India's data-protection regime crossed two thresholds in the same week: the Data Protection Board opened its first adjudication hearing — the children's-data case against the gaming platform served notice in July — and the government issued the first six consent-manager licences, standing up the plumbing that makes the Act's central abstraction operational.
The adjudication's stakes exceed its facts. The gaming case tests the provisions with the statute's highest penalty band and its clearest evidentiary trail: age-gate flags the platform's own systems recorded, behavioural-advertising profiles built on users those flags identified as minors. The board's first written order will establish the standard of 'verifiable parental consent' every consumer platform in the country must engineer against — and signal whether first-round enforcement prices remediation or deterrence.
The consent managers are the regime's more original wager. Licensed intermediaries through which individuals can view, grant and withdraw permissions across every fiduciary that holds their data — a single dashboard for one's digital consents — exist nowhere else at this scale. The first six licensees span a payments major, two data-aggregator veterans of the account-aggregator framework, and three startups; their interoperability testing with large fiduciaries begins next month.
The account-aggregator precedent is the optimists' exhibit: the same architecture in finance went from licence to two hundred million linked accounts in five years. The pessimists' exhibit is the same: adoption ran through regulatory mandate, and the DPDP rules stop short of mandating consent-manager integration.
Between the hearing and the licences, the regime's character is setting. The board's autumn orders will tell the market what violations cost; the consent dashboards will tell citizens what the law gave them. Two years after passage, the Act is finally both.
