TL;DR
India’s DPDP Rules 2025 are creating a new category of companies- Consent Managers
All Companies accessing customer data will need to report their data through these Consent Managers.
Consent Managers are to register with the Data Protection Board before November 2026
The market size for consent managers is estimated to be
~ Rs. 700 Cr in financial services alone.Who is a Consent Manager
Who is a Consent Manager?
The DPDP Rules 2025 introduces a new category of “Consent Managers” who will be registered intermediaries that enable customers to grant, manage, review, and withdraw consent of usage of their personal data across multiple apps/websites through a unified platform. This innovation makes it easy for individuals to exercise their rights over the usage of their data.The consent managers will need to be registered with the Data Protection Board, and the current timeline for registration is November 2026.
The Consent Manager, as envisaged by these rules is expected to :
enable secure consent flows allowing data principals (customers) to grant consent directly to data fiduciaries (platforms) or route consent through onboarded entities without accessing underlying personal data. They must also maintain comprehensive logs of all consents granted, denied, or withdrawn, including associated consent notices and data sharing records.
establish grievance redressal mechanisms enabling data principals to file complaints if their concerns are not addressed
build a platform as per the technical standards released by the Data Protection Board. Ensure that the platform is interoperable and has robust security measures in place to prevent data breaches.
How will it work?
An illustration of how consent manager will play a role in our current order flow
Priya orders biryani from Zomato. She provides her phone number and delivery address . She consents for Zomato to use this data only for food delivery operations.
In this scenario, Priya is the Data Principal while Zomato is the data fiduciary. Zomato has integrated with a consent manager. When Priya gave the order, and shared her data. The consent manager was invoked. The consent manager than stores a unique consent ID, the data elements consented for (phone and address in this case), order number, purpose for which this data can be used, duration for which Priya chooses to share the data with Zomato. (Refer image below for propose data flow)
So now, every time Priya orders again from Zomato, Zomato will access the data and give the order number to Consent manager to validate that it was used for the purpose that Priya had consented to.Priya herself would also be able to login to the consent manager’s site and manage her data on every platform including Zomato. For example it can login into the consent manager.
Proposed Flow: Consent Manager (Fig.1)
The Consent Manager acts as a neutral record-keeper enabling the management of consent and maintaining a comprehensive audit trail behind the access , retention and deletion of this data.
Opportunity Size in Fintech
As you can see, the Consent Manager will become a key enabler for the entire digital economy of India. A quick back of the envelope calculation for just the financial services industry alone indicates an annual market size of ~700 cr.
Assuming, a fixed annual fee charged by the consent manager a flat annual fee based on their size and consent volume needs.
Conservatively, Total addressable financial institutions: 2,000 entities (banks, NBFCs, fintechs, insurance firms requiring consent management). Adding a differential chargeable model based on size of the entity.
Tier 1 entities (large banks, major NBFCs): 100 entities at ₹15 lakh per year
Tier 2 entities (mid-size NBFCs, fintechs): 400 entities at ₹6 lakh per year
Tier 3 entities (smaller players): 1,500 entities at ₹2 lakh per year
Annual Market Size for Consent Management adds up to Rs 690 Cr in Financial Services alone.
Financial services is the go-to sector for SaaS companies as they can command premium pricing due to the sensitivity of data they handle, the regulatory complexity as well the requirements to integrate with their existing systems. If we add, growing sectors like ecommerce and edtech the opportunity size will als
The First Movers…
Its not a surprise that enterprise fintech players servicing the BFSI industry are the first movers in this segment. These players already understand the intricacies of the BFSI industry and many have seen the adoption of the Account Aggregator consent framework first-hand.
Solution Name | Promoted by | Current Operations |
|---|---|---|
Consentin | Leegality | E-Sign & Document Managemnt |
Co-Trust | Digio | E-Sign, E-NACH and Online KYC Solutions |
Privy | IDfy | Online KYC Solutions |
While these early movers have an advantage, I feel the real winners will be those who make consent management invisible to end users while solving for scale.