DPDP Act rules may hit e-commerce ad revenues as consent-driven data drops

The new rules, which mirror key principles of the EU's GDPR, are predicted to have an initial negative impact on e-commerce advertising and the digital ad-tech industry.

Social Samosa

The Indian government has notified the rules for the Digital Personal Data Protection Act (DPDPA)-2025, a regulation that is expected to reshape the digital ecosystem. The new rules, which mirror key principles of the European Union's GDPR, are predicted to have an initial negative impact on e-commerce advertising and the digital ad-tech industry, primarily in cases where user consent is not secured.

However, Karan Taurani, EVP, Research Analyst (Media, Retail, Consumer Discretionary and Internet) at Elara Capital, also projects a positive outcome over the long term, noting that high-quality, explicit consent could significantly raise conversion quality across the ecosystem.

Key monitorables and financial impact

Taurani highlights several areas that will determine the final impact of the law:

A primary question is whether apps will be legally mandated to allow users to continue using the service even if they deny consent for data processing. If the law mandates access despite refusal, "data signals may drop meaningfully." Conversely, if apps are allowed to restrict usage upon consent denial, user friction will rise, but "data availability stays intact." Clarity is urgently awaited on what constitutes "necessary data" for an app's core functioning and on whether "deny consent equals no service" will be legally acceptable.

Taurani noted that e-commerce companies and ad-tech platforms will be required to invest more significantly in compliance and robust consent management systems.

The negative impact on e-commerce advertising and ad-tech platforms will materialise only if users withhold consent. Taurani notes a crucial difference in consumer behaviour: "Generally, EM consumers give consent, unlike DM, where they usually don’t."

In a worst-case scenario for a market like India, where consent is not secured, there will be a near-term impact on conversions and e-commerce ad revenue. Taurani noted that the "quality of conversions may improve over the longer term, benefiting the ecosystem."

Any negative impact on ad revenue for Indian e-commerce players poses a severe risk to profitability, as "ad revenue drives 40-120% of EBITDA for Q-commerce platforms, Nykaa and food tech platforms."

Smaller, fringe players in the ad-tech ecosystem may suffer a negative impact due to compliance costs, lower conversions, and higher dependence on third-party data. This is projected to potentially benefit stronger, organised players like Affle over the long term.

Penalties and implementation timeline

The consequences of non-compliance are substantial:

  • Each instance of non-compliance may attract hefty penalties of INR 250 crore, similar to the high penalties imposed under the EU's GDPR (EUR 2mn).
  • As per checks, the DPDP Act permits penalties up to INR 2.5 billion (or 5% of turnover, whichever is higher) for violations.
  • "So far, the publicly known fines under GDPR (since launch in 2018) have exceeded EUR 5.7 billion with cases on Meta, Alphabet, H&M, etc.," Taurani noted. Consequently, platforms in India are expected "to exert higher caution in operation, near term till the models fine-tune for the new regime."
  • While the Act received assent on August 11, 2023, the core compliance requirements will be enforced over 18 months in a phased manner. Directional clarity on consent access and withdrawal is expected in eight to nine months.

First-party vs. Third-party data platforms

Taurani noted, "First-party data fiduciaries are better placed than third-party ones." Platforms like Zomato, Nykaa, Paytm, Amazon, and Flipkart, which collect deep, purchase-linked data directly from users with clear consent, are better positioned for compliance and monetisation.

Players reliant on third-party data, such as Google cookies or publisher-supplied audience segments, will face higher compliance risks, rising data-sourcing costs, and a need to verify consent provenance. This may compel programmatic ad-tech companies to invest more in their own first-party datasets.

For ad-tech companies like Affle, the shift to a consent-led data regime may cause conversions to moderate in the near term as user acquisition funnels shrink to only those who actively consent. This, however, "increases signal-density, producing a smaller yet materially more valuable user cohort," which should "lift effective conversion rates, attribution accuracy, and ROAS, offsetting the early transition impact" over time.

The DPDP Act broadly mirrors principles of the EU’s GDPR, making the European experience a relevant case study.

The GDPR triggered an immediate contraction in European programmatic activity. A Digiday Research survey cited by Taurani found that platforms noticed a "20-30% drop in ad demand for several publishers in the first few months due to missing or invalid consent strings."

Targeting volumes shrank, causing lower conversions and weaker yields. However, some publishers saw revenue rise because "GDPR concentrated advertiser demand on high-consent, high-quality inventory, pushing up CPMs." Spend consolidated toward larger, data-rich publishers with strong first-party data.

The Act introduces rigorous requirements across four main areas.

First, consent must be free, specific, informed, unconditional, and unambiguous, collected via a clear affirmative action (no pre-ticked boxes). The withdrawal of consent must be as easy as giving it, and the Act bans bundling data for unrelated purposes.

Second, platforms must explicitly list and disclose all data uses before or at collection, including the categories of personal data, the exact purposes of processing, a data-sharing map, cross-border flows, and retention periods.

Third, the treatment of children's data is described as the "strictest regime in global comparison," requiring mandatory verifiable parental consent and prohibiting targeted advertising to children, behavioural monitoring, and tracking.

Fourth, the Act requires rigorous compliance infrastructure, governance and accountability.

The duties it places on all data fiduciaries are as follows:

  • Implement reasonable security safeguards (encryption, access control, audits).
  • Maintain data-accuracy mechanisms.
  • Build grievance redressal systems with response SLAs.
  • Enable user rights: access, correction, erasure, grievance escalation.
  • Report personal data breaches to users and to the Data Protection Board.
  • Define data-retention limits and erase when the purpose is complete.

Additional duties for Significant Data Fiduciaries (SDFs):

  • Appoint a Data Protection Officer (DPO) based in India.
  • Conduct Data Protection Impact Assessments (DPIAs).
  • Undergo annual data audits by independent auditors.
  • Maintain risk assessments and mitigation plans.
  • Publish detailed transparency reports (if mandated).

Internal compliance workflow expected

  • Data inventory and mapping across all systems, with purpose-wise classification.
  • Consent-flow redesign and retention-schedule rollout.
  • An incident response plan and a breach-reporting module.
  • Appointment of a DPO / privacy officer.

Rights of data principals under the rules

  • Right of access: The data principal can ask the fiduciary for a summary of personal data processed, the identities of other fiduciaries/processors with whom sharing occurred, etc.
  • Right to correction/completion/updating/erasure: Principal may request the fiduciary to correct or complete inaccurate/incomplete personal data, or erase personal data in certain cases (unless retention is required by law).
  • Right to withdraw consent: Principal has the right to withdraw consent at any time; the fiduciary must cease processing from that point unless a legal ground exists.
  • Right to grievance redressal: Principal can make a complaint to the Board or the fiduciary’s grievance mechanism per the Rules/Act.