
Legacy Consent Problem Under DPDPA: A Ticking Bomb

With the Indian government gearing up to notify the draft rules under the Digital Personal Data Protection Act (DPDPA), 2023, organizations across the country are entering a critical phase of compliance. One of the most disruptive challenges businesses will face is the issue of legacy data and consent.

What Section 5(2) of the DPDPA Means

Section 5(2) of the Digital Personal Data Protection Act (DPDPA), 2023 applies to businesses that already collected personal data from individuals (called Data Principals) before the law officially comes into effect: they must take certain steps to stay compliant. The law says that the business (referred to as a Data Fiduciary) must inform individuals about:

  • What personal data they hold, and
  • Why this data was collected or used in the first place.

Once the DPDPA officially comes into effect, businesses must promptly notify individuals about the personal data they hold and the reasons for collecting it.

But that’s just the beginning.

After sending this notification, businesses must ensure they have valid and compliant consent to continue using this data. This means saying goodbye to the old way of doing things—no more “I agree to the Terms and Privacy Policy” checkboxes, and no more vague, blanket consents.

Under DPDPA, any consent collected in the past that doesn’t meet the new legal standards is no longer valid. If businesses didn’t collect proper consent earlier—or if the consent wasn’t specific, informed, and purpose-driven—they must reach out to individuals and obtain fresh consent before continuing to process their data.

And before even contacting their customers, the law expects organizations to do some housekeeping. That means conducting an internal audit to clean up outdated or irrelevant data and making sure there’s a clear reason to retain anything that remains.

Where the Problem Begins

At first glance, this might appear simple – just inform customers and ask for their consent. But in practice, this is an operational and technical minefield, especially for businesses with large, old databases. Let’s break it down with examples:

1. The Dormant Customer Problem

Consider a D2C skincare brand that has collected data from over 1.2 million users since 2019. While around 200,000 of those users are still active and regularly interact with the brand’s platform, the vast majority haven’t engaged with the brand in over two years.

Many of these dormant customers have likely changed their email addresses—either to escape spam or due to personal transitions. Some may have switched phone numbers, while others simply no longer pay attention to the brand’s emails or messages.

This creates a significant challenge under the DPDPA. The brand must now inform each customer about the personal data it holds and the specific purpose for which it is being used. More importantly, the brand must collect valid, purpose-specific consent to continue processing that data. If it cannot obtain consent, the law requires the brand to delete the data.

2. The Cross-Platform Complexity

Take the case of a fintech startup that operates across multiple channels – an app, a website, and even offline campaigns in malls and airports. Over time, customer data has flowed in from all directions: digital ad campaigns, in-person walk-ins, and third-party marketing affiliates.

This creates a serious compliance headache.

Most businesses don’t have one clear record showing when and why they got a person’s consent. In many cases, they never recorded the reason for collecting the data—whether it was for a loan offer, a newsletter, or a contest. Without this context, the consent isn’t valid under the DPDPA.

The startup now faces the enormous task of trying to untangle this legacy data. How do you accurately segment these users, link their data across platforms, and then notify them individually about what data you hold and for what purpose? And once that’s done, how do you collect fresh, DPDPA-compliant consent across fragmented customer journeys?

3. High Cost of Acquisition vs. Risk of Deletion

In competitive industries like ed-tech, fintech and e-commerce, customer acquisition costs (CAC) can range anywhere from ₹500 to ₹5000 per user, depending on the marketing funnel and campaign strategy. It’s common for users to sign up, browse course offerings, clothes or loan products, and then drop off, only to return months later when they’re ready to commit.

Now imagine a scenario where a potential student registered for a course back in 2022 but didn’t convert. The company, hoping to win them back through remarketing, held onto their data. Under the Digital Personal Data Protection Act (DPDPA), that strategy now hits a legal roadblock.

If valid, purpose-specific consent isn’t re-collected, the company is required to delete that user’s data. And if the individual can’t be reached through any current contact channel—maybe they’ve changed their phone number or email—that data is essentially as good as gone.

The result? Thousands of rupees in marketing spend per user potentially down the drain, without any return on investment. For many businesses, this could mean a painful reckoning with the true cost of legacy data retention.

4. The Operational Chaos

Now imagine a large e-commerce platform with over 10 million users launching a legacy consent campaign to comply with DPDPA. They send out SMS messages to 6 million users, emails to 8 million (with some overlap), and push notifications through their mobile app. Even with a modest response rate of just 2–5%, that still means hundreds of thousands of users are reacting—some opting in, some opting out, others asking questions, and many triggering fallback identity verification workflows.

The result? A wave of operational complexity. IT and privacy teams suddenly face a flood of compliance logs, customer support tickets, consent confirmation records, and data rectification or deletion requests. Managing this kind of volume isn’t just a technical issue—it’s a full-blown logistical challenge that could overwhelm even well-resourced organizations. Without automation, robust planning, and clearly defined processes, what seems like a simple “consent update” campaign can quickly spiral into operational chaos.
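The four scenarios above all reduce to a per-record decision: purge before notice, notify and continue, await or act on fresh consent, or delete. The following added example (not part of the original article or of any vendor product) sketches that triage over a small constructed legacy database; the record fields, the two-year dormancy threshold and the action labels are assumptions for illustration, not terms defined by the Act.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class LegacyRecord:
    user_id: str
    email: Optional[str]
    phone: Optional[str]
    purpose: Optional[str]          # None = blanket "I agree to the T&C" style consent
    retention_reason: Optional[str] # documented reason to keep the data, if any
    last_active: date
    reconsent: Optional[str]        # "granted", "declined" or None (no reply yet)

DORMANT_AFTER = timedelta(days=730)  # assumed house rule: two years without activity

def classify(rec: LegacyRecord, today: date) -> str:
    """Map one legacy record to the next action in the Section 5(2) workflow."""
    # Housekeeping first: dormant data with no documented reason to retain it
    # is purged before any notice goes out.
    if today - rec.last_active > DORMANT_AFTER and not rec.retention_reason:
        return "PURGE_BEFORE_NOTICE"
    # No working channel: neither the notice nor a consent request can be delivered.
    if not rec.email and not rec.phone:
        return "DELETE_UNREACHABLE"
    # Consent was recorded against a specific purpose: notify, then keep processing.
    if rec.purpose:
        return "CONTINUE_AFTER_NOTICE"
    # Blanket or undocumented consent is invalid; the outcome depends on the reply.
    if rec.reconsent == "granted":
        return "CONTINUE_FRESH_CONSENT"
    if rec.reconsent == "declined":
        return "DELETE_DECLINED"
    return "AWAIT_RECONSENT"

def campaign_summary(records, today: date) -> Counter:
    """Volume per action, the figure an operations team needs to size the campaign."""
    return Counter(classify(r, today) for r in records)

# Constructed sample records for illustration.
TODAY = date(2025, 6, 1)
SAMPLE = [
    LegacyRecord("u1", "a@example.com", None, "order fulfilment", None, date(2025, 5, 20), None),
    LegacyRecord("u2", "b@example.com", None, None, None, date(2022, 1, 10), None),
    LegacyRecord("u3", None, None, None, "open warranty claim", date(2022, 1, 10), None),
    LegacyRecord("u4", None, "+910000000000", None, None, date(2025, 4, 1), None),
    LegacyRecord("u5", "e@example.com", None, None, None, date(2025, 4, 1), "declined"),
    LegacyRecord("u6", "f@example.com", None, None, None, date(2025, 4, 1), "granted"),
]
```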

The Broader Business Impact

  1. Loss of Retargeting Revenue: Businesses rely on historical user data for campaigns, lookalike audiences and churn reactivation. Without consent, much of this is rendered non-compliant.
  2. Regulatory Risk: Non-compliance can lead to fines under DPDPA, including reputational damage if the issue becomes public.
  3. Tech Debt Exposure: Companies with fragmented CRMs and no consent management system will struggle to even map consent to user records.
  4. Strained Marketing Teams: Performance marketing teams must rework strategies based only on consented data, potentially shrinking reach and reducing ROI.

It’s Not Just About Data, It’s About Trust and Preparation.

The legacy consent problem isn’t just legal – it’s strategic.

The Digital Personal Data Protection Act (DPDPA) isn’t just a compliance hurdle; it is a pivotal opportunity for businesses to rebuild trust with their users and clean up years of technical and data debt. But for those who delay, the consequences could be steep—loss of valuable customer data, operational chaos, and reputational damage.

Don’t wait for disruption. Plan proactively.

Speak with Concur – your dedicated Consent Manager. Our advanced tools and strategic guidance are designed to help you implement DPDPA compliance smoothly, collect valid consents efficiently, and ensure business continuity with minimal friction. Book a consultation today and take control of your compliance journey before the deadline controls you.