All guides
ExplainersJul 19, 2026 - 6 min read

Consent Manager vs consent banner: which one does the DPDP Act require?

The most confused question in DPDP compliance. Short answer: valid consent behaviour on your website is YOUR duty; a registered Consent Manager is optional infrastructure most businesses will never need.

Who this is for
Founders deciding what to buy before May 2027
What you leave with
Know exactly which of the two you need - and what each costs you

Two very different things share the word "consent" in the DPDP world, and vendors profit from the confusion. One is a duty you cannot avoid. The other is a registered platform most businesses will never touch. Buying the wrong one wastes money; skipping the wrong one risks penalties.

The duty: valid consent on your own website

Section 6 of the Act says consent must be free, specific, informed, unconditional, and unambiguous - given by a clear affirmative action, for the specified purpose. Section 6(4) adds the part most websites fail: withdrawal must be as easy as giving consent was. In practice, for a website that uses analytics, pixels, or marketing tools, this means a consent banner that shows a plain-language notice, keeps non-essential trackers OFF until the visitor agrees, offers a real decline option, and lets the visitor change their mind later in one step. You also need to be able to show WHEN consent was given - a record.

The optional platform: a registered Consent Manager

A Consent Manager under Section 6(7) and Rule 4 is something else entirely: a company registered with the Data Protection Board that gives individuals a single interoperable dashboard to give, review, and withdraw consent across MANY businesses. Registration opens from 13 November 2026, with net-worth and governance conditions. Think of it like UPI for consent: infrastructure operated by dedicated players, useful in ecosystems like finance where one person's data moves between many institutions.

Nothing in the Act or the 2025 Rules requires a typical business to register as one or to plug into one. Your duty is the consent behaviour on your own properties. If Consent Managers become common in your industry, you may later need to interoperate - but that is a future integration, not a 2026 purchase.

So what should you actually do?

  1. Every business with trackers or marketing: get the banner behaviour right - notice, held trackers, real decline, one-step withdrawal, records. This is what enforcement will look at first, because it is visible from the outside.
  2. Check what your site does today: most banners imported from GDPR templates fire Google Analytics and Meta pixels BEFORE the visitor clicks anything. That is the gap - the banner exists, the behaviour fails. A free check shows you in one minute whether yours does this.
  3. Large fiduciaries in data-heavy ecosystems: watch the Consent Manager registrations from November 2026 and plan interoperability with counsel - alongside, not instead of, your own consent flows.

On PrivacyReady plans from Micro up, the same tag that checks your pages also serves a compliant banner with records and one-tap withdrawal - and if you later adopt a Consent Manager, they work side by side. As always: this is orientation, not legal advice; section references are there so your counsel can verify fast.

See where your website stands

Free readiness check in about a minute. No card, no signup, no code to install.

Free. No card, no signup, about a minute.