16th May 2025 (15 Topics)

Account Aggregators & Consent Managers under the DPDP Act

Context

The Digital Personal Data Protection (DPDP) Act, 2023 has been passed, and the Draft DPDP Rules, 2025 have been released, introducing a framework for Consent Managers (CMs). This has sparked discussions on leveraging the existing Account Aggregator (AA) model as a blueprint for rolling out consent-based data governance across sectors beyond finance.

Background (India’s Data Governance Landscape)

  • India is moving towards a more structured, privacy-respecting, and user-empowering data ecosystem. This effort is driven by:
    • The Digital Personal Data Protection (DPDP) Act, 2023: India’s landmark privacy law which gives individuals (called Data Principals) greater control over their personal data.
    • The Account Aggregator (AA) framework: A practical model already working in India’s financial sector that enables individuals to share their financial data securely, based on explicit consent.
  • As India rolls out the DPDP Act, Consent Managers (CMs) are being proposed as key players to ensure that people have full control over who uses their personal data and for what purpose. The AA model is seen as a blueprint for this broader regime.

What are Account Aggregators (AAs)?

  • Account Aggregators are digital platforms licensed by the RBI that allow individuals to:
    • View, manage, and share their financial data (like bank statements, insurance, tax info) from multiple sources.
    • Share this data securely with other institutions like lenders or investment platforms – only if they give consent.
    • Revoke consent any time they want.
  • This system does not store data – it simply acts as a secure bridge between the data holder (like your bank) and the data receiver (like a loan provider), based on user consent.
  • Significance:
    • It breaks data silos across banks, mutual funds, and insurers.
    • It makes financial services faster and more tailored.
    • Most importantly, you remain in charge of your data.


What is the DPDP Act, and what are Consent Managers?

  • The DPDP Act, 2023 aims to create a rights-based framework where:
    • Data can be collected or processed only after the user consents.
    • Consent must be free, informed, specific, and revocable.
    • Users must be able to manage and withdraw this consent easily.
  • This is where Consent Managers come in.
  • Under the DPDP regime:
    • A Consent Manager is an intermediary who helps individuals give, manage, and withdraw consent from multiple organisations (called Data Fiduciaries).
    • They act as user-friendly dashboards that work across sectors – not just finance, but also healthcare, education, employment, e-commerce, etc.
  • This mirrors the AA model but on a wider, all-sector scale.

Why is the AA Model the Blueprint?

  • The AA framework already works at scale in finance and has:
    • A strong legal foundation (via RBI’s Master Directions).
    • Real-time, machine-readable, API-based consent flows.
    • A focus on user control, privacy, and data minimisation.
  • Given this experience, it makes sense to use it as the base model for Consent Managers under the DPDP Act. This would help India avoid starting from scratch and create one interoperable, unified framework for all personal data.

Key Proposals & Needed Reforms

  • Mandatory Registration with the Data Protection Board (DPB): All Consent Managers should be officially registered to ensure accountability and legal compliance.
  • Allow Sector-Specific Consent Managers: Let different sectors (health, education, etc.) have their own consent managers, as long as they follow common technical standards.
  • Enable Commercial Sustainability: Consent Managers should be allowed to form legitimate business arrangements with Data Fiduciaries (like banks, hospitals, etc.), provided they don’t compromise user rights.

Wider Significance and Challenges

Benefits:

  • Builds trust in digital services.
  • Gives citizens more control over their data.
  • Prevents data misuse or unauthorized sharing.
  • Promotes data portability, leading to better competition and innovation.

Challenges:

  • Ensuring data security during transfers.
  • Preventing dark patterns or manipulation in consent seeking.
  • Educating citizens about how and when to give or deny consent.
  • Avoiding fragmentation between sectoral consent systems (finance, health, etc.).