DPDP Act Rules: Why Indian cos are divided between compliance and opposition

Even as India prepares to operationalise its long-awaited Digital Personal Data Protection Act, the Act’s very design have created unintended hurdles- especially for smaller enterprises, AI innovators, advertising and media industry that rely on global data flows. At the heart of the concerns is consent and restrictions on cross-border data.

Consent Management and Customer Privacy

The Act makes consent the primary legal basis for processing personal data, leaving little room for alternatives.

The framework mandates a separation of consent for optional and mandatory services. In other words, “bundled” consent- a common practice where users agree to all data processing purposes in a single click- will soon become non-compliant. This aligns India’s privacy regulations more closely with global norms that emphasize purpose limitation, granularity, and user autonomy.

Read more: Reset for Advertising: Why DPDP Act will transform media and marketing

At the center of this CMS proposal is a live Application Programming Interface (API) call to validate consent before any data can be processed. If consent is missing, outdated, or invalid, the system must automatically deny the request. This "consent ping" mechanism ensures that companies cannot use stored or assumed consent to process personal data.

The impact could be significant for the advertising and media industry. Experts have warned that consent fatigue could cripple operations. If every click requires consent, consumers will stop responding, making it harder for companies to operate.

Advertising technology intermediaries, who rely heavily on third-party cookies and cross-platform data, are also bracing for disruption. In some cases, firms are already reducing third-party tags, enforcing runtime consent, and defaulting to contextual targeting when provenance is weak.

Meanwhile, many believe, the Act is expected to accelerate technological innovation in the compliance space. It will forever change the way organizations approach data security architecture with a rapid shift toward AI-driven consent management, automated privacy impact assessments, and integrated platforms that unify compliance with customer engagement.

Read more: Decoding India’s DPDP Rules: Final Rollout Nears, Businesses Face New Compliance Demands

In addition, the Act marks a paradigm shift in India’s digital workplace. Companies can no longer afford to treat employee data protection as an afterthought. Encryption, governance, zero-trust access, audits, and transparency are becoming baseline expectations.

Employee Privacy

Employee data is as sensitive as customer data. With the DPDP Act, the risk of leaks is no longer just a technology lapse but a compliance breach. Until now, most companies treated employee data protection as a secondary IT task. The DPDP Act changes that calculus.

The law sets out strict obligations for data fiduciaries, with limited exemptions for employers in cases like protecting trade secrets or preventing corporate espionage.

Read more: Consent Fatigue, MSME Strain, and AI Hurdles: Contentious Corners of DPDP Act

Beyond these purposes, fiduciaries must safeguard employees’ digital personal data against leaks and comply with reasonable safeguards. For smaller companies and start-ups, this transition may increase operational costs, but privacy-enhancing technologies can ease the shift.

The consequences of mishandling employee data are devastating. When employee data leaks, it doesn’t remain a minor privacy lapse, it becomes a chain of high-risk exposures. Identity details like Aadhaar or PAN can fuel KYC fraud, SIM swaps, and forged IDs. Payroll records turn into social-engineering weapons. Even contact details can enable doxxing, stalking, or harassment.

For organizations, this translates into regulatory penalties, reputational loss, and legal liabilities.

Restrictions on cross-border data

Various bodies have pointed out that the proposal risks causing unintended uncertainty about international data transfers. Additionally, the proposal could impact global competitiveness, and increase compliance costs for companies operating across jurisdictions.

In its submission to the Ministry of Electronics and Information Technology (MeitY), NASSCOM warned that limiting Significant Data Fiduciaries (SDFs) from transferring personal data outside India contradicted the broader intent of the DPDP Act and the move could create regulatory uncertainty for businesses.

Read more: DPDP Countdown: Why employee data is India Inc.’s next big compliance test

The Internet and Mobile Association of India (IAMAI) has also pushed back against potential restrictions on cross-border data transfers, stating that such measures could isolate Indian companies from the global data economy and raise compliance costs.

IAMAI also called for a 24-month implementation period to allow companies to adapt to the regulatory changes.

MSMEs brace for impact

While large digital platforms and tech firms are relatively better positioned to absorb the compliance demands, micro, small, and medium enterprises (MSMEs) are expected to face significant hurdles.

Storyboard18 earlier reported that many MSMEs, which rely on affordable digital tools and third-party marketing software, may now find themselves at a disadvantage. The CMS requirements could limit their ability to use programmatic advertising, retargeting tools, and analytics software- tools that are often critical to their digital growth strategies.

Read more: New consent API under DPDP Act set to redefine data use rules for digital platforms

Overregulation of data and digital tools risks are undermining MSME success in India, according to the latest survey by India SME Forum (ISF), wherein many MSME members have expressed to ISF that the current overall regulatory framework for personal data and non-personal data is overly restrictive, creating compliance burdens that hinder their ability to market effectively, engage with customers, and grow their businesses.

MSMEs fear that overly restrictive policies may limit their ability to leverage digital tools for marketing, customer engagement, and business growth.

MSMEs rely on digital technologies to overcome challenges in customer acquisition, brand building, and operational efficiency, particularly as they lack the resources for large-scale marketing strategies.

Read more: NASSCOM opposes DPDPA rules on cross-border data transfer restrictions

Read more: Businesses gear up for DPDP Rules with privacy policy updates, appoint Data Officers