1. Introduction
India’s digital advertising industry is at an inflection point. With the Digital Personal Data Protection Act, 2023 (DPDPA) and its Rules under active implementation, the era of frictionless, consent-free data harvesting that fuelled India’s adtech boom is drawing to a close. For brands, agencies, demand-side platforms, data management platforms, ad exchanges, and publishers, this is not merely a compliance checkbox, it is a structural challenge to business models built on opaque data pipelines and behavioural profiles assembled without users’ knowledge.
2. The “consent” standard
Section 6 of the DPDPA is the centerpiece. It requires that consent be free, specific, informed, unconditional, and unambiguous, and obtained through a clear affirmative act before processing begins. Crucially, consent must be granular. The bundled, omnibus consent popups that dominate Indian websites today, clearing users for an indeterminate range of future uses, will no longer suffice. A user who consents to personalised recommendations does not, by extension, consent to their profile being sold to third-party ad networks. Each downstream use requires its own valid basis.
Equally disruptive is the withdrawal standard: opting out must be as simple as opting in. This single requirement dismantles the dark-pattern architectures that currently populate consent management platforms across Indian digital properties.
Unlike the GDPR’s “legitimate interests” ground, which European adtech players have extensively exploited for profiling, the DPDPA offers no such commercial escape valve. The “legitimate uses” under Section 7 cover narrow statutory scenarios like medical emergencies and state functions. None extend to targeted advertising. Consent is, for all practical purposes, the only viable lawful basis for India’s adtech stack.
Further, section 9 categorically prohibits the tracking, behavioural monitoring, or targeted advertising directed at children under 18. Given that a significant slice of Indian digital users – on gaming, short-video, and social media platforms – fall into this bracket, entire verticals within the programmatic ecosystem must either implement robust age verification or exit those audience segments.
3. Who gets impacted?
Programmatic advertising and real-time bidding (RTB) are the most exposed. A typical RTB transaction, completed in milliseconds, passes user data across publishers, supply-side platforms, ad exchanges, and demand-side platforms. Under the DPDPA, every entity in this chain is a Data Fiduciary or Processor with distinct obligations. A buried publisher-level privacy policy does not cover downstream uses. Each node in the chain must have consent that specifically covers its processing activity.
FMCGand retail brands using loyalty programme data for lookalike audiences on Meta or Google face a double exposure: first, whether the original data collection included consent for advertising use; second, whether sharing hashed customer lists with a third-party platform requires fresh consent or a tightly scoped data processing agreement.
Financial services firms like banks, NBFCs, fintechs using transaction data to cross-sell products or target insurance advertisements will need explicit, purpose-specific consent for that advertising use. It cannot be bundled with the consent given at account opening. Cross-sharing within even the same financial group constitutes a new processing purpose.
OTT and gaming platforms must recognise that consent for personalised content recommendations is legally distinct from consent for targeted advertising. The two purposes must be addressed separately in consent notices.
4. Europe’s playbook could become India’s roadmap
GDPR enforcement offers a preview. In 2022, Belgium’s data protection authority found that IAB Europe’s Transparency and Consent Framework, the backbone of European programmatic consent, failed GDPR standards. France’s CNIL fined Google €150 million for making cookie rejection harder than acceptance. Meta was eventually forced to build a full consent-based advertising model for European users after regulators rejected both “contract” and “legitimate interests” as valid bases.
India’s DPDPA forecloses these debates from the outset. Platforms cannot rely on legitimate interests and they cannot hide behind contractual necessity. The question before Indian regulators will not be which legal basis was invoked. It will be whether the consent obtained was genuinely free, specific, and informed.
5. The path forward
The scale of the problem is already visible. A dipstick analysis conducted by ASCI in its white paper “Navigating Cookies: Recalibrating your cookie strategy in light of the DPDPA”, released on Data Privacy Day in 2025, examined the cookie consent practices of India’s top 50 websites, which collectively recorded 30 billion visits in December 2024 alone. The finding was stark: only 6% of those websites were ready for the granular, purpose-specific consent standard that the DPDPA demands. Cookies, the most visible tip of the adtech data-collection iceberg, are also among the least compliant. If that is the picture at the very top of India’s web traffic pyramid, the compliance deficit across the broader ecosystem is likely far deeper.
Three priorities are, therefore, non-negotiable for every adtech player operating in India. First, a full audit and redesign of consent infrastructure by replacing dark patterns with balanced, granular, purpose-specific consent flows. Second, data flow mapping across all adtech partnerships, with contracts updated to reflect DPDPA obligations. Third, an accelerated shift to first-party data strategy like consented email lists, CRM systems, loyalty datasets, etc. which will become a genuine competitive moat as third-party pipelines face compliance pressure.
Some will look to the “publicly available data” exclusion in Section 3(c)(ii) as a workaround. That temptation should be resisted. Global regulators have consistently held that making data public for social or professional purposes does not authorise its use for commercial profiling. Indian regulators are likely to take the same view.
The consent economy has arrived in India. The brands and platforms that build genuine user trust, rather than stretch statutory exceptions, will define the next chapter of Indian digital advertising.
Author

