In an age where even India’s biggest celebrities have fallen prey to data breaches, it’s clear that no one is immune, not even the common man. In response to this growing threat, the government has introduced the draft Digital Personal Data Protection (DPDP) Rules, 2025. But will these new regulations, if implemented, be effective in preventing such breaches and safeguarding personal data?
Over the past five years, we’ve witnessed alarming data leaks from prominent names like HDFC Life, RailYatri, Star Health, Dominos, Zivame, Dr. Reddy’s, and Boat, exposing private user information such as addresses, phone numbers, and even bank details. As these breaches grow more frequent and severe, the stakes couldn’t be higher. For brands, the implications are equally significant. In a world where first-party data fuels personalised marketing campaigns, predictive personalisation, and AI-driven customer experiences, the new rules prompt an important question: Could this be the beginning of the end for data as the ultimate marketing asset? As the DPDP Rules, 2025, open for public comment, businesses and users alike must grapple with whether these guidelines will pave the way for a secure digital future—or create a labyrinth of compliance challenges for brands in a data-driven world.
NEED FOR DPDP RULES
On January 3, 2025, the Union Ministry of Electronics and Information Technology (MeitY) unveiled the draft DPDP Rules, 2025, marking a significant milestone in India’s digital governance landscape. The draft rules, framed under the landmark Digital Personal Data Protection Act, 2023, are open for public consultation until February 18, 2025, providing an opportunity for stakeholders to shape the nation’s privacy ecosystem.
“There is criticism surrounding the draft DPDP Rules, 2025. However, the rules are intended to operationalise India’s Digital Personal Protection Act, 2023, and are open for public feedback. If the public, stakeholders or experts have any concerns, they should provide comments to allow the Government to amend and improve the draft. This is a huge step toward implementing India’s data protection law, clarifying protocols for data breaches and outlining key requirements for data fiduciaries, such as consent management, security safeguards, and the processing of children’s data. The rules also address the operations of the data protection office and state-led processing for subsidies or services,” states Sajai Singh, Partner, JSA Advocates & Solicitors.
While further explaining how the draft rules provide much-needed clarity and guidance for businesses to determine their compliance requirements, he says, “For instance, if an advertiser collects personal data from data principals, it is classified as a data fiduciary with clearly defined obligations. If, based on the data, the entity qualifies as a significant data fiduciary, its obligations become more stringent. Similarly, businesses acting as consent managers must adhere to specific registration and other obligations. Each business must first identify its classification and then ensure compliance with the finalised rules once notified.”
Highlighting the benefits and challenges of the draft rules, Ankit Sharma, Senior Director and Head - Solutions Engineering, Cyble, explains, “The DPDP Act marks the start of statutory personal data protection regulation, built on over five years of debate. While the law provides necessary scaffolding, it is not sufficient for full data privacy. It is modest and pragmatic, imposing lower costs on Indian businesses compared to earlier versions, though at times to the detriment of privacy. Significant discretionary power lies with the government, making its commitment to privacy crucial. Also, it does not directly address cybercrimes beyond personal data breaches, such as ransomware or phishing attacks. Additionally, non-digital and non-personal data leaks fall outside its purview, leaving certain types of data unprotected. Lastly, while the Act strengthens data protection measures, it lacks explicit mechanisms for collaboration with law enforcement to address large-scale cybercrime incidents, which limits its scope in tackling broader cybersecurity challenges.”
“As the emphasis is on consent-based processing, data minimisation, and privacy-by-design principles, the DPDP Rules, 2025, draw some parallels with global frameworks like the EU’s GDPR,” explains Devroop Dhar, Co-Founder & Managing Director, Primus Partners. However, implementing these rules in India presents unique challenges. India’s vast linguistic and cultural diversity requires compliance tools and frameworks that go beyond those used in smaller, more uniform regions. Dhar adds, “India’s focus on data sovereignty and localisation may impose restrictions on international data transfers, posing hurdles for global platforms relying on cloud infrastructure outside the country.” Additionally, the gap in digital literacy could hinder many citizens from understanding their data protection rights. Despite these challenges, the rules provide a flexible framework tailored to India’s needs while aligning with international privacy standards.
IMPACT ON MARKETING
The draft DPDP Rules will bring significant changes in how marketers collect, process, and manage personal data, but does this also signal the end of data’s reign as the ultimate marketing asset?
“For brands and marketers, the draft DPDP rules present both an opportunity and a challenge,” says Dr. Ravinder Varma, Brand Manager, Naturell India Pvt. Ltd. (RiteBite Max Protein). A key requirement is the refinement of data collection mechanisms, including clear, user-friendly consent processes and robust parental consent systems for minors. Dr. Varma notes, “Such transparency is a great source of earning loyalty from consumers, making brands more accountable for data privacy.” However, operational compliance comes at a cost. Brands will face stricter data retention rules and the need to enhance consent systems, requiring investments in technology, automation, and training. While these investments may strain resources initially, they set the foundation for sustainable and ethical growth in a competitive landscape. Balancing personalisation with compliance will also push brands to innovate, prioritise first-party data, and engage directly with consumers for long-term strategies.
“In the MarTech ecosystem, the focus has shifted to first-party data—information collected directly from consumers with their consent through channels like websites or apps,” notes Ankur Gattani, Chief Growth Officer, WebEngage. He cites an example: “Ticking a box on Amazon to receive order updates illustrates this approach.” However, Gattani warns that even minor privacy violations can pose significant legal and reputational risks.
With increased consumer awareness of privacy rights and stricter penalties, brands must safeguard their touchpoints to avoid potential fallout. Cold outreach, such as unsolicited calls resulting from data leaks at malls or petrol pumps, is also under scrutiny. The new regulations aim to curb these practices, transforming direct marketing. While reducing nuisance calls benefits consumers, balancing protection with business needs is challenging, particularly for businesses reliant on such outreach. “Technologically, the rules emphasise data deletion requests and traceability of past communications, requiring platforms to evolve to ensure compliance while meeting brand objectives,” adds Gattani.
“One of the most notable changes is the introduction of a new entity in the digital advertising ecosystem: the Consent Manager,” explains Vishal Rupani, Co-Founder, Sprect.com. “This will enable brands to track and manage user consent more effectively across platforms. For example, an e-commerce brand must obtain explicit consent from users before using their data for personalised offers.” While this can streamline compliance, Rupani emphasises that “brands must handle user consent with utmost care, as mismanagement could lead to reputational damage, penalties, and a loss of customer trust.”
For users, the DPDP rules grant greater control over their data, including clear communication about its usage and the ability to revoke consent when needed. Although this enhances transparency and the online experience, Rupani notes that poorly executed consent requests could frustrate users, making the process feel cumbersome or annoying.
“The new rules introduce accountability to advertisers and data processors, similar to that in other regions globally, and ensure increased safety and privacy for users. For advertisers and content publishers, this ‘cookie-pocalypse’ exercise means safeguarding user data, including the implementation of mechanisms such as obtaining consent for the processing of data, as well as its storage and security,” opines Siddharth Kelkar, Managing Director, India and MENA, AnyMind Group.
Speaking about the impact of DPDP rules in terms of increased costs for clients, especially for SMBs, he adds, “SMBs can strategically leverage support for compliance from trusted partners and also use tools from companies with experience managing and adapting to data regulations in other regions, as these companies are flexible and experienced enough to provide solutions that comply with various data regulations.”
IMPACT ON THE USE OF AI
The new rules will have a profound impact on the use of AI, particularly in areas such as AI-powered personalisation and predictive AI. As AI systems depend on vast amounts of data for training and optimisation, these regulations will influence how data is collected, processed, and utilised across AI applications.
“AI loves data the way chefs love salt—it’s essential for flavour,” remarks Rupani. With stricter consent protocols, AI systems will face greater challenges in delivering the same level of personalisation. However, Rupani highlights that this can actually push brands to become more creative and ethical in their data usage. “For example, platforms like Zomato and Swiggy, which use AI to predict food preferences, will now require explicit user consent before collecting data on dietary habits or past orders.” He suggests that this transparency could strengthen consumer trust, fostering a healthier relationship between brands and users, leading to better long-term outcomes. Additionally, AI models may need to shift toward aggregated or anonymised data, which could slightly reduce recommendation precision but significantly enhance privacy compliance.
“The DPDP rules 2025 represent a key step in establishing a strong data governance framework in India,” states Ankush Sabharwal, Founder & CEO of CoRover. “At CoRover, we view this as an opportunity rather than a challenge. The rules focus on transparency, accountability, and citizen trust, aligning well with our approach to developing conversational AI. Strategically, this shift encourages better data handling practices, emphasising privacy by design and the use of anonymised data for model training. Integrating Sovereign AI, which complies with regional data sovereignty and privacy standards, will ensure both compliance and trust among users.”
Sabharwal adds, “While user consent may complicate things, it will also contribute to building ethical AI practices. There’s a wealth of large data sets for training AI, but now the focus will shift to responsibly sourcing data and obtaining consent. The winner will be the one with real, high-quality, accurate data. CoRover is already implementing systems to unobtrusively integrate user consent, ensuring legal compliance and enhancing user confidence in AI technologies.”
WAY FORWARD
“The implementation of this Act will have a positive impact: creating a safer and more trusted advertising ecosystem. This will also bring in line India’s digital advertising landscape with that of other regions, thus growing the entire industry in a streamlined manner,” affirms Kelkar.
“The DPDP rules serve as a reminder for brands to prioritise trust, transparency, and consumer well-being,” says Dr. Varma. “While the journey may not be simple, the long-term benefits of building deeper, more meaningful connections with consumers will far outweigh the costs. Brands that succeed in this new landscape will be those who view compliance as the foundation of their marketing strategy, not as a hurdle,” he adds.
“India’s regulatory framework strikes a balance between aligning with global data privacy standards and addressing its own market needs,” highlights Sharma. “While the focus on data sovereignty and government exemptions may lead to differences, India’s emphasis on consent, accountability, and data breach management marks progress towards greater alignment. Overcoming challenges such as the digital divide, compliance costs, and privacy awareness will be essential for the framework to be both globally competitive and locally effective,” he explains.
In conclusion, while the draft DPDP rules present new challenges and opportunities for businesses, they also pave the way for a more structured approach to data protection in India. As these rules evolve, it’s essential for stakeholders across industries to stay informed and actively participate in shaping the final framework. We encourage all stakeholders to share their recommendations and feedback on the MyGov portal, contributing to the refinement of these crucial regulations.