do not access or store the actual data, only mediates and authorizes based on consent data. Under DPDPA, Consent Managers are not required for businesses.
Key Functions:
- Records consent as a formal “consent artefact”
- Validates consent-based requests
- Forwards data access / withdrawal requests
- Blocks requests where valid consent does not exist
Characteristics:
- A registered third-party intermediary: A Consent Manager must be registered with the Data Protection Board of India (DPB). It must be a company incorporated in India with adequate technical, operational, and financial capacity (minimum net worth of ₹2 crore / ~$233,000).
- Acts on behalf of the Data Principal (individual): It is accountable to the individual — not to businesses (Data Fiduciaries). It provides a single point of contact for individuals to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.
- Does not access or store personal data: The Consent Manager mediates and validates consent but must ensure that personal data shared is not readable by the Consent Manager itself — it only handles consent artefacts (records of consent).
- Legally neutral: The DPDPA explicitly requires Consent Managers to avoid conflicts of interest with Data Fiduciaries, including those related to shareholding or key personnel relationships. Records consent artefacts for at least 7 years and must undergo audits reported to the DPB.
- Data Fiduciaries (businesses) may optionally integrate with registered Consent Managers. It is not mandatory for every business to use one, but if they do, it is through a registered and regulated channel.
In short, A DPDPA Consent Manager is a government-registered, neutral intermediary that is designed for consumers, and is not required to be used by businesses under DPDPA. They are different from Consent Management Systems/Platforms (such as TrustArc Cookie Consent Manager and TrustArc Consent & Preference Manager), which enables businesses to lawfully collect, validate, enforce, and demonstrate consent.
Consent Management Platform (CMP)
A Consent Management Platform (CMP), is an organization’s tool to manage the full consent lifecycle. The purpose is to enable businesses to lawfully collect and enforce consent.
The term ‘Consent Management Platform’ within the industry is most often referring to a cookie consent management tool for third party trackers/cookies, however it can also encompass first and zero party consent preferences (e.g., Marketing preferences for email, SMS, push, or product/brand preferences).
It is a regulatory requirement to capture and honor consent under many global privacy laws such as the GDPR, ePrivacy Directive, and others.
Key Functions:
- Collect and enforce valid consent for tracking
- Provide configurable consent experiences
- Maintain audit-ready records
- Align with MeitY guidance on cookie consent guidance
Characteristics:
- Not a regulated entity: It is a technology tool often deployed by businesses to display cookie banners and capture user preferences. It is not required to be registered with any authority and does not need to be a separate incorporated company.
- Operates on behalf of the business (Data Controller): Unlike the DPDPA Consent Manager, a CMP serves the business’s compliance needs, it helps them obtain and record valid consent from website visitors before setting non-essential cookies and allows users to opt in or out of categories of cookies (e.g., analytics, advertising, functional), display layered notices, and record consent strings.
- Handles personal data: CMPs often process consent records securely and may be treated as a Data Processor of the website operator, requiring a data processing agreement.
- No minimum financial or registration requirements from a regulatory standpoint — any company can build or provide a CMP.
In short, a cookie CMP enables businesses to lawfully collect, validate, enforce, and demonstrate user consent for trackers across websites and mobile apps. CMPs that also manage broader consent preferences, including zero- and first-party data, are commonly referred to as “Consent &
Preference Managers,” though they may still be labeled simply as a “CMP.”
With TrustArc, you can manage both. As a Google-certified “Gold” CMP partner, TrustArc supports cookie and tracker consent through the TrustArc Cookie Consent Manager. Additionally, the TrustArc Consent and Preference Manager, allows organizations to collect, manage, and centrally orchestrate user-submitted preferences across multiple consent collection channels and martech systems, ensuring those preferences are consistently honored.
| Characteristic | Consent Manager under DPDPA | Consent Management Platform (CMP) |
|---|---|---|
| Nature | Regulated legal entity | Software/technology product |
| Registration | Must register with India’s DPB | No regulatory registration required |
| Serves | The individual (Data Principal) | The business (Data Controller) |
| Scope | Broad personal data consent across organizations | Website/app cookie and tracker consent, zero and first party data consent and preferences |
| Data access | Cannot read personal data — consent artefacts only | May process consent and preference data |
| Neutrality | Must be independent; no conflict of interest with businesses | Deployed and configured by the business |
| Applicable law | India DPDPA | GDPR, ePrivacy Directive, CCPA, etc. |
| Accountability | Accountable to the Data Principal | Accountable to the Data Controller |
Summary
A Consent Manager under India’s DPDPA and a Consent Management Platform (CMP) may sound similar, but they serve entirely different roles in the privacy ecosystem.
A DPDPA Consent Manager is a government-registered, independent intermediary that acts on behalf of individuals (Data Principals). Its role is to facilitate, validate, and communicate consent across multiple organizations without ever accessing personal data itself. It is neutral, regulated, and optional for businesses, designed to give users centralized control over their consent decisions.
In contrast, a Consent Management Platform (CMP) is a business-operated technology solution used to collect, manage, enforce, and demonstrate consent—typically for cookies and tracker, and sometimes can include marketing preferences within the same solution. CMPs are not regulated entities, operate on behalf of the business (Data Controller), and are often required to comply with consent requirements under DPDPA.
In simple terms:
- A DPDPA Consent Manager empowers individuals across organizations as a trusted, regulated intermediary.
- A CMP enables businesses to comply with consent requirements within their own digital properties.
Understanding this distinction is critical: they are complementary but not interchangeable, and a DPDPA Consent Manager is not a substitute for a CMP, nor is it mandatory for businesses to use one.
Simplify Your India DPDPA Compliance Journey
From managing cookie consent to automating data subject requests (DSRs), TrustArc provides the tools you need to navigate India’s Digital Personal Data Protection Act with confidence. Transform manual compliance into a scalable, automated privacy program.
Explore DPDPA Solutions
