For years, the `916-billion Indian marketing industry has relied on an abundance of personal data to craft targeted campaigns, often without explicit user consent. Clearly, there was significant disconnect between consumers and their personal data and how the companies that collect it, use it. The proposed Digital Personal Data Protection (DPDP) Rules have the capacity to disrupt this framework, handing the lever to the consumer. “Brands must now focus on creating value exchanges where consumers willingly share data because they see tangible benefits, not just because they have no other choice,” says Surendra Singh, CEO, Brand Street Integrated.
The push for stringent data protection laws mirrors global trends akin to European Union’s General Data Protection Regulation (GDPR) that protects the privacy and security of personal data. “While laws exist, the real challenge is not just their creation but how well they are implemented and enforced,” says Chandan Bagwe, founder & director of C Com Digital.
Time to rebuild trust
The overwhelming consensus among marketers is that the DPDP Act and Rules will not only reshape how individual brands communicate with their consumers but will challenge the broader advertising ecosystem. To start with, the Rules mandate a shift from implied consent to explicit opt-ins. Pre-checked boxes and vague consent mechanisms will be things of the past. By prioritising user privacy and granular consent, it will encourage marketers to focus on genuine leads. “Marketers and advertisers are far more likely to rely on intelligent as opposed to mass data,” says Dhruv Suri, partner at PSA Legal. “With granular consent levels, only genuinely interested consumers will opt-in, improving the probability of conversions.” Contextual advertising will probably be a bigger deal now than hyper-personalisation. In other words, there could be a considerable shift away from targeting customers based on their profiles and instead focus on what they are already searching for or consuming online.
Additionally, withdrawing consent must be as seamless as granting it. That will force brands to redraw the line between privacy and commerce. “Marketers thrive on data to achieve maximum reach. The proposed DPDP Rules will require the industry to adapt by fine-tuning and updating their systems,” notes Raj Ramachandran, partner at JSA Advocates & Solicitors.
Seemingly straightforward forms that collect basic information, such as names and email addresses, will fall under the Act’s purview. Once collected, consumer data must remain confidential and used for the stated purpose. It cannot be shared without consent and must be deleted after three years. “That adds another layer of operational complexity,” says Chandan Bagwe, founder & director of C Com Digital.
Not just complexity, for marketers, these requirements translate into additional costs. The cost of storing information, maintaining inventory across systems like email, WhatsApp, and websites, and categorising it accurately is significant. Even the deletion process requires either automation or manual intervention, which incurs additional expenses. “Security, throughout the lifecycle of the data, will be paramount,” says Bagwe.
The financial burden aside, the Act will trigger marketers to think out of the box. It will prompt businesses to prioritise first-party data, leveraging loyalty programmes and direct customer engagement over third-party data. This shift could level the playing field for smaller firms, allowing them to compete through meaningful customer relationships rather than sheer data volume. A comprehensive ground-up approach will lay the foundation for effective long-term compliance, adds Mayuran Palanisamy, partner, Deloitte India.
Ambika Sharma, founder & chief strategist, Pulp Strategy, says while small businesses might face some early hurdles in the form of high compliance cost, in the long run, these regulations will foster trust. “This shift will compel brands to build deeper relationships with consumers by focusing on transparency and offering genuine value,” she says.
Going forward, brands must align with what Hemal Majithia, founder, Oktomind, refers to as the CARE framework of communication — comprising clarity, accountability, relevance, and engagement. “Marketers can no longer rely on vague consent or indefinite data retention. The DPDP Act forces us to clearly communicate why we’re collecting data, how long we’ll store it, and how it benefits the user. This isn’t just compliance; it’s about fostering trust,” he asserts. The three-year data retention limit will push them to focus on the value of experiences and products, which ultimately builds deeper customer trust, sums up Pathik Patel, founder, D2C brand Fit & Flex.