DPDPA Impact on Marketing in India

The Digital Personal Data Protection Act of 2023 (DPDPA) marks a significant milestone in India’s digital landscape as it introduces the country’s first-ever data privacy law. In an era of rapid digital evolution, the need for robust data protection regulations in India cannot be overstated. All stakeholders dealing with data must grasp the profound implications this Act will have on their operations. In this blog, we take a closer look at the DPDPA’s impact on marketing in India.

The DPDPA aims to establish more stringent compliance measures to standardize and safeguard user privacy throughout India. For marketers, in particular, it is essential to gain a comprehensive understanding of this Act and its potential impact on their activities.

Brief Background


It is estimated that by 2023, India will boast a staggering 907 million internet users, with approximately 10 million new users joining the digital realm each month. Given this explosive growth, the need for a dedicated data protection law in India becomes increasingly evident. Nations worldwide have already taken steps to enact their own data privacy laws, with the European General Data Protection Regulation (GDPR) leading the way, followed by the California Consumer Privacy Act (CCPA/CPRA) and others.

Prior to the DPDPA, Indian users relied primarily on the Information Technology Act of 2000 for data privacy concerns. However, the landscape changed in 2017 when the Supreme Court of India recognized the right to privacy as a fundamental right under Article 21 of the Indian Constitution. Despite this recognition, there were no specific regulations in place to adequately protect user data until the passage of the DPDPA in 2023.

Digital Personal Data Protection Bill

The Digital Personal Data Protection Act of 2023 (DPDPA) received presidential approval on August 11, 2023. This legislation will have a significant impact on businesses that collect data from individuals in any form. The Act provides a comprehensive framework covering aspects such as user consent for data processing, mandatory measures for businesses, penalties for non-compliance, and more.

One noteworthy aspect of this law is its extraterritorial applicability. It extends its jurisdiction beyond India’s borders to encompass data processing related to Indian users. The DPDPA defines personal data as “any data about an individual who is identifiable by or about such data.” This definition means that any information aiding in the identification of an individual, even in the absence of explicit identifiers like names, email addresses, phone numbers, or IP addresses, falls under the purview of personal data. For instance, a combination of a photograph and a company name can qualify as personal data. Consequently, the DPDPA serves as a robust guardian of user data privacy for individuals within India, regardless of their citizenship status.

To provide an example, even if an eCommerce business or marketer operates from outside India but engages with Indian users, the DPDPA applies to them and mandates compliance.

As for the effective date of this law, it will come into force upon notification by the Government of India. However, Shri Ashwini Vaishnav, the Union Minister for the Ministry of Electronics and Information Technology, has indicated that the implementation of this law may take approximately six to ten months. Therefore, all businesses involved in data collection should proactively make the necessary preparations to ensure compliance with the law within the next ten months. By the end of 2024, all businesses should have adapted to privacy-preserving technologies, especially in light of Google Chrome’s plans to phase out third-party cookies by the same year.

To meet the evolving requirements of data privacy, marketers must begin relying on first-party data, which is akin to a valuable resource. Furthermore, conducting regular data audits and implementing other essential measures will be crucial in ensuring adherence to the law.

DPDPA Implementation

Implementation of the Digital Personal Data Protection Act (DPDPA) falls under the jurisdiction of the Data Protection Board of India, an independent entity responsible for addressing complaints related to the DPDPA.

Under this legislation, all organizations are obligated to appoint two key roles:

  1. Data Protection Officer (DPO):
    • The DPO serves as a crucial link between the organization and the Data Protection Board.
    • Their primary role is to handle user grievances concerning personal data privacy.
    • DPOs are also responsible for conducting regular data protection impact assessments to ensure compliance with the law.

In case of a failure to address user concerns or comply with the DPDPA, users have the right to approach the Data Protection Board of India, which operates in a digital format. This board functions akin to a civil court, with the authority to impose penalties for non-compliance.

Additionally, there is a provision for an Appellate Tribunal. If either party involved is dissatisfied with the rulings of the Data Protection Board of India, they can file an appeal with the appellate tribunal within 60 days. The appellate tribunal is tasked with expediting cases, aiming to resolve them within six months.

The DPDPA is not limited to safeguarding the rights of Indian citizens alone; it extends its protection to non-citizens residing in India as well. The law applies to all businesses, regardless of their geographical base, if they engage with users or have customers within India. Furthermore, if a business processes user data within India, it must adhere to the regulations outlined by the Digital Personal Data Protection Act.

In terms of user consent, the law emphasizes that consent must be accompanied or preceded by a clear notice that informs users of:

  • The personal data being collected.
  • The purpose for which it will be processed.
  • How to revoke consent.
  • The process for raising complaints with the Data Protection Board.

Businesses that have already collected personal data before the law’s enactment are obliged to inform all users about the data processing procedures and seek their consent for any future processing activities.

Rights of Data Principal under DPDPA

The Digital Personal Data Protection Act of 2023 (DPDPA) in India grants users a set of four exclusive rights, designed to safeguard their privacy effectively:

  1. Right to access: Users have the entitlement to access a summary of their personal data and information about how it is shared. Additionally, they can seek details about the purpose of data processing.
  2. Right to correction & erasure: Users possess the right to withdraw their consent and request corrections or deletion of their personal data. It is the responsibility of the data protection officer to ensure that these requests are promptly addressed.
  3. Right of grievance redressal: The DPDPA ensures that users have the right to file grievances with the data protection officer. It also obligates businesses to inform users about the mechanisms available for grievance redressal.
  4. Right to nominate: Users are empowered to nominate another individual to exercise their privacy rights on their behalf. This provision is particularly valuable in cases where the user is unable to act on their own, such as when they are incapacitated or no longer present.

Impact Of The Digital Personal Data Protection Act, 2023 On Marketers

The Digital Personal Data Protection Act of 2023 carries significant implications for marketers and businesses operating in the digital sphere. It is not limited to a specific industry but has a broad-reaching impact on various sectors, including eCommerce, finance, social media, healthcare, insurance, data processing, pharmaceuticals, real estate, banking, and more.

One notable aspect of the law is its stringent regulations regarding the data processing of children, defined as individuals under the age of 18. The DPDPA explicitly prohibits businesses from tracking or collecting behavioral analytics of children for targeted advertising purposes.

While a cursory glance at the DPDPA may not reveal its full impact, a closer examination reveals a comprehensive data privacy framework within the Act. This framework has far-reaching implications for how businesses conduct their digital operations and underscores the law’s significance in protecting user privacy in India’s evolving digital landscape.

Implications of the DPDPA on Marketers

1. Data Minimization, Purpose Limitation, and Data Transparency:

  • Businesses are only permitted to collect personal data that is relevant, necessary, and strictly aligned with its intended purpose.

2. Redefining Consent:

  • Businesses must obtain clear and transparent consent from users for data processing.
  • Robust consent mechanisms, like incorporating consent manager applications, are necessary to inform users about the purpose of data collection and usage.

3. Penalties:

  • Businesses face penalties ranging from a minimum of Rs. 50 Crores to a maximum of Rs. 250 Crores if they fail to implement adequate safeguards against personal data breaches.

Actions Marketers Should Take to Mitigate the Impact of the Digital Personal Data Protection Act

1. Shift Focus to First-party Data:

  • In an era of data privacy, relying on third-party data sources is discouraged.
  • Marketers should prioritize first-party data, which is voluntarily provided by users and carries higher quality and compliance.

2. Robust Data Governance:

  • The DPDPA mandates regular data audits and data protection impact assessments.
  • Businesses must implement strong measures to protect user data, as data breaches can result in substantial penalties.

3. Enhanced Privacy-centric Marketing:

  • Marketers should focus on personalization while safeguarding user privacy.
  • Utilize privacy-centric technologies and tools offered by platforms like Meta and Google to maintain effective marketing activities without compromising privacy.

4. Understand Key Terms in the DPDPA:

  • Consent Manager: A point of contact facilitating user consent management in a transparent and accessible manner.
  • Data Fiduciary: Any business, especially a marketer or eCommerce entity, that determines the purpose and means of processing user data.
  • Personal Data: Information such as names, email addresses, phone numbers, IP addresses, or any other details enabling user identification.
  • Processing: Includes various data-related activities, from collection and storage to sharing and transmission.

Important Clauses Marketers Should Be Aware Of in the DPDPA

  • Clause 4: Grounds for processing personal data.
  • Clause 6: Guidance on ‘consent.’
  • Clause 7: Necessity of processing personal data.
  • Clause 8: Obligations of a data fiduciary (marketer or business).
  • Clause 9: Processing of personal data of children (those under 18).
  • Clauses 11, 12, 13, & 14: User rights.
  • Clause 16: Applicability of the law outside India’s territory when data is processed abroad.

The Digital Personal Data Protection Act presents both challenges and opportunities for marketers. It calls for a shift towards privacy-centric marketing strategies, emphasizing transparency and the prioritization of first-party data to create personalized user experiences. To excel in this evolving landscape, businesses must educate their teams about the Act’s provisions, conduct regular data audits, seek guidance from data privacy experts, adopt first-party data strategies, and integrate privacy-preserving technologies. By embracing these measures, marketers can not only comply with the law but also build stronger relationships with users based on trust and respect for their privacy, ultimately ensuring long-term success in the digital realm.

About Concur: Harmonizing Data Compliance

Concur is a technology company that provides a suite of enterprise solutions to help organizations manage their data compliance and other business operations. Our solutions include consent management, digital policy management, legacy customer notice guidelines, data principal rights solutions, and more. With a focus on innovation and the use of blockchain technology, Concur helps enterprises stay compliant with various regulations such as DPDPB, while streamlining their operations and enhancing overall efficiency. Additionally, we offer dedicated support through our Support Center to ensure customers have the assistance they need to achieve their compliance goals.


Gaurav Mehta
