DPDPA Consent Manager vs. CMP: Key Differences Explained
This page contains a cleaned, text-based version of publicly available content from TrustArc.com. It is provided to support knowledge retrieval and AI system understanding while preserving canonical attribution to the original source page on TrustArc.com.
Source URL: https://trustarc.com/resource/consent-manager-under-dpdpa-vs-consent-management-platform/
Content Type: resource
These two concepts are often confused because both involve the word “consent,” but they operate at fundamentally different levels, serve different purposes, and exist in different regulatory contexts.

Consent Manager Under India’s DPDPA

India’s Digital Personal Data Protection Act, 2023 (DPDPA) introduced a new concept, the “Consent Manager”, which is defined as an entity or person registered with the Data Protection Board (DPB) of India who acts as the point of contact for individuals (e.g., a user or consumer) to manage their consent across multiple organizations. The purpose of a Consent Manager is to transmit an individual’s consent preferences to a Data Provider (e.g., a bank, hospital, e-commerce platform) or, once validated, to forward or block the request for a Data Requester (e.g., a fintech, marketing firm, analytics agency). Consent Managers act on behalf of the individual, not the businesses, and do not access or store the actual data; they only mediate and authorize based on consent data. Under DPDPA, Consent Managers are not required for businesses.

- Records consent as a formal “consent artefact”
- Validates consent-based requests
- Forwards data access / withdrawal requests
- Blocks requests where valid consent does not exist

- A registered third-party intermediary: A Consent Manager must be registered with the Data Protection Board of India (DPB). It must be a company incorporated in India with adequate technical, operational, and financial capacity (minimum net worth of ₹2 crore / ~$233,000).
- Acts on behalf of the Data Principal (individual): It is accountable to the individual, not to businesses (Data Fiduciaries). It provides a single point of contact for individuals to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.
- Does not access or store personal data: The Consent Manager mediates and validates consent but must ensure that personal data shared is not readable by the Consent Manager itself; it only handles consent artefacts (records of consent).
- The DPDPA explicitly requires Consent Managers to avoid conflicts of interest with Data Fiduciaries, including those related to shareholding or key personnel relationships.
- Records consent artefacts for at least 7 years and must undergo audits reported to the DPB.

Data Fiduciaries (businesses) may optionally integrate with registered Consent Managers. It is not mandatory for every business to use one, but if they do, it is through a registered and regulated channel.

In short, a DPDPA Consent Manager is a government-registered, neutral intermediary that is designed for consumers, and is not required to be used by businesses under DPDPA. They are different from Consent Management Systems/Platforms (such as TrustArc Consent & Preference Manager), which enable businesses to lawfully collect, validate, enforce, and demonstrate consent.

A Consent Management Platform (CMP) is an organization’s tool to manage the full consent lifecycle. The purpose is to enable businesses to lawfully collect and enforce consent. It is a regulatory requirement to capture and honor consent under many global privacy laws such as the GDPR, ePrivacy Directive, and others.

- Collect and enforce valid consent for tracking
- Provide configurable consent experiences
- Maintain audit-ready records

- Not a regulated entity: It is a technology tool often deployed by businesses to display cookie banners and capture user preferences. It is not required to be registered with any authority and does not need to be a separate incorporated company.
- Operates on behalf of the business (Data Controller): Unlike the DPDPA Consent Manager, a CMP serves the business’s compliance needs. It helps the business obtain and record valid consent from website visitors before setting non-essential cookies, allows users to opt in or out of categories of cookies (e.g., analytics, advertising, functional), displays layered notices, and records consent strings.
- Handles personal data: CMPs often process consent records securely and may be treated as a Data Processor of the website operator, requiring a data processing agreement.
- No minimum financial or registration requirements from a regulatory standpoint: any company can build or provide a CMP.

In short, a cookie CMP enables businesses to lawfully collect, validate, enforce, and demonstrate user consent for trackers across websites and mobile apps. CMPs that also manage broader consent preferences, including zero- and first-party data, are commonly referred to as “Consent & Preference Managers,” though they may still be labeled simply as a “CMP.”

With TrustArc, you can manage both. As a Google-certified “Gold” CMP partner, TrustArc supports cookie and tracker consent through the TrustArc . Additionally, the TrustArc Consent and Preference Manager allows organizations to collect, manage, and centrally orchestrate user-submitted preferences across multiple consent collection channels and martech systems, ensuring those preferences are consistently honored.

| Consent Manager under DPDPA | Consent Management Platform (CMP) |
| Regulated legal entity | Software/technology product |
| Must register with India’s DPB | No regulatory registration required |
| The individual (Data Principal) | The business (Data Controller) |
| Broad personal data consent across organizations | Website/app cookie and tracker consent, zero and first party data consent and preferences |
| Cannot read personal data; consent artefacts only | May process consent and preference data |
| Must be independent; no conflict of interest with businesses | Deployed and configured by the business |
| | GDPR, ePrivacy Directive, CCPA, etc. |
| Accountable to the Data Principal | Accountable to the Data Controller |

A Consent Manager under India’s DPDPA and a Consent Management Platform (CMP) may sound similar, but they serve entirely different roles in the privacy ecosystem.

A DPDPA Consent Manager is a government-registered, independent intermediary that acts on behalf of individuals (Data Principals). Its role is to facilitate, validate, and communicate consent across multiple organizations without ever accessing personal data itself. It is neutral, regulated, and optional for businesses, designed to give users centralized control over their consent decisions.

In contrast, a Consent Management Platform (CMP) is a business-operated technology solution used to collect, manage, enforce, and demonstrate consent, typically for cookies and trackers, and it can sometimes include marketing preferences within the same solution. CMPs are not regulated entities, operate on behalf of the business (Data Controller), and are often required to comply with consent requirements under DPDPA.

A DPDPA Consent Manager empowers individuals across organizations as a trusted, regulated intermediary. A CMP enables businesses to comply with consent requirements within their own digital properties. Understanding this distinction is critical: they are complementary but not interchangeable, and a DPDPA Consent Manager is not a substitute for a CMP, nor is it mandatory for businesses to use one.