India’s New Data Law Is a Wake-Up Call for Marketers: Ignore DPDP and Pay the Price

India’s new Digital Personal Data Protection Act 2023 (DPDP Act) ushers in sweeping data-privacy rules just as the country’s digital economy is booming. India now has 806 million internet users (55% of the population) and a Rs 49,000 crore (~$6 billion) digital advertising market growing 20% year-over-year. In this context, personal data is the lifeblood of modern marketing – and the DPDP Act changes the game. It sets strict new ground rules on how businesses collect, use and share consumers’ data. Marketers, advertisers and brand teams must understand these rules to avoid fines and loss of trust.

A thriving digital market, rising user distrust. India’s digital ad spend now dwarfs traditional media (digital is 44% of total ad budgets), and 56 million new users joined the internet in 2025. But consumer trust in data practices is low. In one survey only 18% of people believed companies were transparent about how they use personal data, while 82% found companies only partly transparent or not at all. A majority (61%) even suspect firms engage in “problematic” data practices (excessive collection or secondary use without consent). At the same time, over half of Indian organizations (52%) have suffered at least one data breach in the past 5 years. These trends – a surging digital economy and public anxiety about privacy – underscore why the DPDP Act is so important for marketers.

Core Principles: Consent, Purpose and Accountability

The DPDP Act is built on principles very similar to global privacy laws like the EU’s GDPR. The government explicitly says it rests on “seven core principles”: consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards and accountability. In practice, this means a marketing team must declare why it collects each piece of data and stick to that purpose. Any personal data collected must be strictly needed for that stated purpose. Marketers can no longer sweep up user data on a whim or use vague “catch-all” consent.

For marketers, the biggest change is the focus on consent. The law treats each person (a “Data Principal”) as sovereign over their own data. You must obtain explicit, informed consent before using any personal data (beyond very narrow exceptions). Consent under the Act must be free, specific, informed, unconditional, and unambiguous (per Section 6 of the law). That means no pre-checked boxes, no buried clauses, and no “bundling” consent with other terms. Each consent form should clearly itemize what data is collected and why, in plain language. Agencies should adopt a “consent-first” mindset: treat every campaign that uses personal data as something that needs opt-in permission (from each user) before it can run.

Every business that decides why and how data is processed is labeled a Data Fiduciary (essentially the equivalent of a GDPR “data controller”); any entity that processes data for a fiduciary is a Data Processor. Data fiduciaries carry the compliance burden – they must set up systems for consent, secure storage, breach response and so on. Significantly, the Act even introduces a new role called Consent Manager. A Consent Manager is an interoperable platform (run by a company in India) through which users can give, review or withdraw consent. (In effect, it’s a kind of centralized “consent registry” separate from any one brand’s site.) The rules require that consent managers be Indian-based entities. In practice, this means large companies will either build their own consent-management tools or work with approved third-party consent platforms.

Finally, the Act enshrines strong accountability and transparency duties. Firms must publish clear contact info (a Data Protection Officer or similar) for data queries. Significant Data Fiduciaries (large platforms and sensitive-data firms) will have extra duties: they must do independent security audits and data-protection impact assessments, and exercise special care with new technologies. In short, privacy is no longer just a legal box-ticking exercise – it must be built into system design and culture. As one industry leader puts it, “for most companies, compliance will not come from adding new paperwork but from rethinking how data flows within their systems”.

Data Collection and Consent Mechanisms

For marketing teams, the consent mechanism is now as important as any ad tool. The DPDP Act requires that consent requests be written as plain-language declarations. Every time you ask a user to share personal data, a separate consent notice must be issued that clearly explains what data is collected and why. This notice must be easy to read and understand – no cryptic legalese or hidden pre-checked boxes. Users must be able to give consent by a clear affirmative action (like clicking an “I agree” toggle) and they must be able to withdraw consent just as easily.

Consent withdrawal: The law guarantees every user the right to revoke consent at any time, for any reason. Marketers should therefore provide straightforward “unsubscribe” or “delete my data” buttons and honor them promptly. Technically, you must respond to any such request within 90 days; the same 90-day limit applies when a user asks to delete or correct their data. In practice, set up internal workflows so that customer-service or compliance teams can quickly locate personal records and carry out requests on demand.

Children’s data: Special rules apply to under-18s. Companies must obtain verifiable parental consent before using data of minors for profiling or marketing. The rules explicitly prohibit using certain data types (like device IDs or unique identifiers) to target ads at children, responding to a long-standing industry concern. In short, under-18 users get extra protection – and marketers must adapt campaigns to exclude under-18 data unless proper consent is in place.

Data Storage, Retention and Cross-Border Transfers

The DPDP Act also governs how long you may keep data and where you may store it. By default, personal data cannot be stored indefinitely. The notified rules state that data should not be kept beyond one year after collection, unless a specific law requires longer retention. (For example, some finance or tax laws mandate longer record-keeping.) Importantly, if you do delete a user’s data after one year, the user must be informed at least 48 hours before erasure unless the account remains active. In practice, marketers should set up automated retention policies: delete or anonymize old customer records regularly (with appropriate notice), rather than hoarding data “just in case.”

Cross-border transfers: India’s approach is somewhat different from the GDPR. The DPDP Act allows data to be sent outside India unless the government explicitly bans that country. In other words, it uses a “blacklist” approach: transfers are allowed to any country except those specifically forbidden by a government notification. (So far no country has been blacklisted, but rules may change.) Even so, marketers should stay alert: the government can impose conditions on transfers (such as ensuring an “adequacy” of protection or using standard contracts). Notably, other Indian laws can override this: for example, banking and telecom rules already require certain sensitive data to stay in India. Any company subject to sectoral localization laws (e.g. payment or telecom data) must comply with those stricter requirements alongside the DPDP Act.

In practice: if your marketing operation spans multiple countries, map out where Indian user data will reside. Use encryption and pseudonymization as extra layers of protection. And monitor any government announcements: if India ever posts a list of “blacklisted” nations or extra conditions, you will need to implement them. At a minimum, it’s wise to maintain Indian customer data on servers within India, or use cloud providers who guarantee data residency options.

Breach Notification and Penalties

Under DPDP, breaches of personal data carry steep consequences. The Act requires that any personal data breach be reported promptly. Practically, a company must notify both the Data Protection Board (the new regulator) and all affected individuals within 72 hours of discovering a breach. The notice to users must be in plain language and explain what happened, what data was involved, and what steps to take (for example, change passwords). Marketers should therefore have a breach-response plan in place: in the event of a leak (whether a hacked database or accidental email slip), you need templates and channels ready to inform customers and regulators quickly.

The penalties for non-compliance are unforgiving. The DPDP Act ties the size of the fine to the type of violation: failure to implement reasonable security safeguards (the worst offense) can bring penalties up to ₹250 crore (~$30 million) per incident. (Violations of child-consent or breach-notification rules carry fines up to ₹200 crore; other breaches are up to ₹50 crore.) For context, ₹250 crore is roughly 1% of the revenue of India’s largest tech firms – a truly punitive amount. In the words of the press release, the Act “places clear responsibilities on Data Fiduciaries to keep personal data safe” and grants individuals the “right to seek correction or removal” of their data. In other words, the law is designed both to encourage better practices and to penalize lax security.

For marketers, this means privacy compliance is a board-level priority. As one industry expert put it, the DPDP framework “sets the tone for a more disciplined and transparent data culture” and pushes organizations to build stronger internal systems. Achieving compliance should not be an afterthought or checkbox; it will require coordination among IT, legal, and marketing teams. Many companies are hiring or appointing Data Protection Officers to drive this effort (all major social media platforms and data handlers must do so within 18 months). Startups and small businesses without mature security practices should budget now for upgrades: audit your data flows, implement encryption and firewalls, and train staff on the new rules.

DPDP vs. GDPR: What’s Different?

Many Indian marketers have seen GDPR in action and may wonder how DPDP compares. At a high level, both laws share common goals: they grant users rights (access, correction, erasure) and make organizations responsible for data protection. However, there are key differences:

Basis for processing: GDPR allows multiple legal bases (contract, legitimate interest, etc.), whereas DPDP relies almost entirely on consent. There is currently no equivalent of GDPR’s “legitimate interest” exception in DPDP. For marketing, this means you generally cannot claim any purpose without user opt-in.

Scope of data: DPDP covers only digital personal data (information in electronic form). Offline or paper records are excluded unless digitized. GDPR covers both. Most digital marketing data fits DPDP’s scope, but physical customer databases (say, hard-copy loyalty cards) fall outside DPDP – though other laws might still apply.

Data subject rights: GDPR grants rights like data portability and restrictions on automated decisions, which DPDP does not explicitly provide. On the other hand, DPDP does introduce unique tools: notably the Consent Manager concept for managing permissions.

Processors vs. fiduciaries: Under GDPR, data processors (e.g. a marketing agency processing data on behalf of a brand) have direct obligations and potential liability. In DPDP, only the Data Fiduciary (the brand or platform that decides purpose) is held directly responsible. This means brands must ensure their vendors comply, because the brand ultimately faces penalties.

Breach notification: DPDP arguably has a broader breach-reporting requirement. All breaches must be reported to the government board and affected users, with relatively few exceptions. GDPR also mandates breach notification within 72 hours, but only if there is a risk to user rights; DPDP’s rule, as written, appears stricter.

In practice, any company already aligning with GDPR will have a strong head start. Key steps – such as mapping data, documenting consent and securing user rights – are common to both. But firms should not assume they’re automatically compliant. For example, India’s requirement to delete data after one year may be shorter than the period you keep data under GDPR. And Indian law’s consent-manager framework has no parallel in Europe. In short, treat DPDP as a separate mandate: audit your marketing data flows specifically against the new rules.

Industry Reactions: “Privacy by Design” in Action

Industry leaders are already waking up to the DPDP Act’s impact. Many see it as a positive push toward better data governance. Ankit Kedia of VC firm Capital-A says the law “brings clarity to how personal data is collected, stored and processed, and pushes organisations to build stronger internal systems”. Identity verification startup IDfy (a Bengaluru company chosen by the government to prototype consent systems) argues the new regime is a “pivotal shift.” Its CEO, Ashok Hariharan, stresses that privacy must move from “being a legal topic to an operational reality” – building systems where consent isn’t an afterthought and breach-readiness is built in. Likewise, privacy-tech firm Redacto highlights a “new phase of accountability” for enterprises. Its co-founder Shashank Karincheti says compliance will come from mapping every data interaction and creating a “single source of truth” for personal information. In short, several executives note that the DPDP Act will reward companies that treat regulation as a roadmap for better customer relationships, not just a nuisance.

The government’s own messages underline this collaborative tone. Officials emphasize that the rules aim to build trust in India’s digital economy. A Ministry of Electronics press release says the DPDP framework “strengthens privacy, builds public trust and supports responsible innovation”. The government is also eager to shepherd businesses through the transition. MeitY (the IT ministry) has launched initiatives like an 18-month phased rollout, a “Code for Consent” challenge to build consent-management prototypes (won by Jio, IDfy, etc.), and guidelines for consent notices. On an official level, Commerce Secretary Ashwini Vaishnaw has publicly said that regulators will work with industry to shorten compliance timelines and clarify ambiguities, showing a willingness to accommodate business concerns.

Still, some voices caution that practical challenges remain. Civil society and privacy advocates note that DPDP leaves some tricky questions unanswered – for example, it creates a committee to decide which firms are “significant” (thus subject to extra duties) and which data categories must be localized, but gives no details on the criteria. In other words, as one lawyer observes, businesses may not yet know whether they will be deemed a Significant Data Fiduciary, or what data they may have to store in India. Marketers should monitor these developments, because the government may still tighten rules (for instance, it could add sectors or data types to local-storage mandates).

Actionable Takeaways for Marketers

To stay compliant and competitive under the DPDP Act, consumer-facing businesses should take these steps now:

Audit and map data flows. Know exactly what customer data you collect, why you collect it, where it’s stored, and who can access it. Trim any data that isn’t strictly needed. DPDP’s purpose and minimisation principles mean you must justify every data field in your CRM or ad platform.

Revise consent and privacy notices. Update all signup forms, cookie banners and terms to plain-language statements of purpose. Clearly explain what personal data you’re collecting (e.g. name, email, device ID) and why (e.g. for targeted promotions). Remove any pre-ticked boxes. Ensure every consent is explicit (e.g. a checked box or “Agree” click) and provide an easy way to withdraw it later.

Implement consent management. Decide how to comply with the “consent manager” model. You may build an internal system to record and update consents, or partner with a registered consent-manager service. Plan to complete this within the government’s 12-month window. Start evaluating tech vendors or in-house solutions for fine-grained consent dashboards.

Enable user rights. Set up processes for access, correction and deletion requests. When a customer asks “what data do you have on me?”, be prepared to deliver it within 90 days. Offer a straightforward web portal or email contact (e.g. “privacy@yourcompany”) to handle such requests. Make it as easy as possible for users to opt out of marketing or delete their account.

Data retention and deletion. Configure systems to auto-delete or anonymize personal data after one year, unless retention is legally needed. If you plan to erase an active user’s data, be sure to send them a notice 48 hours beforehand. In practice, archive old marketing lists and stale user accounts regularly to avoid over-retaining.
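The consent, user-rights and retention steps above are easiest to reason about as one small ledger. The following Python example is added here to show what that looks like in code; it is not part of the original article and not a product of any vendor it names. It records a separate consent per itemised purpose, refuses processing under any purpose the user did not opt into, records withdrawal without losing the history, stamps each access request with the 90-day response deadline, and runs a two-step retention sweep: records older than one year get a 48-hour erasure notice first and are erased only after that notice period, while records under a legal hold are left alone. The class and field names, the `legal_hold` flag and the sample users are assumptions made for the example; the one-year, 48-hour and 90-day figures are the ones the article states.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Periods as the article states them; confirm against counsel before relying on them.
RETENTION_PERIOD = timedelta(days=365)   # keep personal data at most one year after collection
ERASURE_NOTICE = timedelta(hours=48)     # tell the user at least 48 hours before erasure
REQUEST_DEADLINE = timedelta(days=90)    # answer access/correction/erasure requests within 90 days


@dataclass
class Consent:
    purpose: str                          # one specific, itemised purpose, never a catch-all
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class PrincipalRecord:
    principal_id: str
    data: Dict[str, str]                  # the personal data actually collected, one entry per field
    collected_at: datetime
    consents: List[Consent] = field(default_factory=list)
    legal_hold: bool = False              # hypothetical flag: a sectoral law requires longer retention
    erasure_notice_at: Optional[datetime] = None


class ConsentLedger:
    """Per-purpose consent records plus the request and retention workflows around them."""

    def __init__(self) -> None:
        self.records: Dict[str, PrincipalRecord] = {}

    def collect(self, principal_id: str, data: Dict[str, str], purposes: List[str],
                now: datetime, legal_hold: bool = False) -> PrincipalRecord:
        # One Consent per purpose: a campaign may use the data only under a purpose the user opted into.
        rec = PrincipalRecord(principal_id, dict(data), now,
                              [Consent(p, now) for p in purposes], legal_hold)
        self.records[principal_id] = rec
        return rec

    def may_process(self, principal_id: str, purpose: str) -> bool:
        rec = self.records.get(principal_id)
        return rec is not None and any(c.purpose == purpose and c.active() for c in rec.consents)

    def withdraw(self, principal_id: str, purpose: str, now: datetime) -> bool:
        # Withdrawal is stamped, not deleted, so the ledger still shows when consent stopped.
        hits = [c for c in self.records[principal_id].consents if c.purpose == purpose and c.active()]
        for c in hits:
            c.withdrawn_at = now
        return bool(hits)

    def access_request(self, principal_id: str, now: datetime) -> dict:
        # What the user receives, plus the date by which the response is due.
        rec = self.records[principal_id]
        return {"data": dict(rec.data),
                "consents": [(c.purpose, c.active()) for c in rec.consents],
                "respond_by": now + REQUEST_DEADLINE}

    def retention_sweep(self, now: datetime) -> Tuple[List[str], List[str]]:
        """First run past the retention period sends the notice; a later run erases once 48h have passed."""
        notified, erased = [], []
        for pid, rec in list(self.records.items()):
            if rec.legal_hold or now - rec.collected_at < RETENTION_PERIOD:
                continue
            if rec.erasure_notice_at is None:
                rec.erasure_notice_at = now      # real system: also send the notice to the user here
                notified.append(pid)
            elif now - rec.erasure_notice_at >= ERASURE_NOTICE:
                del self.records[pid]
                erased.append(pid)
        return notified, erased


# Constructed sample timeline with made-up users, exercising the ledger end to end.
T0 = datetime(2026, 1, 1, tzinfo=timezone.utc)


def walkthrough() -> dict:
    ledger = ConsentLedger()
    ledger.collect("u1", {"email": "u1@example.test"}, ["newsletter"], T0)
    ledger.collect("u2", {"email": "u2@example.test"}, ["newsletter"], T0, legal_hold=True)
    return {  # dict values are evaluated in order, so each step sees the previous one's effect
        "newsletter_ok": ledger.may_process("u1", "newsletter"),
        "ads_ok": ledger.may_process("u1", "ad_targeting"),
        "withdrawn": ledger.withdraw("u1", "newsletter", T0 + timedelta(days=1)),
        "after_withdraw": ledger.may_process("u1", "newsletter"),
        "respond_by": ledger.access_request("u1", T0)["respond_by"],
        "sweep_day100": ledger.retention_sweep(T0 + timedelta(days=100)),
        "sweep_day365": ledger.retention_sweep(T0 + timedelta(days=365)),
        "sweep_47h": ledger.retention_sweep(T0 + timedelta(days=365, hours=47)),
        "sweep_48h": ledger.retention_sweep(T0 + timedelta(days=365, hours=48)),
        "remaining": sorted(ledger.records),
    }


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(step, result)
```

The two-step sweep is the point: a single cron job that deletes everything older than a year cannot satisfy the 48-hour notice, so the first pass records and sends the notice and only a later pass erases. The `legal_hold` flag is where sector-specific retention rules would plug in.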

Secure data end-to-end. Apply strong technical safeguards (encryption, firewalls, access controls) to protect user data, as required by the Act. Educate your staff on phishing and other threats – remember that 61% of breaches in India in 2023 involved compromised credentials or phishing. Having good cybersecurity will help reduce liability under DPDP’s strict security-duty clause.

Breach response plan. Design a breach-response workflow now. If personal data is leaked, you have 72 hours to notify the Data Protection Board and affected users. Prepare templates for those notifications (covering what happened, what was exposed, and steps taken) in advance. Also coordinate with legal and PR teams to handle any fallout.

Cross-border strategy. Track India’s rules on international data transfer. Until any country is blacklisted (none are yet), transfers are allowed. Still, adopt standard contractual clauses or corporate rules for international data sharing as best practice. If you operate in finance, healthcare or telecom, check sector rules – you may already be required to localize data (which DPDP acknowledges as superseding it).

Leverage GDPR readiness. If your company already complies with GDPR, reuse and adapt those policies. Many concepts overlap: consent, breach notification, data minimisation. But be sure to fill gaps: for example, DPDP requires a data protection officer and consent architecture even if your GDPR program didn’t. And notice the differences in rights – DPDP does not require a right to data portability or restrictions on automated decision-making like GDPR does.

Monitor and adapt. The DPDP Act is new, and rules will evolve. Stay tuned for further notifications by MeitY and the Data Protection Board. Watch for any changes to the 18-month rollout schedule or added requirements. In India’s dynamic regulatory environment, build flexibility: treat privacy compliance as an ongoing process, not a one-time project.

In short, treat data protection as an opportunity, not just a hurdle. Embedding privacy can build customer trust in an era when 61% of consumers already worry about shady data practices. Companies that move early – mapping their data, revamping consent flows, and strengthening security – will turn DPDP compliance into a competitive edge. As one privacy-tech investor put it, “the winners in this new phase will be the ones that treat regulation as a roadmap, not a restraint”.

Disclaimer: All data points and statistics are attributed to published research studies and verified market research.