Rule 4 · Consent Manager

Consent Manager registration.

Vishwaas is built to register.

The DPDP Rules 2025 create a Consent Manager regime under Rule 4 — a registered, interoperable intermediary through which data principals manage consent. Registration is open only to India-incorporated entities meeting residency and interoperability obligations. Vishwaas is architected to register.

Book a Demo Why India-native matters →

Nov 13, 2025

DPDP Rules live

Done

Nov 13, 2026

Consent Manager registration opens

Up next

The window opens — registered Consent Managers go first.

May 13, 2027

Full enforcement · ₹250 Cr penalties

Deadline

What Rule 4 requires

Who can be a Consent Manager.

Rule 4 sets a deliberately high bar. It is not a feature you switch on — it is a registration an entity qualifies for.

India-incorporated company

A Consent Manager must be a company incorporated in India with a demonstrable net worth and governance posture. This is the threshold most global privacy tools cannot clear — incorporation is not a setting.

Data-residency obligations

Consent and the records mediated through a Consent Manager must sit within India's data-residency expectations. A platform serving consent state from an EU or US region does not meet the bar.

Interoperability obligations

A Consent Manager is an interoperable intermediary — it must let data principals view, give, manage, and withdraw consent across data fiduciaries through a common, standards-based interface, not a single-vendor silo.

What it means for the field

Foreign tools and non-India entities cannot register.

This is not a marketing distinction — it is a structural one.

Eligibility is decided at the corporate level, not the feature level

A platform incorporated outside India cannot become a registered Consent Manager no matter how complete its consent feature set. The same is true for any entity that cannot meet the residency and interoperability obligations. For a data fiduciary choosing where to anchor its consent infrastructure, this narrows the field to India-incorporated, DPDP-architected platforms — the question shifts from "does it manage consent" to "could this vendor ever participate in the Consent Manager regime at all."

Our posture

India-incorporated. Preparing to register.

We're precise about where we stand, because the regime is precise.

India-incorporated

Vishwaas AI is operated by IdentityPlus Pvt. Ltd., an India-incorporated company — the threshold question for Rule 4 eligibility is one we already meet.

DPDP-architected

The platform was built around India's law — hash-chained consent, Eighth Schedule notices, §6/§7 split, ap-south-1 residency — not retrofitted from a GDPR product.

Preparing our registration

We are preparing our Consent Manager registration in line with Rule 4 as the regime operationalises. To be exact: Vishwaas is built to register and is preparing to — it is not yet a registered Consent Manager.

Your move

What data fiduciaries should do this year.

Whether or not you adopt a Consent Manager, the architecture choices you make now decide your options later.

Anchor consent on India-eligible infrastructure

Choose a consent platform whose vendor could itself participate in the Consent Manager regime. Anchoring on an ineligible foreign tool forecloses interoperability before it begins.

Make your consent records interoperable now

Adopt hash-chained, independently verifiable consent so that when interoperability obligations land, your evidence is already in a portable, standards-friendly shape — not locked in a mutable vendor database.

Map your notices and §6/§7 split

Get your processing activities, Rule 3 notices, and consent-vs-legitimate-use split correct now. A Consent Manager mediates consent — it cannot fix an underlying model that records consent where none is required.

Plan your Consent Manager posture early.

30 minutes on Rule 4 eligibility, interoperability, and how to anchor your consent infrastructure on India-eligible architecture before the regime operationalises.

Book a Demo See the full DPDP Act mapping →