Skip to main content
consent-cmp schedule 10 min read

Registered Consent Manager vs Consent Management Platform: What Indian Businesses Actually Need

DPDP's Registered Consent Manager is NOT the same as a CMP. Learn the critical difference, the Nov 2026 deadline, and what your business actually needs.

ZenoComply Team ·

The DPDP Act introduces a concept called the “Consent Manager” — and it is causing widespread confusion. Businesses assume they need to become one, or that any consent tool qualifies as one.

Neither is true.

There is a critical legal distinction between a Registered Consent Manager (a DPDP-regulated entity) and a Consent Management Platform (a software tool). Confusing the two can lead to wasted compliance budgets, missed deadlines, or worse — a false sense of compliance.

This post breaks down exactly what each term means, who needs what, and how to make the right choice for your business before the November 2026 registration deadline.

Section 6 of the DPDP Act, 2023 defines a Consent Manager as:

A person registered with the Data Protection Board of India who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.

This is not a software category. It is a legal entity — a company that must meet specific regulatory requirements to operate.

Registration Requirements

The Data Protection Board has outlined strict criteria for Consent Manager registration:

RequirementDetails
Entity typeMust be a company incorporated in India
Minimum net worthRs 2 Crore (approximately $240,000 USD)
Registration bodyData Protection Board of India
Registration deadlineNovember 2026
InteroperabilityMust provide interoperable consent infrastructure
AccountabilityActs as a fiduciary on behalf of Data Principals
Audit obligationsSubject to DPB audits and compliance reviews
Penalty exposureUp to Rs 50 Crore for non-compliance as a Consent Manager

A Registered Consent Manager is essentially an intermediary that sits between individuals (Data Principals) and businesses (Data Fiduciaries). Think of it like a credit bureau for consent — a regulated entity that maintains consent records across multiple organizations.

Very few companies. This path is designed for:

  • Large technology platforms building consent infrastructure at national scale
  • Industry bodies that want to offer shared consent services to their members
  • Government-backed digital identity providers extending into data consent
  • Specialized consent technology companies with deep regulatory expertise and capital reserves

If you are a regular business — an e-commerce store, a SaaS company, a healthcare provider, a financial services firm — you do not need to register as a Consent Manager. You need a tool. That tool is a Consent Management Platform.

A Consent Management Platform is a software product that helps businesses collect, store, and manage user consent in compliance with privacy regulations.

A CMP does not require registration with any regulatory body. It is a business tool — similar to how you use accounting software without being a chartered accountant.

What a CMP Does

FunctionDescription
Consent collectionDisplays consent banners, pop-ups, and notices to users
Purpose-level consentCollects separate consent per data processing purpose
Consent storageMaintains auditable records of who consented, when, and to what
Cookie blockingBlocks non-essential cookies and trackers until consent is given
Withdrawal mechanismProvides users an easy way to revoke consent
Multi-language supportDisplays consent notices in regional languages
Compliance reportingGenerates reports for audits and regulatory inquiries
AspectRegistered Consent ManagerConsent Management Platform (CMP)
What it isA regulated legal entityA software tool
Registration requiredYes, with the Data Protection BoardNo
Minimum net worthRs 2 CroreNone
Who uses itInfrastructure providers operating at national scaleAny business that processes personal data
Regulatory exposureSubject to DPB oversight and penalties up to Rs 50 CrNot directly regulated (the business using it is)
RoleIntermediary between Data Principals and Data FiduciariesTool used by a Data Fiduciary for their own compliance
Interoperability mandateMust be interoperable across platformsNo regulatory mandate (vendor choice)
DeadlineNovember 2026 for registrationNo deadline (but your compliance deadline is May 2027)
ExampleA DigiLocker-like consent layerZenoComply, CookieYes, OneTrust

The simplest analogy: a Registered Consent Manager is like a bank (regulated entity with capital requirements). A CMP is like accounting software (a tool any business can use).

Why This Confusion Exists

Three factors drive the confusion:

1. Terminology Overlap

The word “consent manager” appears in both contexts. Marketing materials from CMP vendors sometimes use “consent manager” loosely, making it sound like their product fulfills the DPDP Consent Manager requirement. It does not.

2. GDPR Influence

Under GDPR, “consent management” is primarily a software category. There is no equivalent to India’s Registered Consent Manager concept. Businesses familiar with GDPR naturally assume “consent manager” means “consent software.”

3. Vendor Ambiguity

Some vendors deliberately blur the line to appear more authoritative. If a vendor claims their software makes you a “DPDP Consent Manager,” that is either misleading or they are conflating two distinct concepts.

What Does Your Business Actually Need?

For 99% of businesses operating in India, the answer is straightforward: you need a Consent Management Platform (CMP).

Here is the decision framework:

You Need a CMP If You:

  • Operate a website or app that collects personal data from users in India
  • Use cookies, analytics, or advertising trackers
  • Store customer data for marketing, service delivery, or operations
  • Need to demonstrate DPDP compliance during audits
  • Want to manage consent records with timestamps and audit trails
  • Need to support consent withdrawal as required by Section 6(4)
  • Plan to operate consent infrastructure as a service to other businesses
  • Have Rs 2 Crore+ net worth and want to position as a DPDP-regulated entity
  • Are building a platform that aggregates consent across multiple Data Fiduciaries
  • Want to serve as the single point of contact for Data Principals across industries

If you fall into the second category, you likely already know it. The registration process, capital requirements, and regulatory obligations make this a specialized play.

What to Look for in a DPDP-Compliant CMP

Not every CMP on the market is built for Indian compliance. Many were designed for GDPR and have been lightly adapted. Here is what genuine DPDP readiness looks like:

Must-Have Features

FeatureWhy It Matters Under DPDP
Purpose-level consentDPDP requires separate consent per purpose — no bundled consent
22-language supportConsent notices must be available in Schedule 8 languages
No cookie wallsDPDP prohibits conditioning access on consent
Easy withdrawalWithdrawal must be as easy as giving consent (Section 6(4))
Consent recordsAuditable records with timestamp, purpose, and categories
Pre-consent blockingNon-essential cookies must be blocked before consent
No pre-checked boxesDefault must be opt-out, not opt-in
Grievance mechanismMust link to or integrate with a grievance handling process

Good-to-Have Features

  • Geo-targeting: Show DPDP-specific notices to India visitors, GDPR to EU visitors
  • Consent expiry management: Prompt re-consent before records expire
  • Integration with DSR tools: Connect consent data to data subject request workflows
  • Custom branding: Match consent banners to your site design
  • Analytics dashboard: Track consent rates, withdrawal patterns, and compliance gaps

The November 2026 Deadline: What It Means for You

The Data Protection Board has set November 2026 as the deadline for Consent Manager registration. This applies only to entities that want to operate as Registered Consent Managers.

For regular businesses, the relevant deadline is May 13, 2027 — the DPDP enforcement date. However, waiting until 2027 is risky because:

  1. Consent records take time to build: You need historical consent data before enforcement begins
  2. Website changes require testing: Implementing cookie blocking and consent banners requires QA cycles
  3. Staff training is needed: Your team must understand how to handle consent withdrawal requests
  4. Audit readiness is gradual: Compliance documentation and processes must be in place before the DPB comes knocking

Our recommendation: Have your CMP deployed and collecting consent by Q3 2026 at the latest. This gives you a 6+ month buffer of consent records before enforcement.

How ZenoComply Fits as a CMP

ZenoComply is a Consent Management Platform built specifically for Indian businesses and DPDP compliance. It is not a Registered Consent Manager, and it does not pretend to be one.

What it does:

  • DPDP-first design: Built for Indian privacy law, not adapted from a GDPR tool
  • Purpose-level consent collection: Separate opt-in per processing purpose, no bundling
  • 22-language consent notices: Full Schedule 8 language support out of the box
  • Pre-consent cookie blocking: Blocks trackers before consent is given
  • Auditable consent records: Timestamped, searchable, exportable for DPB audits
  • Easy withdrawal: One-click consent revocation for Data Principals
  • India pricing: Designed for Indian businesses, not priced for Fortune 500s
  • Lightweight widget: Fast-loading consent banner that does not slow down your site
  • DSR integration: Connects consent data to data subject request workflows

ZenoComply handles the CMP layer of your DPDP compliance. You focus on running your business.

Common Questions

Can I use a GDPR-focused CMP for DPDP compliance?

Partially. GDPR-focused tools like Cookiebot or OneTrust handle cookie consent well, but they may lack DPDP-specific features like 22-language support, purpose-level consent separation (as defined by DPDP), and integration with Indian regulatory workflows. You will likely need to customize or supplement them.

Does using a CMP make me compliant?

A CMP handles consent management — one part of DPDP compliance. You also need to handle data principal rights (DSR), breach notification, data processor agreements, and security safeguards. A CMP is necessary but not sufficient.

This question reveals the confusion. Your CMP vendor does not need to be a Registered Consent Manager. The registration requirement applies to entities acting as intermediaries for Data Principals — not to software vendors selling compliance tools.

Technically possible, but the DPB will likely scrutinize potential conflicts of interest. A Data Fiduciary processes data for its own purposes; a Consent Manager acts on behalf of Data Principals. Serving both roles creates tension.

What if I do not implement a CMP at all?

Without a CMP, you will need to build consent collection, storage, withdrawal, and audit capabilities in-house. This is technically possible but expensive and error-prone. Most businesses are better served by a purpose-built CMP.

Summary: What to Do Now

StepActionTimeline
1Understand that you need a CMP, not Consent Manager registrationNow
2Audit your current consent collection practicesThis month
3Evaluate CMP options (prioritize DPDP-native tools)Q2 2026
4Deploy your CMP and begin collecting consent recordsQ3 2026
5Train staff on consent withdrawal handlingQ3 2026
6Build a 6-month consent record buffer before enforcementBy Nov 2026
7Full DPDP compliance readinessBy May 2027

Ready to deploy a DPDP-compliant consent management platform? ZenoComply gives you purpose-level consent collection, 22-language support, cookie blocking, and auditable records — built for Indian businesses, priced for Indian businesses. Start your free trial today and get compliant before the deadline.

Check your DPDP compliance now

Free scan. No signup. Results in 60 seconds.

Scan Your Website arrow_forward
Need DPDP help? Chat with us