Sector wise readiness
Consent Managers: a role you apply for, not a sector you land in
Most posts in this series are about sectors you land in by what you build. This one is different. A Consent Manager is a role you apply for, and it runs on its own registration track, not the ordinary Data Fiduciary path.
Two things people get wrong right away
The timing trap. If a vendor is pitching you a "Consent Manager" product today, pause. Registration with the Board only opens around November 2026. Anything sold before then is a consent platform for your own use. It cannot yet be a registered Consent Manager. Buying one and believing you have discharged a statutory role is the trap.
It is a capitalised, tightly conditioned role, not a light label. To register under the First Schedule you must be an India incorporated company with a net worth of at least Rs 2 crore, sound management, and an independently certified interoperable platform. It is closer to a regulated financial intermediary than a SaaS signup.
The baseline still applies, as it does to everyone
- ✅ Notice
- ✅ Consent and easy withdrawal
- ✅ Security safeguards
- ✅ Rights handling
- ✅ Grievance mechanism
- ✅ Processor contracts
- ✅ Breach response
Then the conditions specific to the role
- ✅ Registration conditions. India incorporated, at least Rs 2 crore net worth, sound management, a certified interoperable platform.
- ✅ Fiduciary duty and no conflict. Act in a fiduciary capacity for the Data Principal, avoid conflict with Data Fiduciaries, and disclose directorships and any shareholding above 2 percent.
- ✅ Blind routing. The platform must not be able to read the content it routes. This is central to the design, not an optional feature.
- ✅ Seven year consent records. Keep records of consent given, denied and withdrawn, with notices and sharing, for at least seven years, machine readable on request.
- ✅ No sub contracting, and Board approved change of control.
The better question
The better question is not "can we buy a Consent Manager tool and tick this off?"
It is "are we trying to operate as a registered Consent Manager, where none of this is optional, or do we just need a consent platform for our own compliance?"
Law creates obligations. Scale and risk influence implementation. But if you take on this role, the First Schedule conditions apply in full from the start. There is no lightweight version of a fiduciary intermediary.
Are you being sold a "Consent Manager" that cannot actually be registered yet?