DPDP rules to crack down on marketing campaigns
Over 70 per cent of India’s MSMEs rely on targeted digital advertising channels
| Photo Credit:
Big Sale and festival Diwali Dhamaka ads are set to become a thing of the past following the notification of the Digital Personal Data Protection Rules 2025. Under the rules notified on Friday, companies have 18 months to overhaul existing mechanisms and make way for consent-driven management of personal data. Entities that fail to do so will have to pay fines between ₹200-250 crore. Experts said the requirements are going to hit marketing in a big way.
Over 70 per cent of India’s MSMEs rely on targeted digital advertising channels (Google Search, YouTube, Amazon) to reach customers, and around 60 per cent say WhatsApp for Business is critical for their direct sales and engagement, Akshay Garkel, Partner & Leader, Cyber, Grant Thornton Bharat (GTB), told businessline.
Challenges ahead
According to Nikhil Jhanji of IDfy, the DPDP norms will fundamentally reshape marketing in India. For AI-driven campaigns, companies must now rely on data that is transparently collected and explicitly consented to for specific purposes. Campaigns will need to embed consent, purpose limitation and accountability. Over time, this will push organisations towards more contextual, trust-driven engagement, where personalisation and privacy reinforce each other rather than conflict.
Firms will have to build capabilities to collect valid consent, map their data flows, and put in place grievance-mechanisms, said Garkel. This will hit companies in a big way, considering they will have to conduct a data-inventory — list all customer touchpoints (WhatsApp chat, ad cookies, CRM entries), classify data by sensitivity (children’s data, profiling), follow-up with a simple consent update (clear language, opt-in, withdraw option) and review vendor/advertising partner contracts.
Probir Roy Chowdhury, Partner, JSA Advocates & Solicitors, said all of this will drive compliance costs significantly. Until now, companies have never needed to build stringent data protection compliance mechanisms to operate in India.
“Key drivers for cost will include legal and consultancy fees, appointing data protection professionals, building, implementing and maintaining technical systems to ensure compliance, staff training and audits,” he said.
Updating T&C
Manish Sehgal, Partner at Deloitte India, said while publication of mass messages or anonymous reach out will fall considerably, marketing will not be significantly impacted.
“As long as messaging is legitimately done, there will be no impact. Nowhere does it says that you can’t market out. You have to have the right mechanism and a legitimate ground, which in this case is very likely to be a consent mechanism,” he said.
Amol Kulkarni, Director (Research), CUTS International, also pointed out that there are already several regulatory frameworks to reduce spam and scam. However, poor enforcement has led to these frameworks remaining on papers.
“Companies may simply expand the scope of terms like ‘communication’, ‘updates’ and ‘offers’ to send marketing messages with the consent of users, who may agree without understanding the implications,” said Kulkarni.
Published on November 16, 2025
