
When the DPDPA Rules 2025 were notified, the immediate conversations focused on compliance timelines, registration norms, and the operational setup of the Data Protection Board. But hidden inside these Rules is the real policy story, the architectural decision that will influence how privacy operates in India for years to come. That story is the Consent Manager. As someone who works on data protection issues daily and as a researcher studying privacy behaviour, my perspective is shaped by both practice and academic inquiry. The uncomfortable truth is that India is not strengthening privacy. India is creating a privacy middleman. A middleman with more behavioural visibility than any single Data Fiduciary and potentially more than the State itself.
The Consent Manager is assumed to be the trusted layer without ever earning trust
The idea is one platform where users can give, view, withdraw, and track consent across different organisations. In practice it becomes a central point of visibility across a citizen’s entire digital life. A Consent Manager sees when a user interacts with which services, how often they give or withdraw consent, what categories of services they access, and behavioural patterns that reveal financial habits, lifestyle indicators, and even possible health triggers. This is not an exaggeration. It is basic metadata logic. A single Data Fiduciary only sees its own slice. The Consent Manager sees the entire stitched narrative. No global privacy law allows an intermediary to have this kind of centralised behavioural visibility, yet we have built it into our core framework.
The seven-year retention rule enables forced consent rather than protecting user autonomy
One line in the Rules should concern anyone who cares about privacy. It states that consent-related records must be retained for at least seven years, or longer if the Data Principal and the Consent Manager agree. Seven years for consent logs is already excessive, but the possibility of extended retention is worse. There is no real negotiation between a Data Principal and a Consent Manager. Users simply accept Terms of Service. If retention for ten or twelve years is buried in those Terms, users have no meaningful choice. This is not real consent. It is coerced acceptance framed as compliance. It goes against purpose limitation, minimisation, and the rights-based intention of the DPDPA.
The conflict of interest clause appears strict but is practically unenforceable
The Rules prohibit Consent Manager promoters, directors, and key managerial personnel from having ties with Data Fiduciaries. It is a good principle. But India’s technology and investment ecosystem is deeply interconnected. Investors overlap. Board members often sit across multiple companies. Leadership talent circulates through the same networks. Expecting perfect independence is unrealistic without a strong disclosure and enforcement framework. Without clarity and monitoring, this clause becomes symbolic rather than protective.
The rule against subcontracting is vague and creates operational confusion
The Rules state that a Consent Manager cannot subcontract its obligations. It is unclear whether this means they cannot use cloud providers, cybersecurity companies, or external processors. If interpreted strictly, it could prevent Consent Managers from using essential technical infrastructure. If interpreted loosely, it may allow excessive outsourcing. A privacy-critical intermediary cannot function on ambiguous boundaries. The law needs clarity on what forms of outsourcing preserve accountability while still allowing technological competence.
Interoperability is presented as a convenience feature but it significantly increases risk
The Rules require Consent Managers to be interoperable across Data Fiduciaries and sectors. Although this looks user-friendly, it introduces heavy systemic risk. If a Consent Manager is breached, the attacker does not get one dataset. They get a behavioural map of the person across health, finance, mobility, education, employment, and more. Interoperability is strong from a convenience angle but weak from a privacy architecture angle unless paired with strict cryptographic protections, decentralised logs, and minimisation requirements. None of these safeguards has been meaningfully specified.
No major global privacy law uses a Consent Manager model and that is not a coincidence
GDPR, California’s CCPA/CPRA, Brazil’s LGPD, and Singapore’s PDPA all avoid the creation of an intermediary who sits between users and data controllers. Global regulators have consistently rejected this idea because centralising consent logs and metadata creates profiling potential, breaks separation principles, increases breach impact, and concentrates power in unregulated hands. These are exactly the risks India is designing into its Consent Manager model. This indicates that our approach is not inspired by privacy best practices. It is inspired by India’s Digital Public Infrastructure philosophy, the same logic behind Account Aggregators and DEPA. Those models work well in finance, where the ecosystem is narrow and regulated. Privacy is not narrow. It is a fundamental right. Applying a financial-style aggregator architecture to privacy is structurally risky.
Is the Consent Manager really for the user or for the ecosystem?
This is the real policy question. Is the Consent Manager meant to empower the Data Principal, or is it designed to create a new compliance-oriented ecosystem? There was no grassroots demand for a privacy intermediary. No global model recommends one. There is no rights-based necessity. But the Consent Manager does create a new licensed category, new opportunities for regtech companies, expansion of DPI-linked businesses, and an entire market for compliance technology. These may be valid for the economy, but they are not privacy outcomes. When an architecture contradicts minimisation, decentralisation, and user autonomy, it becomes important to question what the model truly serves. Nothing illegal is happening. But from a rights perspective the design logic appears misaligned. We are introducing a privacy intermediary that users did not ask for, that no global privacy law requires, that retains records for seven years, and that accumulates metadata across sectors. The alignment of incentives suggests that this model strengthens the ecosystem more than it strengthens the user.
In my view
The Consent Manager model can succeed only if the architecture is corrected. Retention periods must be reduced. Extended retention must not be legitimised through coerced agreement. Subcontracting rules need clarity. Processors should be allowed, but core obligations must not be outsourced. Privacy-preserving design must be built into the system from day one. Mandatory audits, transparency reports, and explicit bans on metadata monetisation are essential. Conflict-of-interest rules must be enforceable, not aspirational.
Conclusion:
That is the structural danger. If this model continues without architectural reform, India will end up with a Consent Manager that becomes a point of concentration and vulnerability instead of a safeguard. We will have created exactly the kind of privacy risk that global regulators intentionally avoided. India is at a critical point. The Consent Manager can become a showcase of innovation or a long-term structural weakness. The outcome depends on whether we treat privacy as a rights-first design challenge or as a compliance-driven business opportunity. At the moment we are drifting toward the second path, and the cost of that choice will be borne by the Data Principal.
