The compliance paradox: DPDP rules hand data advantage to Google, Meta, and Amazon

India’s new Digital Personal Data Protection (DPDP) Rules have triggered a fundamental shift in how platforms collect, store and monetise user data. And according to industry experts, the impact will be most deeply felt in Big Tech’s favour.

Sajal Gupta, CEO, Kiaos Marketing, frames the power imbalance. “If you really look at it, who has the data, who is actually sitting on it? It’s the triopoly - Google, Meta and Amazon. The person who’s actually got the data is the one who’s going to benefit the most.”

He explains that data behaves like a perishable product, whose value declines rapidly once a requirement is fulfilled. “For a product with a three month purchase cycle, like a car, my requirement is fulfilled after that period. I’ll go online, look at various models, compare SUVs, sedans. After I purchase the car, my next requirement may come five years later. So after those three months, that data perishes.”

What matters, Gupta argues, is who collects fresh data at velocity. “Who is getting data on a continuous and regular basis? The Big Tech players. Even if I hold on to that data and refresh it regularly, they are the ones who can make the best use of it.”

Quick commerce players come second, he adds, but their data windows are far shorter. “Quick is the key word. That requirement is fulfilled immediately. In cars, the second requirement is after five years. Here, it can be after thirty minutes. That’s the difference.”

Beyond quantity, data quality will now shape competitive advantage. “Everybody says they are in the data business, but what is the quality? PayU can tell me how much money I spent and where, but he doesn’t know what I bought. MakeMyTrip has very valuable data. They know if I travel business or economy, which hotels I stay at, whether I’m a five star or three four star person. That’s quality.”

Loyalty programs like Amex or Marriott Bonvoy, he notes, are evolving into advertising engines because they sit on regular, layered behavioural and transactional data.

Gupta draws a sharp distinction between behavioral data and hard transactional data. “Google or Meta are directional. I could be searching for a BMW even if I don’t have the money to buy one. Someone downloading a BMW wallpaper doesn’t mean they’re a buyer. That’s behavioral. Hard data is when I go to the BMW showroom and actually buy the car.”

DPDP tries to regulate how this mix of data is stored, reused and protected. “DPDP is trying to put some degree of privacy on this data because it can be misused. All of us get spam calls. If I give my number for KYC while buying a mutual fund, after the KYC is done, my data remains there. That’s where leakage happens,” he says.

On the retention timer resetting with every login or interaction, Gupta acknowledges the ambiguity. “Does the rule effectively allow Big Tech to hold user data indefinitely? In a way, yes. Technically you can hold my data for three years since each visit refreshes it. But Big Tech data is behavioral. After the transaction is over, I visit very rarely. It is essentially behavioral and it perishes.”

He also points out that data misuse often starts offline. “DPDP is not just digital. It applies to offline telecalling, where the bigger leak of data is happening.”

Big Tech’s challenge is architectural, not operational

Malcolm Gomes, COO at IDfy, says the DPDP Rules demand a foundational redesign. “For Big Tech, the DPDP Rules are not a policy update. They are an architectural reset. The challenge is not scale. It is the need for a trust control nerve system that connects every workflow, legacy stack and algorithm to a single compliance spine.”

He expects Big Tech to embed governance into engineering. “Those that act early will strengthen trust and move faster. Those that delay will face heavier remediation, regulatory friction and slower product velocity.”

Naqeeb Ahmed Kazia, Partner at CMS IndusLaw, emphasises that retention is tied to purpose, not platform choice. “The interaction reset signifies that the purpose is not completed and the data fiduciary can continue processing the data. High engagement platforms may extend retention, but they must limit processing solely to the consented purpose.”

He cautions platforms against exploiting the 48 hour deletion notice. “If a platform uses this notice as a dark pattern to re engage data principals, it may undermine the user’s consent and could attract regulatory scrutiny.”

Kazia adds that compliance itself will reshape operations. “Organizations will need to re engineer their platforms and ensure that audit logs track user consent, user activity, deletion workflows. This might require automating systems and adopting privacy by design principles.”

Startups will struggle. Large platforms will accelerate

Dhiraj Udapure, CTO of SCS Tech India, says the rules introduce a three year retention window that is both an opportunity and a burden.

“The new three year retention window gives technology companies a stronger legal basis to analyze long term trends and personalize services, but it brings sharper scrutiny around how behavioral data is used for profiling. Bigger firms can adapt, but the requirements can be disproportionately heavy for startups.”

He warns that without support, the rules could deepen Big Tech’s data lead. “There is growing concern that the rules could inadvertently reinforce data advantages for high engagement platforms.”

Clean data will matter more than ever

Amit Relan, CEO and Co founder of mFilterIt, highlights a different risk: polluted signals. “As organizations work toward compliance, it is important to ensure that the data entering these systems is genuine. Bots and synthetic identities can influence behavioral insights and long term models. Traffic validation naturally complements data protection. When the data foundation is clean, the ecosystem becomes stronger.”

Vijender Yadav, CEO and Co founder of Accops, says Big Tech will not necessarily gain unlimited profiling power, but the compliance load will shift dynamics.

“Earlier, data fiduciaries had a free hand to collect and retain data. The three year window will force them to prioritize what attributes to collect. But for high engagement platforms, the clock keeps resetting.”

He predicts substantial infrastructure upgrades. “Big Tech will need centralized consent management, automated data discovery, purpose based access control, system logging, monitoring and auditing, anonymization and deletion automation, and localized storage. Smaller players will struggle with cost and penalties.”

On competition, his view is clear. “Yes, India’s retention rules could create competition concerns by letting high engagement platforms build data monopolies. Big Tech already has teams and infrastructure to comply with similar global requirements.”

DPDP does not hand Big Tech more data. It hands Big Tech more advantage.

These companies already collect high velocity behavioral signals, already run global scale compliance systems, and already monetize long tail insights better than anyone else. The new three year retention window, combined with the interaction based reset, adds a regulatory layer that smaller firms will find expensive to navigate.

As Gupta puts it, “The owner of the data is the beneficiary. It comes down to who is able to refresh data, and how fast.”

And right now, only three companies do that at planetary scale.