
CMS vs CMP: Understanding the Backbone of Consent in the DPDPA Era

With India’s Digital Personal Data Protection Act (DPDPA), 2023 moving closer to implementation, the conversation around consent is heating up. Consent isn’t just a checkbox; it’s the core mechanism through which individuals (Data Principals) control how their personal data is used. MeitY/NeGD had called for potential CMPs for the “Code for Consent” challenge, whose vision is to build and deploy an open-source Consent Management System (CMS) that helps organizations quickly bootstrap their DPDPA compliance with open-source tools and technology. This system shall be deemed a Digital Public Good, released in the market to unlock privacy objectives for a billion Indians.

Consent Manager (or “Consent Management Platform”) is a term defined in the DPDPA, 2023, with roles and responsibilities. In this context, two terms are gaining attention: Consent Management System (CMS) and Consent Management Platform (CMP). While they sound similar, their roles and scope are quite distinct. Understanding the difference is critical for organizations preparing for compliance.

Under India’s Digital Personal Data Protection Act (DPDPA), 2023, a Consent Manager is a regulated entity defined explicitly in Section 2(g) and governed under Section 6(7) of the Act. It refers to a person or entity registered with the Data Protection Board of India (DPBI) that enables Data Principals (individuals) to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform. Essentially, Consent Managers serve as neutral intermediaries between Data Fiduciaries (organizations collecting or processing data) and Data Principals, ensuring that consent is always valid, traceable, and revocable — as required under Section 6(1)–(5) of the DPDPA.

A Consent Manager will be a regulated and reporting entity, operating under a registration framework prescribed by the Central Government. It must comply with technical and governance standards for interoperability, security, and auditability, ensuring smooth consent exchange across multiple Data Fiduciaries. This interoperability allows a Data Principal to manage all their consents — across banks, fintech apps, e-commerce, healthcare, and other digital services — through a single dashboard. Think of it as a unified privacy cockpit, where individuals can view, track, and withdraw consents and see where their personal data is stored or being processed.

In practice, the Consent Manager will rely on a backend Consent Management System (CMS) to handle machine-level operations like consent logs, verification, and API communication, while exposing a user-facing interface (CMP) for transparency and control. The government envisions this framework — much like India’s Account Aggregator model — as a Digital Public Good, ensuring citizens have one-stop visibility of their data sprawl and consent footprint across the digital ecosystem. This interoperability-first approach will help create a standardized and privacy-respecting digital infrastructure for over a billion Indians.

The Technical Core: Consent Management System (CMS)

A Consent Management System is the technical engine that drives consent-related operations within an organization. It’s responsible for implementing the rules, protocols, and data flows that ensure consent is collected, stored, and validated in compliance with DPDPA.

Recently, the National e-Governance Division (NeGD) released the BRD–CMS (Business Requirements Document – Consent Management System), which provides detailed technical guidance on how a CMS should function and what is expected of it.

According to this document, a compliant CMS should:

  • Enable collection of granular consent aligned with specific purposes and data categories.
  • Maintain consent logs and audit trails for verifiability.
  • Support withdrawal, expiry, and modification of consent in real time.
  • Facilitate secure APIs for interoperability with other systems (such as Data Fiduciaries or CMPs).
  • Ensure traceability and accountability across consent lifecycles.

In essence, think of a CMS as the engine: it powers consent operations but, in most cases, doesn’t interact directly with the end user. Its job is to ensure compliance, integrity, and automation behind the scenes.
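The requirements listed above, sketched as an added example (not code from the BRD–CMS document or any NeGD project): a minimal in-memory consent ledger with purpose- and category-bound checks, withdrawal, expiry, and a verifiable audit log. All class, field and identifier names are assumptions, and the hash chain is one possible way to make the log tamper-evident, not something the document prescribes.

```python
import hashlib, json

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentLedger:
    """Toy CMS core: purpose-bound consents plus a hash-chained audit trail."""
    def __init__(self):
        self.consents, self.log = {}, []   # consent_id -> record; append-only audit entries

    def _audit(self, event, consent_id, ts):
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        body = {"event": event, "consent_id": consent_id, "ts": ts, "prev": prev}
        self.log.append({**body, "hash": _digest(body)})

    def grant(self, consent_id, principal, fiduciary, purpose, categories, ts, expires):
        self.consents[consent_id] = dict(principal=principal, fiduciary=fiduciary,
            purpose=purpose, categories=frozenset(categories), expires=expires, withdrawn=False)
        self._audit("grant", consent_id, ts)

    def withdraw(self, consent_id, ts):
        self.consents[consent_id]["withdrawn"] = True   # takes effect on the next check
        self._audit("withdraw", consent_id, ts)

    def is_permitted(self, principal, fiduciary, purpose, category, now):
        """True only if a live consent covers this exact purpose and data category."""
        return any(c["principal"] == principal and c["fiduciary"] == fiduciary
                   and c["purpose"] == purpose and category in c["categories"]
                   and not c["withdrawn"] and now < c["expires"]
                   for c in self.consents.values())

    def verify_log(self):
        """Recompute the chain; an edited, reordered or mid-chain-deleted entry breaks it."""
        prev = "0" * 64
        for e in self.log:
            body = {k: e[k] for k in ("event", "consent_id", "ts", "prev")}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True

def demo():
    # Constructed sample data; timestamps are plain integers for readability.
    cms = ConsentLedger()
    cms.grant("c1", "dp-1", "bank-a", "kyc", ["name", "pan"], ts=100, expires=500)
    before = cms.is_permitted("dp-1", "bank-a", "kyc", "pan", now=200)
    cms.withdraw("c1", ts=250)
    after = cms.is_permitted("dp-1", "bank-a", "kyc", "pan", now=260)
    return before, after, cms.verify_log()
```

A chain like this does not detect removal of the most recent entries on its own; anchoring the latest hash outside the system would be needed for that.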

The User-Facing Layer: Consent Management Platform (CMP)

A Consent Management Platform, on the other hand, is a broader ecosystem that builds upon the CMS. It’s the interface through which Data Principals (individuals) can:

  • View and manage their given consents,
  • Update preferences or revoke consent,
  • Exercise rights such as data access, correction, or deletion,
  • And receive transparency on data usage.

CMPs often integrate multiple CMS engines or data sources to present a unified, user-friendly experience.

In the DPDPA landscape, CMPs are expected to play a critical trust role, bridging individuals and organizations. They act as the complete car, carrying the consent engine (CMS) but also providing the steering wheel, dashboard, and controls for the user.

The Relationship Between CMS and CMP

| Aspect | CMS (Consent Management System) | CMP (Consent Management Platform) |
| --- | --- | --- |
| Function | Backend engine managing consent data flow | Frontend platform enabling users to view/manage consent |
| Primary User | Organization (Data Fiduciary or Processor) | Data Principal (Individual) |
| Focus | Compliance, interoperability, auditability | Transparency, control, usability |
| Example Component | API gateway, consent repository | Web portal, mobile interface |
| Governance Reference | NeGD BRD–CMS Document | DPDPA + User Experience Guidelines (to come) |

Why This Difference Matters for DPDPA Compliance

DPDPA emphasizes valid consent — freely given, specific, informed, and unambiguous.
If an organization’s CMS fails to meet NeGD’s technical standards, it may not be able to demonstrate compliance, even if a CMP appears user-friendly.

In short:

  • A CMP without a strong CMS is like a car with a flashy dashboard but no engine.
  • A CMS without a CMP is like an engine sitting in a garage — technically functional but inaccessible to the person meant to drive it.

Implementation Readiness: The Road Ahead

Organizations preparing for DPDPA compliance should:

  1. Study the BRD–CMS document to align their internal systems with NeGD’s technical expectations.
  2. Evaluate or build CMPs that empower users to manage consent transparently.
  3. Integrate both layers seamlessly — ensuring that any consent update by a user is instantly reflected in backend records.
  4. Test for interoperability, as multiple Data Fiduciaries may rely on shared or federated consent systems in the future.

As India gears up for its data protection revolution, the Consent Management System (CMS) and Consent Management Platform (CMP) will together define how organizations respect and operationalize user consent.

The CMS ensures compliance and reliability — the engine that makes consent work.
The CMP ensures empowerment and trust — the vehicle through which users control their data journey.

Together, they form the backbone of consent governance under the DPDPA — and every organization will need both to pass the compliance litmus test.