Two terms get used interchangeably in DPDP conversations, and they mean very different things: a Consent Management Platform (CMP) and a Consent Manager. One is software you deploy. The other is a regulated, Board-registered business. Confusing them leads companies to think they must register with the regulator when they simply need a tool — or vice versa. Here is the distinction, cleanly.
Consent Manager: a statutory, registered role
"Consent Manager" is a defined role in India's Digital Personal Data Protection Act, 2023. It is a person registered with the Data Protection Board who acts as a single, accessible point through which a Data Principal can give, manage, review, and withdraw consent — across many Data Fiduciaries — via an interoperable platform.
The DPDP Rules, 2025 set the bar to become one (Rule 4, with conditions in the First Schedule):
- Be a company incorporated in India
- Meet a minimum net worth of ₹2 crore (First Schedule, Part A)
- Satisfy fit-and-proper, technical, and interoperability conditions, and ongoing obligations in Part B — including a duty to act in the Data Principal's interest and not to act as a Data Fiduciary or Processor for the same data it manages
The registration framework for Consent Managers commences ahead of the main obligations — around November 2026.
What to do: Understand that becoming a registered Consent Manager is a deliberate business model — an interoperable consent intermediary — with capital and governance requirements. It is not something you "become" by buying software.
Consent Management Platform: software a fiduciary runs
A CMP is not a statutory term at all. It is software a Data Fiduciary deploys to do its own consent job: show notices, capture consent at signup, checkout, or on a cookie banner, store the consent record, honour withdrawal, and produce an audit trail. The fiduciary remains the accountable party; the CMP is the machinery that helps it comply.
What to do: If your goal is to collect and manage consent from your own users for your own processing, what you need is a CMP — not registration as a Consent Manager.
Side-by-side
| Dimension | Consent Management Platform (CMP) | Consent Manager |
|---|---|---|
| Nature | Software/tooling | Statutory, registered entity |
| Defined in the Act? | No | Yes — registered with the Board |
| Who uses it | A Data Fiduciary, for its own consent | Data Principals, across many fiduciaries |
| Registration | None required | Rule 4 + First Schedule (₹2 crore net worth, India-incorporated) |
| Role conflict rules | N/A | Cannot be Fiduciary/Processor for the same data |
| Who needs it | Almost every fiduciary | A small number of intermediary businesses |
Which one does your business actually need?
For the overwhelming majority of companies — D2C brands, SaaS firms, banks, hospitals, edtech — the answer is a CMP. You are a Data Fiduciary (or a Processor) who needs to capture, store, and honour consent for your own processing. You do not need to register as a Consent Manager.
You would pursue Consent Manager registration only if your *business itself* is to operate a neutral, interoperable consent intermediary serving Data Principals across many fiduciaries — a distinct venture with its own economics and the First Schedule conditions to meet.
What to do: Decide which side you are on before evaluating vendors. If you are building or buying for your own compliance, scope a CMP and skip the registration question entirely.
What a registered Consent Manager actually does
To see why the two terms are not interchangeable, picture what a registered Consent Manager is built to do. It operates a neutral, interoperable platform where a Data Principal can see, in one place, every consent they have granted across many different Data Fiduciaries — and give, review, or withdraw any of them from that single dashboard. It is an intermediary that sits between individuals and the organisations processing their data.
That model only works under strict guardrails, which is why the Rules impose them: a Consent Manager must act in the Data Principal's interest, must not simultaneously be the Fiduciary or Processor for the same data it manages, and must meet the registration, net-worth, and interoperability conditions in the First Schedule. It is, in effect, a regulated piece of public consent infrastructure.
A CMP, by contrast, serves one Data Fiduciary — it is that company's own machinery for collecting and honouring consent for its own processing. There is no neutrality requirement and no registration, because it is not standing between the individual and the wider market.
What to do: If your ambition is to operate cross-fiduciary consent infrastructure, study the Consent Manager regime. If you simply need to run your own consent well, scope a CMP.
Frequently asked questions
Do I have to register as a Consent Manager to be DPDP-compliant?
No. Registration as a Consent Manager is for entities that want to operate a neutral, interoperable consent intermediary serving Data Principals across many fiduciaries. To comply for your own processing, you need a CMP and sound process — not registration.
What does Consent Manager registration require?
The conditions live in Rule 4 and the First Schedule: be a company incorporated in India, meet a minimum net worth of ₹2 crore, satisfy fit-and-proper and interoperability conditions, and accept the Part B obligations — including a duty to act in the Data Principal's interest and not to act as a Fiduciary or Processor for the same data you manage.
When does the Consent Manager framework start?
The registration framework (Rule 4) commences ahead of the main obligations — around November 2026 — while most substantive duties begin 13 May 2027. See the compliance timeline.
Is "CMP" a term defined in the law?
No. "Consent Management Platform" is industry terminology for the software a Data Fiduciary deploys to run its own notice, consent, and rights obligations. Only "Consent Manager" is a statutory, registered role.
So what is Sammati, exactly?
A consent management platform and Data Processor — the tooling a Fiduciary uses for its own compliance. Sammati is not a Board-registered Consent Manager and does not broker consent across fiduciaries.
Could a CMP and a Consent Manager ever overlap?
Conceptually they solve different problems, but a registered Consent Manager would still need software to run its platform. The key distinction is the role, not the technology: a Consent Manager is a registered, neutral intermediary, while a CMP is a tool a single Fiduciary deploys. Buying a CMP never makes you a Consent Manager, and registering as a Consent Manager is a business decision, not a software purchase.
Where Sammati sits
To be precise about our own role: Sammati is a consent management platform (CMP) and Data Processor — not a registered Consent Manager. We provide the software a Data Fiduciary uses to run its own consent, notice, and rights obligations. We do not act as a Board-registered intermediary brokering consent across fiduciaries.
That means Sammati gives you:
- Notice and consent capture across web, app, cookie banner, and bulk channels
- Immutable, hash-chained consent records with a verifiable audit trail
- Withdrawal handling and rights workflows wired to a published grievance contact
- Deployment inside your own environment (BYOC / in-VPC)
This pairs naturally with DPDP cookie consent and Data Principal rights under DPDP, and fits into the broader compliance timeline.
Check your DPDP compliance readiness
62 questions · 15 obligation areas · Instant results · No login