India's Digital Personal Data Protection Act — the DPDP Act 2023 — is the country's first comprehensive data privacy law, and it directly affects how marketers collect, store, use, and process personal data. The Act received presidential assent in August 2023. Rules under the Act are expected to be notified in 2025–26, after which compliance becomes mandatory.

For performance marketers, this is not a legal technicality to hand off to your lawyers. The DPDP Act changes how you can run lead generation, how you can use data for retargeting, what your CRM workflows must look like, and what penalties apply when things go wrong. This post is a plain-English breakdown — what the Act requires, where most marketers are exposed, and exactly what you need to change.

Disclaimer: This post is written for marketing practitioners and is educational in nature. It is not legal advice. Consult a qualified legal counsel for compliance guidance specific to your business.

What the DPDP Act Actually Covers

The DPDP Act governs the processing of digital personal data — any data about an individual that can identify them, collected in digital form or digitised after collection. This includes names, email addresses, phone numbers, IP addresses, device IDs, purchase history, browsing behaviour, location data, and inferred attributes (like income segment or interests derived from online behaviour).

The Act applies to the processing of digital personal data within India, and to processing outside India when it is connected with offering goods or services to individuals in India. Where your business is incorporated does not matter: if you run ads targeting Indian consumers, collect leads from Indian users, or operate an Indian ecommerce store, the DPDP Act applies to you.

Key terms defined in the Act:

  • Data Principal — the individual whose personal data is being processed (your customer or lead)
  • Data Fiduciary — the business or person determining the purpose and means of processing (you, the marketer or business)
  • Data Processor — a third party that processes data on behalf of, and on the instructions of, a Data Fiduciary (your CRM vendor, your email tool; an ad platform is your processor only for the functions it performs on your behalf)
  • Consent Manager — a registered entity through which Data Principals can give, review, and withdraw consent

The DPDP Act requires that personal data be processed only for a specific, clear purpose, and only with the individual's free, specific, informed, unconditional, and unambiguous consent, or under one of the narrow "legitimate uses" listed in section 7 of the Act (for example, data the person volunteered for a stated purpose, compliance with a legal obligation, or a medical emergency). None of those legitimate uses covers marketing. This is a significantly higher standard than what most Indian businesses currently meet.

What valid consent looks like

Under the Act, valid consent must be:

  • Free — not bundled with terms of service or made a condition of using a product
  • Specific — obtained separately for each distinct purpose (e.g., marketing emails cannot be bundled with order confirmations)
  • Informed — accompanied by a clear notice explaining what data is collected and why
  • Unambiguous — expressed through a clear affirmative action (a pre-ticked checkbox does not count)
  • Revocable — the individual must be able to withdraw consent at any time, as easily as they gave it

This means:

  • Pre-ticked "I agree to receive marketing communications" boxes on lead forms are non-compliant
  • Bundled consent (one checkbox for order updates AND promotional messages) is non-compliant
  • A website visit does not imply consent: placing retargeting pixels or cookies requires a clear, affirmative consent mechanism (such as a cookie consent banner), obtained before the tracking starts
  • Any data collected without specific consent cannot be used for marketing purposes

The consent notice requirement

Before collecting any personal data, you must provide a notice in clear, plain language (with the option to read it in English or in any of the languages listed in the Eighth Schedule to the Constitution) that explains: what personal data is being collected, the purpose for which it will be processed, how they can exercise their rights and withdraw consent, and how they can make a complaint to the Data Protection Board. This notice must be provided before or at the time consent is requested, not buried in a privacy policy linked from the footer.

Key Obligations for Data Fiduciaries

Purpose Limitation

Data collected for one purpose (e.g., processing an order) cannot be used for another purpose (e.g., retargeting ads) without separate consent.

Data Minimisation

You can only collect the personal data that is necessary for the specific purpose stated. Collecting "just in case" data is non-compliant.

Storage Limitation

Personal data must be erased once the purpose for which it was collected is no longer being served, or once the individual withdraws consent, unless retention is required by law. The Rules prescribe a period of inactivity after which a purpose is deemed no longer served, so "we might need it later" is not a retention basis.

Accuracy

You must ensure that personal data is accurate and up-to-date, particularly when it is used for decisions affecting the individual.

Security Safeguards

Reasonable security measures must be implemented to protect personal data from breaches, both in your own systems and in those of your processors. A personal data breach must be reported to the Data Protection Board and to each affected Data Principal, in the form and timeframe the Rules set.

Grievance Redressal

Data Fiduciaries must have a mechanism for individuals to raise privacy-related grievances and receive responses within specified timeframes.

Rights of Data Principals

The DPDP Act gives individuals a set of enforceable rights over their personal data. As a marketer and data fiduciary, you must build systems to honour these rights:

  • Right to access information — individuals can request a summary of what personal data you hold and how it is being processed
  • Right to correction and erasure — individuals can request correction of inaccurate data and deletion of their data when it is no longer needed
  • Right to grievance redressal — individuals can raise complaints and expect timely resolution
  • Right to nominate — individuals can nominate another person to exercise their rights in the event of death or incapacity
  • Right to withdraw consent — withdrawal must be as easy as giving consent; once received, you must stop processing for that purpose within a reasonable time and make your processors stop too (processing done before the withdrawal remains lawful)

Practically, this means you need a working "unsubscribe" or "delete my data" mechanism in your CRM and email tools — not just a legal page. If someone requests deletion, you must be able to execute it across your entire data stack, including any processors you've shared their data with.

Penalties: What You're Risking

  Maximum penalty    Violation
  ₹250 crore         Failure to take reasonable security safeguards, resulting in a personal data breach
  ₹200 crore         Failure to notify the Data Protection Board and affected individuals of a breach
  ₹200 crore         Non-fulfilment of obligations regarding children's data
  ₹150 crore         Non-fulfilment of the additional obligations placed on Significant Data Fiduciaries
  ₹50 crore          Any other non-compliance with the Act, including failure to honour Data Principal rights

These are "up to" amounts, applied per violation, and multiple violations can attract multiple penalties. For context, ₹250 crore is approximately $30 million USD: comparable in intent to GDPR fines, though the amounts are lower. The Data Protection Board of India will be the adjudicating authority for complaints and penalties.

What Marketers Must Actually Change

Lead Generation Forms

Every lead form must include a clear, un-bundled consent checkbox for marketing communications. The checkbox must be unchecked by default. The consent text must specify exactly what the person is consenting to receive and who will process their data. Using the details a person volunteers to do what they asked for (calling back about a demo request, for instance) can fall under the Act's "voluntarily provided" legitimate use, but adding them to a marketing list cannot. Forms that just collect name, email, and phone number and feed them into marketing workflows without a consent mechanism are non-compliant from the moment the rules are notified.

Meta and Google Lead Ads

Platform-level lead forms (Meta Lead Ads, Google Lead Form Extensions) typically have a privacy policy link field. Under DPDP, you will likely need more than a link — the notice provided must meet the Act's specificity requirements. Watch for guidance from the Data Protection Board on how platform-based lead collection is treated, and ensure your privacy policy is sufficiently detailed about marketing use of collected data.

Retargeting and Custom Audiences

Using website visitor data for retargeting requires valid consent (typically via cookie consent). Using CRM data (email lists) for Custom Audiences on Meta or Google, where you upload hashed emails to match against platform users, requires that the data was collected with consent that covers this specific use. Hashing protects the values in transit; it is not anonymisation, because the platform matches the hash back to a real person, so the upload is still processing of personal data. If your current lists were built without explicit consent for this purpose, they may be non-compliant.
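The consent standard above (specific per purpose, no credit for bundled consent, withdrawable) and the Custom Audience export in this section come together in code. The following is an added example, not code from the original post or from any ad platform: a small append-only consent ledger with a purpose-scoped check, used to decide which contacts may be hashed and uploaded. The ledger, contacts and purpose names are constructed for illustration (the Act defines no purpose identifiers), and the trim-and-lowercase normalisation is an assumption to verify against the platform's current matching spec.

```python
"""Purpose-scoped consent gating a hashed Custom Audience export.

Added example, not code from the original post. The consent ledger, contacts
and purpose names below are constructed for illustration; the DPDP Act does
not define purpose identifiers, and the email normalisation rule is an
assumption to be checked against the ad platform's current matching spec.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str          # one purpose per event: consent is specific (s.6(1))
    action: str           # "given" or "withdrawn"
    at: datetime
    notice_version: str   # which notice text (s.5) the person actually saw


# Constructed, append-only ledger: a withdrawal is a new event, never an edit,
# so you can show what the person consented to, when, and under which notice.
LEDGER = [
    ConsentEvent("p1", "order_updates",        "given",     _utc(2025, 3, 1),  "notice-v3"),
    ConsentEvent("p1", "marketing_email",      "given",     _utc(2025, 3, 1),  "notice-v3"),
    ConsentEvent("p1", "ad_platform_matching", "given",     _utc(2025, 3, 1),  "notice-v3"),
    ConsentEvent("p2", "order_updates",        "given",     _utc(2025, 4, 9),  "notice-v3"),
    ConsentEvent("p3", "ad_platform_matching", "given",     _utc(2024, 11, 2), "notice-v2"),
    ConsentEvent("p3", "ad_platform_matching", "withdrawn", _utc(2025, 6, 15), "notice-v2"),
]

# Constructed CRM contacts; p4 was imported with no consent record at all.
CONTACTS = {
    "p1": "  Asha.Rao@Example.com ",
    "p2": "vikram@example.com",
    "p3": "nila@example.com",
    "p4": "legacy-import@example.com",
}


def has_active_consent(ledger, principal_id: str, purpose: str,
                       as_of: Optional[datetime] = None) -> bool:
    """The latest event for (principal, purpose) decides. No event means no
    consent, and consent for a different purpose (order_updates) never counts."""
    as_of = as_of or datetime.now(timezone.utc)
    events = sorted(
        (e for e in ledger
         if e.principal_id == principal_id and e.purpose == purpose and e.at <= as_of),
        key=lambda e: e.at,
    )
    return bool(events) and events[-1].action == "given"


def normalise_email(addr: str) -> str:
    # Assumption: trim + lowercase, the normalisation the major platforms document
    # for email matching. Getting this wrong breaks matching, not privacy.
    return addr.strip().lower()


def hashed_identifier(addr: str) -> str:
    # Hashing protects the value in transit; it is not anonymisation. The platform
    # resolves the hash to a real account, so the upload is still personal data.
    return hashlib.sha256(normalise_email(addr).encode("utf-8")).hexdigest()


def export_custom_audience(ledger, contacts, purpose: str = "ad_platform_matching",
                           as_of: Optional[datetime] = None):
    """Split contacts into uploadable hashes and excluded principals with reasons,
    so the exclusions can be reviewed instead of being silently dropped."""
    upload, excluded = [], {}
    for pid, email in contacts.items():
        if has_active_consent(ledger, pid, purpose, as_of):
            upload.append(hashed_identifier(email))
        else:
            excluded[pid] = f"no active consent for purpose '{purpose}'"
    return upload, excluded


if __name__ == "__main__":
    hashes, left_out = export_custom_audience(LEDGER, CONTACTS)
    print(f"{len(hashes)} identifier(s) cleared for upload")
    for pid, why in left_out.items():
        print(f"excluded {pid}: {why}")
```

Run as a script it clears only p1: p2 consented to order updates alone, p3 withdrew, and p4 has no record. The point of keeping the ledger append-only with a notice version is that, when the Board or the individual asks, you can show exactly what was agreed to and when, not just a current boolean in a CRM field.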

Email and WhatsApp Marketing

Marketing communications via email or WhatsApp require prior consent. Consent obtained through a purchase transaction (for transactional updates) does not automatically extend to promotional messaging. You need separate, explicit consent for marketing messages. Review your current opt-in flows and ensure each channel has its own consent mechanism.

CRM and Data Retention Policies

Most Indian businesses have no formal data retention policy, so data sits in CRMs indefinitely. Under DPDP, you are required to erase data once its purpose is no longer served or the person withdraws consent, unless a law requires you to keep it. Practically, this means building retention periods into your CRM (e.g., delete inactive leads after a fixed period of inactivity, in line with the period the Rules prescribe), treating consent withdrawal as an immediate erasure trigger, and having a process for honouring deletion requests within the timeframe specified by the rules.
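The retention rules described here, together with the earlier point that a deletion must reach every processor you have shared the data with, are the kind of logic that belongs in a scheduled job rather than a policy document. Below is an added example, not code from the original post: a sweep that decides which records are due for erasure (inactivity beyond the retention period, consent withdrawn, or no remaining purpose, with legal holds overriding), and an erasure plan that is complete only when every processor holding a copy has confirmed. The records, processor names and the 18-month period are constructed assumptions; the actual inactivity period is set by the Rules and legal retention duties come from other statutes.

```python
"""Retention sweep and erasure fan-out across processors.

Added example, not code from the original post. Records, processor names and
the 18-month inactivity period are constructed assumptions: the DPDP Rules
prescribe the period after which an unused purpose is deemed no longer served
(s.8(8)), and legal retention duties come from other statutes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass
class LeadRecord:
    principal_id: str
    purposes: set               # purposes for which consent still stands
    last_activity: datetime     # last time the person engaged for those purposes
    shared_with: set            # processors holding a copy: email tool, ad platform, agency
    consent_withdrawn: bool = False
    legal_hold_until: Optional[datetime] = None   # e.g. invoice data a tax law says to keep


# Assumption: this business has chosen 18 months of inactivity as the point at
# which its marketing purposes are fulfilled. An unknown purpose raises KeyError,
# so a missing retention rule is a loud config error, not silent indefinite storage.
RETENTION = {
    "marketing_email": timedelta(days=548),
    "ad_platform_matching": timedelta(days=548),
}


def erasure_reason(rec: LeadRecord, now: datetime) -> Optional[str]:
    """Why this record must be erased now, or None if it may still be kept."""
    if rec.legal_hold_until and rec.legal_hold_until > now:
        # Retention required by law overrides erasure (s.8(7)), but it justifies
        # keeping only what the law needs, not continued marketing use.
        return None
    if rec.consent_withdrawn or not rec.purposes:
        return "consent withdrawn or no remaining purpose"
    if all(now - rec.last_activity > RETENTION[p] for p in rec.purposes):
        return "inactive beyond the retention period for every purpose"
    return None


def sweep(records, now: datetime):
    """(principal_id, reason) for every record that is due for erasure."""
    due = []
    for rec in records:
        reason = erasure_reason(rec, now)
        if reason:
            due.append((rec.principal_id, reason))
    return due


def erasure_plan(rec: LeadRecord) -> dict:
    """One task per system holding a copy. Erasure is complete only when every
    processor has confirmed (s.8(7): cease, and cause processors to cease)."""
    return {"own_crm": "pending", **{p: "pending" for p in sorted(rec.shared_with)}}


def confirm(plan: dict, system: str) -> bool:
    """Record one system's confirmation; True once no task is still pending."""
    if system not in plan:
        raise KeyError(f"{system} was never sent this principal's data")
    plan[system] = "done"
    return all(state == "done" for state in plan.values())


# Constructed sample CRM as of 1 September 2025.
NOW = _utc(2025, 9, 1)
RECORDS = [
    LeadRecord("p1", {"marketing_email"}, _utc(2025, 8, 1), {"email_tool"}),
    LeadRecord("p2", {"marketing_email", "ad_platform_matching"}, _utc(2023, 6, 1),
               {"email_tool", "ad_platform"}),
    LeadRecord("p3", {"marketing_email"}, _utc(2025, 8, 20), {"email_tool"},
               consent_withdrawn=True),
    LeadRecord("p4", {"marketing_email"}, _utc(2023, 1, 1), {"email_tool"},
               legal_hold_until=_utc(2026, 3, 31)),
]

if __name__ == "__main__":
    for pid, why in sweep(RECORDS, NOW):
        rec = next(r for r in RECORDS if r.principal_id == pid)
        print(f"{pid}: {why} -> erase from {', '.join(erasure_plan(rec))}")
```

On the sample data the sweep flags p2 (inactive since mid-2023) and p3 (withdrew consent last month), keeps p1 (active) and keeps p4 only because of the legal hold. The plan for p2 lists the CRM, the email tool and the ad platform; until the ad platform confirms, the deletion request is still open, which is exactly the gap a CRM-only "delete" button leaves.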

Vendor Contracts (Data Processors)

As a Data Fiduciary, you are responsible for how your Data Processors (your CRM vendor, email platform, analytics tool, ad agency) handle personal data. You must have contracts in place that require them to process data only as instructed, maintain security, and cooperate with Data Principal rights requests. Standard vendor terms of service are unlikely to be sufficient — you may need data processing agreements.

"The DPDP Act doesn't just create legal obligations — it changes the implicit contract between marketers and the people they're trying to reach. Consent is now the currency. Earn it properly or you can't spend it."

Getting Ready: A Practical Checklist

  • Audit every lead gen form and landing page for compliant consent mechanisms
  • Update privacy policy to meet DPDP notice requirements (purpose, retention, rights)
  • Build separate consent checkboxes for transactional vs marketing communications
  • Add a working data deletion / unsubscribe process accessible from your website
  • Review CRM data — understand what you have, where it came from, and how long you're keeping it
  • Check cookie consent banners: ensure they meet the "specific and informed" standard
  • Review Meta and Google custom audience practices against consent obtained
  • Update contracts with CRM, email, and ad vendors to include data processing clauses
  • Train your marketing team on the basics of DPDP compliance

The good news: Most of these changes are not technically complex. They're process and copy changes: consent checkbox updates, privacy policy rewrites, CRM retention rules. The one piece that needs real engineering is propagating deletions and consent withdrawals to every processor that holds a copy, and confirming they acted. The brands that act now will have cleaner data, better audience quality, and a defensible compliance posture when enforcement begins.

If you're reviewing your digital marketing practices for DPDP compliance and want help auditing your lead generation and data workflows, get in touch with the Flauntix team.


Flauntix Digital

Performance marketing and AI automation agency helping D2C and ecommerce brands grow profitably. Based in New Delhi, working globally.
