
The Cookie Is Dead. DPDP Just Buried the Grave.

India's DPDP Act is now operational. Enforcement begins May 2027. Penalties up to ₹250 crore. Here's what every AdTech business needs to do right now.


For years, the advertising industry has been told that the third-party cookie is dying. Chrome's deprecation timeline kept moving, clean room technology evolved, alternative IDs proliferated, and the industry's response has mostly been: let's wait and see.

India just made waiting a legal liability.

The Digital Personal Data Protection Act — the DPDP Act — is now operational. The Data Protection Board of India is being constituted. Enforcement begins May 2027. Penalties reach up to ₹250 crore per violation. And the provisions of the Act are not theoretical: they directly, materially affect how every brand, publisher, DSP, SSP, data broker, agency and AdTech vendor in India operates.

The question is no longer whether DPDP will change India's advertising industry. It will. The question is whether your business will be positioned to operate cleanly within it — or whether you'll spend the next eighteen months scrambling to retrofit compliance into systems that were never designed for a consent-first world.

What the DPDP Act Actually Says: The AdTech-Specific Provisions

Most coverage of the DPDP Act has focused on consumer rights and enterprise data governance. The AdTech implications are more specific — and more urgent.

The Act establishes a consent architecture that is fundamentally incompatible with how most programmatic data flows in India currently work. Specifically:

Consent must be specific and informed. A user consenting to "personalised advertising" is not consenting to their data being sold to a data broker, modelled into an audience segment, and activated on a DSP by a brand they've never interacted with. The DPDP Act requires consent to be specific to the purpose and entity collecting the data. Broad consent catch-alls buried in terms and conditions do not meet the standard.

Consent must be freely given and revocable. The Act gives data principals (users) the right to withdraw consent at any time. Any data pipeline that doesn't have a functional consent withdrawal mechanism — and that means most of India's third-party data supply chain — is non-compliant from the moment enforcement begins.

Data use must be purpose-limited. Data collected for one purpose cannot be repurposed without fresh consent. An email address collected for a loyalty programme cannot be used to build a lookalike segment for programmatic targeting without additional, specific consent for that use.

Data fiduciaries have accountability obligations. Every entity that determines the purpose and means of processing personal data — brands, publishers, platforms — is a Data Fiduciary with legal accountability for how that data is handled, including by processors and partners downstream.

Is your programmatic supply chain DPDP-ready? The compliance infrastructure — consent management, data audits, publisher partnerships — takes 12-18 months to build properly. Businesses beginning now will be ready for May 2027. SGCube Consultants can help you understand where you stand.


The DPDP Penalty Structure: What Non-Compliance Actually Costs

The DPDP Act's penalty structure is not a symbolic deterrent. It is designed to be financially material for businesses of every scale operating in India.

DPDP Penalty Schedule (Selected Provisions)

| Violation | Maximum penalty |
|---|---|
| Failure to implement reasonable security safeguards resulting in a data breach | Up to ₹250 crore |
| Failure to notify the Data Protection Board and affected data principals of a breach | Up to ₹200 crore |
| Non-fulfilment of obligations with respect to children's data | Up to ₹200 crore |
| Non-compliance with Data Protection Board orders or provisions | Up to ₹150 crore |
| Failure to fulfil data principal rights obligations | Up to ₹50 crore |

For context: a ₹250 crore penalty is approximately US$30 million. For mid-sized publishers, agencies or AdTech vendors operating in India, this is an existential number. For large platforms, it is a material operational risk.

The Data Protection Board has investigative authority — it can initiate inquiries, demand records and conduct audits without waiting for a consumer complaint. Non-compliance discovered through proactive enforcement is not materially different from non-compliance discovered through a breach.

Why Most of India's AdTech Supply Chain Is Currently Non-Compliant

The honest assessment — and the one most AdTech businesses are avoiding — is this: if you conducted a DPDP audit of your data supply chain today, most of the personal data flowing through it would not meet the Act's consent standard.

Here's why.

India's programmatic audience data market is built on a consent architecture designed for a pre-DPDP world. Most third-party data has been collected under broad, bundled consent — a checkbox buried in an app's terms and conditions that a user accepted without reading, that covers dozens of undisclosed purposes and downstream partners.

The DPDP Act invalidates this architecture. Consent must be specific to purpose and entity. "You consent to our privacy policy" is not DPDP-compliant consent for programmatic audience targeting by an advertiser the user has never heard of.

The implications cascade through the supply chain:

  • Data brokers whose inventory is built on bundled, non-specific consent are selling non-compliant data.
  • DSPs activating audience segments without verifying consent provenance are processing non-compliant data.
  • Brands activating third-party segments for targeting are the Data Fiduciaries ultimately responsible for the consent basis of that targeting.
  • Publishers who have not built first-party consent management for their own user data are both non-compliant and competitively disadvantaged.

The DPDP Act doesn't just create compliance obligations. It creates a commercial advantage for every player in the supply chain that has invested in genuine first-party data infrastructure. As we've explored in our analysis of the programmatic supply chain, the publishers and platforms that have built direct, consented, verified audience relationships are already sitting on a commercially superior asset. DPDP makes that superiority a legal imperative, not just a strategic preference.

The brands and publishers that build DPDP-compliant data infrastructure now will have a structural competitive advantage when enforcement begins. SGCube Consultants helps AdTech businesses design data strategies that are both commercially effective and regulatory-ready.


Significant Data Fiduciaries: The Higher Obligation Tier

The DPDP Act creates a two-tier accountability structure. Most businesses will operate as standard Data Fiduciaries. But businesses designated as Significant Data Fiduciaries — entities processing large volumes of personal data, sensitive data, or data with significant potential impact — face substantially higher obligations.

For the AdTech sector, Significant Data Fiduciary designation is likely for:

  • Large-scale consumer platforms with tens of millions of registered Indian users
  • Data brokers processing personal data at scale for commercial purposes
  • AdTech infrastructure providers handling personal data across multiple third-party platforms

Significant Data Fiduciaries must appoint a Data Protection Officer, conduct periodic Data Protection Impact Assessments, submit to algorithmic transparency audits and maintain data processing records at a higher standard than standard fiduciaries.

If your business processes personal data at scale in India and you haven't yet assessed whether you meet the Significant Data Fiduciary threshold, that assessment needs to happen before the Data Protection Board begins making designations — which could happen well before the May 2027 enforcement date.

The Five Actions Every AdTech Business Should Be Taking Right Now

The compliance window is open. It will not remain open indefinitely. Here is where to begin.

Action 1: Conduct a comprehensive data audit. Map every data source in your business: where it comes from, what consent basis it was collected under, what purpose it was collected for, how it is processed, who it is shared with and how long it is retained. This audit is the foundation of everything that follows. You cannot build a compliant data practice on an inventory you don't understand.

Action 2: Build a consent management platform. If you don't have one, build one. If you have one, audit it against the DPDP standard — not the legacy standard it was built to. Specific. Informed. Purpose-bound. Freely given. Revocable. These are not aspirational qualities. They are legal requirements.

Action 3: Audit your third-party data relationships. Every data supplier relationship in your supply chain needs to be assessed for DPDP risk. What consent basis was used to collect the data you're buying? Can your supplier provide documentation of that consent? If they cannot, you are the Data Fiduciary activating non-compliant data — and the liability sits with you, not with them.

Action 4: Establish publisher-direct data partnerships. The DPDP-compliant alternative to broker data is publisher first-party data — collected directly from users, under specific consent, for disclosed purposes. Publishers who have invested in first-party infrastructure are now strategically valuable partners, not just reach vehicles. Establishing direct data partnerships with publishers whose consent architecture you can verify is both a DPDP compliance strategy and a commercial upgrade.

Action 5: Establish data governance protocols. Breach notification timelines under the DPDP Act are short. Data subject rights requests — access, correction, erasure — must be fulfilled within defined timeframes. The Data Protection Officer role (mandatory for Significant Data Fiduciaries, advisable for all) needs to be defined and resourced. These are operational changes that require planning, not last-minute implementation.

The DPDP-GEO Convergence: Why Content Strategy and Data Strategy Are Now One

There is a second-order effect of DPDP that the advertising industry hasn't fully mapped yet.

The Act's consent architecture makes it significantly harder to use personal data for audience targeting in the traditional programmatic sense. At the same time, the shift to AI-powered search — Generative Engine Optimisation, or GEO — is reducing the reach of programmatic display at the top of the funnel, as we've explored in "The Funnel Didn't Break. The Top of It Just Moved Somewhere You're Not."

These two forces converge on the same strategic conclusion: the brands that will win in India's next advertising era are the ones that invest in authority content and genuine first-party audience relationships — not the ones that continue to rely on third-party data pipelines and top-of-funnel reach mechanics.

DPDP compliance is not separate from content strategy. It is content strategy. The brands that produce authoritative, citable, GEO-optimised content are simultaneously building the audience relationships that generate DPDP-compliant first-party signals. The brands that build direct publisher relationships are simultaneously creating DPDP-compliant data partnerships and GEO-relevant authority endorsements.

This convergence is not a coincidence. It is the market resolving to the same answer from two different directions: build genuine value, build genuine relationships, and the regulatory and algorithmic environment will reward you. Continue to operate on intermediated, consent-ambiguous, attention-rented foundations, and both DPDP and GEO will erode your position simultaneously.

The Timeline You Cannot Afford to Ignore

May 2027 is eighteen months away. That sounds like a long time. It isn't — not for the scale of change required.

A proper consent management platform takes three to six months to design, build and deploy at scale. A comprehensive data audit of a complex AdTech supply chain takes two to four months. Third-party data relationship assessments, publisher partnership negotiations and data governance protocol implementation add further months. Significant Data Fiduciary compliance preparation — DPIA processes, algorithmic audit frameworks, DPO resourcing — adds more.

Businesses that begin the DPDP compliance journey in early 2026 will arrive at enforcement readiness with time to test and refine. Businesses that begin in late 2026 will be implementing under pressure, likely with material gaps. Businesses that wait until 2027 will be non-compliant from enforcement day one.

The window is open. It is not open indefinitely.

The brands and AdTech businesses that treat DPDP not as a compliance burden but as a strategic forcing function — to build the first-party data infrastructure, publisher relationships and consent frameworks they should have been building anyway — will emerge from this transition with materially stronger commercial positions than the ones that treat it as a problem to be managed.

The cookie is dead. DPDP just made sure it stays buried.