Searching for the True Face of Consent Managers

“Human beings are the agents of their own destiny.” Yet destiny, more often than not, bends to the command of the law, and third-party agents are imposed upon me. When the Digital Personal Data Protection Act, 2023 (DPDP Act), came into force, privacy enthusiasts immediately turned their attention to an entirely new type of intermediary it introduced — the Consent Manager.

Section 2(g) defines a Consent Manager as an entity registered with the Data Protection Board, acting as a unified, transparent, and interoperable point through which Data Principals can give, manage, review, or withdraw consent. Section 6(7) reinforces this role, while Section 6(8) declares that the Consent Manager must act on behalf of the Data Principal, accountable to them and bound by obligations yet to be detailed.

From these provisions, I envisioned an almost idealistic figure, a guardian of my data, a true agent who could bind me even more effectively than I could bind myself. In my imagination, Consent Managers were noble institutions: perhaps NGOs, charitable organisations, or government-backed bodies devoted to the cause of privacy. I pictured them as selfless agents who would make thoughtful decisions on my behalf, safeguard my interests, and uphold the fair use of my data. Individuals of unimpeachable character, untouched by commercial motives, sustained by CSR funds or philanthropic contributions. A benevolent service designed for ordinary citizens.

However, my quixotic imagination failed the moment I read the Digital Personal Data Protection Rules, 2025 (DPDP Rules). They paint a very different picture. Rule 4 and the First Schedule lay out a detailed set of requirements.

I am, as Descartes described, a thinking being capable of choice — yet the Consent Manager who acts on my behalf is not someone I am free to choose. It is someone defined and characterised by statute. And the law is clear: a Consent Manager cannot be an individual. It must be a company incorporated in India, equipped with the technical, operational, and financial capacity to discharge its responsibilities. Its “general character of management” must be sound — a phrase whose meaning continues to puzzle me. What is this “character”? How is it assessed? Has this expression “general character of management” ever been used meaningfully in another regulatory context? I am still searching for clarity.

Then comes the financial threshold: a minimum net worth of two crore rupees. With that, the role begins to look less like a public-spirited safeguard and more like the terrain of well-capitalised corporates. Such net-worth requirements are typical for financial intermediaries. Why mandate such a requirement here? Why this specific number? It almost appears arbitrary.

The more I read, the more my earlier idealism faded. The rules make it evident that the Consent Manager is expected to operate as a business, one that must demonstrate revenue prospects and provide corresponding capital adequacy. But what will be its source of revenue? Will individuals have to pay to manage their own consents? Will Data Fiduciaries pay for each consent processed? Will earnings depend on the number of consents granted or the number refused? This leads to a deeper concern: If commercial interests become central, how can a Consent Manager’s incentives remain aligned with the welfare of the Data Principal?

Technology, interoperability, and user-friendly consent mechanisms are undeniably important. That part is entirely logical. Yet the broader picture remains murky. I find myself perplexed — not just about the identity of a Consent Manager, but about its business model and even its intended purpose.

Are these entities supposed to be my agents, defending the sanctity of my personal data? Or are they simply another intermediary, positioned to profit from it? Only time will tell which face of the Consent Manager will ultimately emerge.

Despite all my confusions, I have one clear aspiration: as a legal practitioner, to create and register Consent Managers; and perhaps, in doing so, shape their true character.

Image Credits:

Photo by Galeanu Mihai on Canva
