Consent Fatigue, MSME Strain, and AI Hurdles: Contentious Corners of DPDP Act
From consent overload to localisation, the DPDP Act's sharper edges could disrupt industries and leave smaller firms struggling, say experts.
ADVERTISEMENT
Even as India prepares to operationalise its long-awaited Digital Personal Data Protection Act by September 28, experts warn that the Act’s very design could create unintended hurdles- especially for smaller enterprises, AI innovators, and businesses that rely on global data flows.
At the heart of the concern is consent.
The Act makes consent the primary legal basis for processing personal data, leaving little room for alternatives.
“This will translate into consumers being bombarded with consent notices, leading to fatigue,” said Meghna Bal, Esya Centre. “Over time, people may stop responding altogether, leaving companies unable to complete transactions or run routine security updates.”
The absence of other grounds like “legitimate interest” or “contractual necessity”-commonly used in GDPR- could be particularly disruptive, she added. The ripple effects may hit AI startups hardest.
“Because of restrictions on public data in Section 3, AI training could grind to a halt. Startups won’t be able to use public datasets if they contain any personal data without consent,” Bal warned.
Kamesh Shekar, Associate Director, The Dialogue, flagged another flashpoint: localisation.
Rule 12(4) hints at keeping certain classes of personal data in India, adding layers of compliance on top of existing RBI and IRDAI mandates. “It risks stifling innovation by limiting global data aggregation, which is vital for advanced analytics and research,” Shekar said.
In its recent letter to the Ministry of Electronics and Information Technology (MeitY), the National Association of Software and Service Companies (NASSCOM) had also urged the government to reconsider the proposed restrictions on cross-border data transfers under the draft.
In its submission, the trade body asserted that the proposal risks causing unintended uncertainty about international data transfers. Additionally, the proposal could impact global competitiveness, and increase compliance costs for companies operating across jurisdictions.
NASSCOM warned that limiting Significant Data Fiduciaries (SDFs) from transferring personal data outside India contradicted the broader intent of the DPDP Act and the move could create regulatory uncertainty for businesses.
“Moreover, the ability of such a restriction to afford meaningful additional safeguards to the processing of personal data remains, at best, questionable,” it said.
In its letter to MeitY, the Internet and Mobile Association of India (IAMAI) also pushed back against potential restrictions on cross-border data transfers, stating that such measures could isolate Indian companies from the global data economy and raise compliance costs. IAMAI also called for a 24-month implementation period to allow companies to adapt to the regulatory changes.
Children’s data is another sticking point.
The Act requires verifiable parental consent for processing, a noble safeguard but one that may prove impractical. “A universal mechanism could disrupt small businesses,” Shekar noted, recommending a risk-based tiered approach instead.
The compliance burden looms especially large for MSMEs.
Vinod Kumar, President, India SME Forum, said his organisation’s survey of one lakh members showed only 2.5% even understood the Act.
“For most MSMEs, compliance is simply unaffordable. They lack the infrastructure for secure storage, consent management, and breach protocols,” he said. The penalties, however, are steep: fines can run up to ₹250 crore for major violations, and even small lapses can cost ₹10,000 per instance.
MSMEs in India are currently at a low to very low level of readiness for the Act, he pointed out.
"Many MSMEs will face significant challenges in complying with the DPDP Act due to resource constraints, limited technical expertise, and lack of awareness."
Internal study on Readiness to Comply with DPDP, conducted within the around 1 lakh strong membership of India SME forum, have shown only 2.5%, a very small percentage even understand the law.
Startups echo the concern.
Dipankar Mukherjee, Studio Blo, argued that the Act emulates GDPR’s complexity without simplifying for India’s resource-constrained ecosystem.
“While intent is right, execution needs to be easier for young companies, especially in fast-evolving AI fields,” he said.
Shreya Suri, Partner, IndusLaw, shared that the verifiable consent mechanism for parents and guardians along with associated age verification/ gating measures is going to be hard to standardise and implement across multiple sectors. Although what is going to be even harder is to drive privacy within any organisation into its cultural DNA and helping stakeholders understand the consequences of non-compliance – which are likely to go well beyond just penalties.
Experts also worry about overlapping mandates.
Sidharth Deb, Associate Director, TQH Consulting, highlighted the challenge of harmonising DPDP’s breach notification requirements with existing CERT-In and sectoral rules.
“Without alignment, companies may face duplicative reporting, creating compliance fatigue,” he said.
For now, much depends on the final rules, templates, and phased timelines. As Kumar cautioned, “Without pragmatic adjustments- like sector-specific exemptions, extended timelines, and compliance-as-a-service models- the DPDP Act risks acting as a costly barrier rather than an enabler.”
Sanjay Goel, Former Joint Secretary, Ministry of Electronics and Information Technology tells Storyboard18 that while there has been a lot of hue and cry in the industry and the academia, regarding curbing of free speech, freedom/ right for information, why should anyone has to have the right over user's personal data, whether it is through executive action or through courts?
"One’s data is one’s own. This act gives that right to the individual. If a third person wants it, the same is not a right of that entity. It can make a request and the data principle would now be well within his rights to allow or disallow such usage. Whether it is for research or any other purpose no one can claim right and get the data except as per the process or provisions laid down in DPDP," Goel highlighted.
All in all, he thinks DPDP is a good act, may not be transformative, but a step in the right direction and should serve the nation well.
