DPDP to push a major reset for ad targeting and personalisation

The Indian government officially announced the Digital Personal Data Protection Rules on November 14, 2025, completing an eighteen-month process that began with the passage of the DPDP Act in August 2023. The Rules follow nationwide consultations that received 6,915 inputs from startups, industry bodies, and citizens. The rules establish a consent-driven framework following seven core principles: consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability.

The framework introducespenalties of up to Rs 250 crore for failure to maintain security safeguards, up to Rs 200 crore for not notifying breaches or violating obligations related to children, and up to Rs 50 crore for other violations. The government has phased implementation over eighteen months, giving organisations time to redesign their data infrastructure before full enforcement begins.

For advertising, this shift arrives when consumer trust has reached new lows. Research shows that 94% of consumers are more likely to stay loyal to brands that commit to transparency, with 56% remaining loyal for life when companies ensure complete transparency, yet 64% of global consumers believe companies are reckless with customer data.

Dhruv Garg, Founding Partner at the Indian Governance and Policy Project (IGAP), frames the rules as the culmination of a multi-decade process. "What began in the late 2000s with trade-linked nudges from the EU and early government papers has now matured into a full legal regime, and the final Rules make several important departures from the draft."

Third-party brokers and children's advertising face existential pressure

When asked which parts of the ecosystem will experience disruption first, Garg identifies two pressure points. "The advertising sector will face two immediate pressure points," he explains. "First, third-party data brokers such as audience aggregators, DMPs, and other intermediaries that operated without direct user relationships face existential pressure. Purpose-specific, informed consent rules effectively rule out large-scale harvesting of personal data for unspecified future targeting."

The global data broker market, valued at USD 323.1 billion in 2024, is projected to reach USD 697.6 billion by 2034. Domestic ad-tech firms relying on aggregated audience segments without direct user relationships must restructure or risk penalties reaching Rs 250 crore per violation.

"Second, children's advertising will see sharp disruption," Garg continues. "The Rules prohibit behavioural tracking and ban targeted advertising to anyone under 18. Entertainment platforms, gaming apps, ed-tech providers and toy brands cannot serve personalised ads to children.”

In this case, verifiable parental consent becomes mandatory for processing children's data and voluntary age-gating practices won’t work. Platforms need to implement robust verification protocols, adding friction that can drastically reduce monetisable child audiences which may shift the trend from behavioural to contextual advertising, according to him.

Abhijat Shukla, Vice President of Data Science at WebEngage, explains how these requirements will transform data collection practices. He says that consumer consent will effectively become a new system of record. “DPDP moves the industry toward a model where the consumer has full control and must explicitly opt in."

Brands must define the purpose for collecting each data point clearly. “Sensitive identifiers such as geolocation, biometrics, or financial data must have an explicitly stated purpose before collection. Both brands and data platforms will be bound by that promise and cannot use the data beyond the stated purpose,” Shukla continues.

Data retention windows will also shorten, with brands required to purge data after a certain period depending on enforcement guidelines.

"Additionally, DPDP will introduce the need for maintaining consent lineage," Shukla adds. "Brands must track what data was collected, when, from where, for what purpose, and how consent was captured. This information may need to be available during regulatory audits. If consent lineage is incomplete, penalties could follow. So, data lineage and auditability will become as important as data collection itself."

Eighteen months to redesign before enforcement begins

Rashmi Deshpande, Founder of Fountainhead Legal, clarifies, "With these Rules in place, long-pending questions around the functioning of the Data Protection Board, consent management, security measures for data fiduciaries, and consent requirements for children and persons with disabilities now stand settled, giving stakeholders the clarity they have been waiting for."

Cross-border data transfer restrictions and criteria for identifying Significant Data Fiduciaries will be notified later through separate orders. "The Government has also notified timelines for when different parts of the DPDP Act will take effect," Deshpande notes. "The main provisions covering applicability, notices, consent, personal data processing, fiduciary obligations, and rights of data principals will come into force in 18 months from 13 November 2025, giving businesses a clear and realistic runway to prepare."

Paritosh Desai, Chief Product Officer and Chief Marketing Officer at IDfy, identifies critical areas requiring monitoring. "The final Rules still leave several areas that marketers and advertisers must monitor closely," he says. "The first is the exact boundary between permitted contextual use of personal data and uses that qualify as targeted marketing based on personal data.”

The rules make it clear that consent is required for any activity involving personal data used for personalised outreach, but they stop short of defining how granular that consent needs to be when brands run complex, multi-step journeys across MarTech stacks, agency tools, and programmatic platforms.

According to the Dentsu's digital report 2025, programmatic buying contributed 42% (Rs 20,686 crore) to the digital media industry by the end of 2024. The treatment of legacy data remains unresolved. Many brands have audience data collected over years without provable consent documentation now required.

"A third ambiguity relates to the obligations of data processors in the advertising supply chain," Desai notes. "Programmatic platforms, demand-side systems, measurement vendors, and remarketing partners regularly process large datasets on behalf of brands. The Rules place the legal duty on the brand as the Data Fiduciary, but the exact extent to which a brand can rely on a vendor to obtain or prove consent is not clearly defined. In practice this will heighten the need for rigorous contracts, clear allocation of duties, and strong audits."

First-party data and privacy-by-design become competitive advantages

Vaibhav Velhankar, Co-Founder and Chief Technology Officer at Segumento, sees opportunity in this scenario. "The DPDP Rules mark an exciting new phase for AI in India, signalling that the future isn't just about what AI models can do, but how they are thoughtfully designed and responsibly integrated," he says.

"In AdTech, where AI drives personalisation, audience insights, and real-time decisioning, well-structured systems create clarity, foster innovation, and unlock significant growth opportunities."

Research shows that 93% of marketers believe collecting first-party data is more critical than ever, with incorporating first-party customer behavioural data into marketing strategies positively impacting customer acquisition costs by 83% and conversion by 73%.

"And in the long run, privacy-by-design does not restrict performance, it improves it," Velhankar adds. "When data is clean, consented, transparent, and responsibly governed, the resulting signals are stronger, trust is higher, and models become more accurate.”

He notes that organisations that approach AI with foresight, clarity, and purpose won't just meet international standards they will define what “responsible, high-impact AI looks like in India and set a global benchmark for combining innovation with integrity."

With this, targeting is set to evolve. 

Shukla explains how until now, personalisation and segmentation relied on collecting as many events and attributes as possible. In fact, lifecycle marketing often used hundreds of attributes to create rich consumer personas. 

“But in reality, many of those attributes do not meaningfully influence a given journey," he says. "For example, if you're trying to upsell a customer from one plan to another, you may only need five or six key attributes. So we will move away from using endless data points for each journey. Journeys will become more purpose-driven, and cohorts will form based on specific, consent-backed purposes."

During the transition period, Desai outlines preparation steps that brands need to consider. 

"Redesign consent journeys so that consent is freely given, informed, specific for each purpose, and recorded in a verifiable manner," he explains. "This includes landing pages, app flows, loyalty programmes, contest sign-ups, and any MarTech entry point."

Brands must map every flow of personal data across the advertising ecosystem, create clear legal basis for each marketing activity, and revisit vendor contracts. 

"Additionally, revisit all vendor contracts," Desai notes. "Insert clear clauses on consent obligations, data sharing limits, retention, breach notification, and audit rights. Brands will remain legally liable for unlawful processing by partners, so strong contracts and ongoing oversight are essential."

As reported earlier, research analyst Karan Taurani at Elara Capital observes that ad revenue drives between 40 and 120% of EBITDA for quick commerce platforms, Nykaa, and food-tech platforms, making the transition financially material. 

The era of casual data collection is closing, and the transition period is the final window to remove uncertainty before the rules take full effect. The opportunity now lies in treating privacy as a mandate that improves trust, data quality, and long-term business outcomes.