Most India SaaS founders I talk to are planning for May 2027. They should be planning for November 2026 first.
The DPDP Rules 2025 came into force in three phases. Phase I covered the Data Protection Board's formation — already done. Phase III covers the bulk of operational obligations and kicks in May 2027. Almost nobody is talking about Phase II. That's a mistake.
Phase II goes live November 13, 2026. It makes the consent manager framework mandatory. You've got six months.
What is a consent manager under DPDP — and what doesn't qualify?
A cookie banner isn't a consent manager.
Under the DPDP Act 2023, a consent manager is a Data Protection Board-registered intermediary through which a Data Principal gives, manages, and withdraws consent across one or more Data Fiduciaries via a single interoperable interface.
Under DPDP §6 and the Rules notified under it, a consent manager is a registered intermediary sitting between a Data Principal (your user) and Data Fiduciaries (you and your third-party processors). It must be:
- Registered with the Data Protection Board — you can't self-certify
- Interoperable — it must plug into a common framework so users can manage consent across multiple services from one interface
- Capable of logging consent and withdrawal — with a verifiable audit trail, not just a session flag
If you're processing personal data under consent as your legal basis — which most consumer-facing SaaS does — you need a compliant consent manager in place before November 13, 2026, or you need to document an exemption.
Why are most India SaaS teams behind on Phase II?
The DPDP Act allows consent and "legitimate uses" (§7) as two separate legal bases. A lot of companies are planning to rely on §7 to sidestep the consent manager requirement entirely. That might work — but only if you've done a documented assessment of which processing activities actually qualify, and that assessment has to exist before Phase II goes live.
If you haven't documented that assessment, you're not on legitimate use. You're just hoping.
The EY survey from February 2026 found that while DPDP awareness is high across India SaaS, implementation maturity is "highly uneven." Awareness isn't preparation.
What are the two ways to meet the November 2026 deadline?
Go the consent manager route. Map every processing activity that currently runs on consent. Identify which consent managers are or will be registered with the DPB — the board hasn't published a list yet, so you'll need to watch for that. Integrate before November 2026. Build withdrawal flows that actually work — DPDP requires withdrawal to be as easy as giving consent.
Shift to legitimate use (§7). Document the specific §7 ground for each processing activity. Run a balancing test — legitimate interest isn't a blanket exemption; you need to show the processing is necessary and proportionate. Have this dated and signed off before Phase II.
Most companies will end up doing both — some processing sits on legitimate use, some genuinely requires consent infrastructure. The worst outcome is doing neither and finding out in December 2026 that your setup doesn't qualify.
What engineering work does a DPDP consent manager actually require?
Consent manager integration isn't a two-day task. Under DPDP, every Data Fiduciary that processes personal data under consent must connect to a registered consent manager — and that connection has to be verifiable.
A compliant consent flow needs:
- A consent record store that survives database migrations
- Withdrawal propagation — when a Data Principal withdraws consent, all downstream Data Fiduciaries and processors must be notified and processing must stop
- An audit log that can be produced on request to the Data Protection Board
- Version tracking — if your privacy notice changes, existing consents need to be re-evaluated against the new version
Most teams treat this as a UI task. It's actually a data architecture project. If you start in October 2026, you won't finish in time.
Frequently asked questions
What is a consent manager under India's DPDP Act?
Under the DPDP Act 2023 and DPDP Rules 2025, a consent manager is a Data Protection Board-registered intermediary that enables Data Principals to give, manage, and withdraw consent across multiple Data Fiduciaries through a single interoperable interface. It is not a cookie banner — it requires DPB registration, interoperability, and a verifiable audit trail.
When does DPDP Phase II go into effect?
DPDP Phase II goes live on November 13, 2026. It mandates the consent manager framework for all Data Fiduciaries who process personal data under consent as their legal basis under the DPDP Rules 2025.
Can India SaaS companies use DPDP Section 7 legitimate use instead of a consent manager?
Yes, but only with a documented assessment. DPDP Section 7 allows processing under legitimate uses without a consent manager, but companies must conduct and date a proportionality assessment for each processing activity before Phase II goes live on November 13, 2026. Undocumented reliance on Section 7 does not constitute compliance.
What engineering work is required to integrate a DPDP-compliant consent manager?
A DPDP-compliant consent flow requires four engineering components: a durable consent record store that survives database migrations; withdrawal propagation to all downstream Data Fiduciaries when a Data Principal revokes consent; an audit log producible on request to the Data Protection Board; and version tracking to re-evaluate existing consents when a privacy notice changes. This is a data architecture project — teams that start in October 2026 will not finish in time.
What is the penalty for non-compliance with DPDP Phase II?
The DPDP Act 2023 provides for financial penalties up to ₹250 crore for significant data breaches and up to ₹200 crore for non-fulfilment of obligations regarding children's data. The Data Protection Board has adjudication powers and penalties are assessed per violation. Companies without a documented consent framework or legitimate use assessment face compounding exposure from November 13, 2026.
Free consent flow scan — no account required
Juro scans for whether your consent flow actually gates tracking, whether withdrawal works, and whether the audit trail is there. It won't build the consent manager for you, but it'll show you where the gaps are before you walk into Phase II blind. Install takes under five minutes.
Scan your site →