DPDP Rules Phase 2 Notified: Consent Manager, SDF Criteria, Cross-Border Negative List

Manish Garg, Associate of (ISC)² · RingSafe
May 12, 2026
3 min read

Last updated: May 18, 2026

The Central Government has notified the second tranche of Rules under the Digital Personal Data Protection Act, 2023, operationalising the Consent Manager framework (§6), age-verification duties for children’s data (§9), criteria for Significant Data Fiduciaries (§10) and a negative-list approach to cross-border transfers (§16). DPOs should treat the next 90 days as the window to register consent flows, finalise age-gating, and inventory transfer destinations.

After the first tranche came into force earlier this year, MeitY has notified the second tranche of DPDP Rules covering the operational pillars Indian organisations have been waiting on — with concrete thresholds, registration mechanics and the architecture of the Consent Manager market.

What got notified

  • Consent Manager registration Rules — eligibility, net-worth floor, technical interoperability obligations and the DPDP Board registration process.
  • Significant Data Fiduciary (SDF) criteria — the factors the Central Government will weigh when designating an organisation under §10, along with the additional duties that follow.
  • Children’s data verification — the "verifiable parental consent" mechanics expected under §9, including reliance on government-issued identity, virtual tokens and Consent Manager flows.
  • Cross-border transfer restrictions — the negative-list model under §16, replacing the earlier whitelist proposal that had drawn industry pushback.
  • DPDP Board procedure — complaint intake, inquiry timelines and digital-by-design hearings.

Consent Manager framework — how it works

The Consent Manager (CM) is an independent intermediary registered with the DPDP Board that lets a Data Principal give, manage, review and withdraw consent across multiple Data Fiduciaries through a single interface. The architecture echoes the Account Aggregator pattern — the CM never sees the underlying personal data, only the consent artefact.

  • Registration is expected, under the Rules as notified, to require a minimum net worth, an Indian-incorporated entity and interoperable consent receipts.
  • CMs must publish a machine-readable consent schema and honour withdrawals in near real time.
  • Data Fiduciaries integrating with one CM must accept artefacts from any registered CM — portability is a core design goal.
  • Conflicts of interest with Data Fiduciaries attract heightened scrutiny.
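To make the Data Fiduciary side of this architecture concrete, here is an added Python example; it is not code from the article, from RingSafe, or from any published DPDP Consent Manager specification. The artefact field names, the shared-key HMAC signature scheme, the CM registry and the sample artefacts are all constructed assumptions. It shows the checks a fiduciary's integration layer would run on every use of personal data: the artefact must come from a registered CM (any registered CM, so portability holds), its signature must verify, it must name this fiduciary, it must not have been withdrawn or expired, and the purpose being exercised must be within the consented scope.

```python
"""Data Fiduciary-side verifier for Consent Manager consent artefacts.

Added example. The artefact schema, HMAC signing and registry below are
assumptions for illustration, not the DPDP Rules' published format.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed registry of Board-registered CMs: cm_id -> shared signing key.
# Assumption: a real deployment would hold each CM's public key instead.
CM_REGISTRY = {
    "cm-alpha": b"alpha-secret-key",
    "cm-beta": b"beta-secret-key",
}


def canonical(body):
    """Deterministic serialisation so signer and verifier hash the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_artefact(cm_id, payload):
    """Simulate a registered CM issuing a signed consent artefact (constructed)."""
    body = dict(payload, cm_id=cm_id)
    sig = hmac.new(CM_REGISTRY[cm_id], canonical(body), hashlib.sha256).hexdigest()
    return dict(body, signature=sig)


class ConsentVerifier:
    """Checks run by a Data Fiduciary before processing under a given purpose."""

    def __init__(self, fiduciary_id, registry):
        self.fiduciary_id = fiduciary_id
        self.registry = registry
        self.withdrawn = set()  # artefact ids revoked via the CM's withdrawal push

    def withdraw(self, artefact_id):
        """Honour a withdrawal from the CM; it applies from the next check onward."""
        self.withdrawn.add(artefact_id)

    def check(self, artefact, purpose, now=None):
        """Return (allowed, reason). Order matters: authenticate before trusting fields."""
        now = now or datetime.now(timezone.utc)
        key = self.registry.get(artefact.get("cm_id"))
        if key is None:
            return False, "unregistered consent manager"
        body = {k: v for k, v in artefact.items() if k != "signature"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, artefact.get("signature", "")):
            return False, "bad signature"
        if artefact["fiduciary_id"] != self.fiduciary_id:
            return False, "artefact issued for a different fiduciary"
        if artefact["artefact_id"] in self.withdrawn:
            return False, "consent withdrawn"
        if datetime.fromisoformat(artefact["expires_at"]) <= now:
            return False, "consent expired"
        if purpose not in artefact["purposes"]:
            return False, "purpose %r not consented" % purpose
        return True, "ok"


def demo():
    """Exercise the verifier on constructed artefacts; returns a dict of outcomes."""
    now = datetime(2026, 6, 1, tzinfo=timezone.utc)
    payload = {
        "artefact_id": "art-001",
        "principal_id": "dp-42",          # constructed Data Principal id
        "fiduciary_id": "fintech-x",      # constructed Data Fiduciary id
        "purposes": ["kyc", "account_servicing"],
        "issued_at": now.isoformat(),
        "expires_at": (now + timedelta(days=365)).isoformat(),
    }
    art_alpha = issue_artefact("cm-alpha", payload)
    art_beta = issue_artefact("cm-beta", dict(payload, artefact_id="art-002"))
    v = ConsentVerifier("fintech-x", CM_REGISTRY)
    results = {
        "alpha_kyc": v.check(art_alpha, "kyc", now),
        "beta_kyc": v.check(art_beta, "kyc", now),  # artefact from a second CM
        "alpha_marketing": v.check(art_alpha, "marketing", now),
        "tampered": v.check(dict(art_alpha, purposes=["kyc", "marketing"]), "marketing", now),
        "unregistered": v.check(dict(art_alpha, cm_id="cm-gamma"), "kyc", now),
    }
    v.withdraw("art-001")
    results["alpha_after_withdrawal"] = v.check(art_alpha, "kyc", now)
    results["expired"] = v.check(art_beta, "kyc", now + timedelta(days=400))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The ordering of checks is the security-relevant point: the CM identity and signature are verified before any field in the artefact is trusted, a tampered purpose list fails closed, and a withdrawal pushed by the CM is honoured on the very next check rather than at a cache expiry. The same verifier accepts artefacts from either registered CM without CM-specific code, which is what the portability requirement in the Rules implies for integrators.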

SDF criteria — are you one?

Section 10 lists the factors the Central Government may weigh when notifying an organisation as a Significant Data Fiduciary. The Rules translate those factors into illustrative thresholds.

| Factor | Threshold (illustrative) | Rationale |
|---|---|---|
| Volume of personal data processed | Above a notified annual record count (anticipated) | Scale of impact in the event of a breach |
| Sensitivity of data | Health, financial, biometric, children | Higher harm potential per record |
| Risk to electoral democracy | Platforms with content amplification at scale | Public-interest carve-out under §10 |
| Risk to sovereignty / public order | Critical infrastructure operators | National-security overlay |
| Cross-border processing intensity | Material share routed outside India | Enforcement reachability concern |

An SDF must appoint an India-resident DPO, commission an annual DPIA, and conduct a periodic audit by a Board-empanelled auditor.

Cross-border negative list approach

The earlier discussion draft contemplated a whitelist of approved jurisdictions. The notified Rules adopt the opposite default under §16: transfers are permitted unless the destination appears on a negative list maintained by the Central Government. This preserves operational flexibility for multinationals while leaving the Government room to restrict specific countries on national-security or reciprocity grounds. Sectoral regulators (RBI, IRDAI, SEBI) retain their existing data-localisation powers, so the negative list is a floor, not a ceiling.

What this means for your roadmap

  1. Map every consent-collection surface to a Consent Manager integration plan — even if you defer go-live, the schema discipline pays off now.
  2. Run a self-assessment against the SDF factors above; if you are plausibly in scope, start DPO recruitment and DPIA scoping in parallel.
  3. Inventory every cross-border transfer destination and the sectoral law that governs it; the negative list is lighter than expected but sectoral floors still bite.
  4. Operationalise verifiable parental consent in any product touching under-18 users — ed-tech, gaming, social and health platforms first.
  5. Stand up a breach-notification runbook aligned to the DPDP Board’s digital hearing process; tabletop it before the enforcement window opens.
