Most India SaaS founders I talk to are planning for May 2027. They should be planning for November 2026 first.
The DPDP Rules 2025 came into force in three phases. Phase I covered the Data Protection Board's formation — already done. Phase III covers the bulk of operational obligations and kicks in May 2027. Almost nobody is talking about Phase II. That's a mistake.
Phase II goes live November 13, 2026. It makes the consent manager framework mandatory. You've got six months.
What a consent manager is — and what it isn't
A cookie banner isn't a consent manager.
Under DPDP §6 and the Rules notified under it, a consent manager is a registered intermediary sitting between a Data Principal (your user) and Data Fiduciaries (you and your third-party processors). It must be:
- Registered with the Data Protection Board — you can't self-certify
- Interoperable — it must plug into a common framework so users can manage consent across multiple services from one interface
- Capable of logging consent and withdrawal — with a verifiable audit trail, not just a session flag
If you're processing personal data under consent as your legal basis — which most consumer-facing SaaS does — you need a compliant consent manager in place before November 13, 2026, or you need to document an exemption.
Why most teams are behind
The DPDP Act allows consent and "legitimate uses" (§7) as two separate legal bases. A lot of companies are planning to rely on §7 to sidestep the consent manager requirement entirely. That might work — but only if you've done a documented assessment of which processing activities actually qualify, and that assessment has to exist before Phase II goes live.
If you haven't documented that assessment, you're not on legitimate use. You're just hoping.
The EY survey from February 2026 found that while DPDP awareness is high across India SaaS, implementation maturity is "highly uneven." Awareness isn't preparation.
Two ways to handle this in the next 90 days
Go the consent manager route. Map every processing activity that currently runs on consent. Identify which consent managers are or will be registered with the DPB — the board hasn't published a list yet, so you'll need to watch for that. Integrate before November 2026. Build withdrawal flows that actually work — DPDP requires withdrawal to be as easy as giving consent.
Shift to legitimate use (§7). Document the specific §7 ground for each processing activity. Run a balancing test — legitimate interest isn't a blanket exemption; you need to show the processing is necessary and proportionate. Have this dated and signed off before Phase II.
Most companies will end up doing both — some processing sits on legitimate use, some genuinely requires consent infrastructure. The worst outcome is doing neither and finding out in December 2026 that your setup doesn't qualify.
The engineering work most teams underestimate
Consent manager integration isn't a two-day task.
A compliant consent flow needs:
- A consent record store that survives database migrations
- Withdrawal propagation — when a user withdraws consent, all downstream processors need to be notified and the processing has to stop
- An audit log that can be produced on request to the Data Protection Board
- Version tracking — if your privacy notice changes, existing consents need to be re-evaluated
Most teams treat this as a UI task. It's actually a data architecture project. If you start in October 2026, you won't finish in time.
Free consent flow scan — no account required
Juro scans for whether your consent flow actually gates tracking, whether withdrawal works, and whether the audit trail is there. It won't build the consent manager for you, but it'll show you where the gaps are before you walk into Phase II blind. Install takes under five minutes.
Scan your site →