DPDP final rules unintentionally creates 'perpetual' advantage for Big Tech, experts warn

India’s new Digital Personal Data Protection (DPDP) Rules, 2025 have introduced what appears to be a neutral, purpose linked, three year retention framework for large platforms. But as the finer details unfold, one thing is becoming increasingly clear: Big Tech companies are poised to gain the most from this regime. The combination of long retention windows, interaction based resets, mandated pre deletion notices, and complex audit trails create a compliance environment that heavily favors entities with engineering muscle, mature data governance, and high engagement ecosystems.

While the Rules apply uniformly to platforms above specific thresholds in the Third Schedule, the operational reality is asymmetrical in ways that shape competitive dynamics for years to come.

The three year retention window: legally equal, competitively unequal

On paper, the three year retention period is the same for every platform that crosses the DPDP thresholds. In practice, the advantage is unmistakably skewed. As Sonam Chandwani at KS legal explains, “A uniform three year retention period inherently benefits Big Tech because they already operate at scale, have mature compliance systems, and possess the infrastructure to extract greater value from long tail data.”

Smaller platforms, she notes, are hit the hardest. “They may struggle to justify the cost of storing, managing, and auditing data for three years, effectively widening the competitive gap in data driven markets.”

Prashant Mali, advocate, agrees, arguing that the size of the data infrastructure makes the biggest difference. “A three year retention window disproportionately favours Big Tech because they already operate massive data lakes with automated lifecycle management, distributed storage, and AI driven compliance tooling. For smaller platforms, retaining personal data for three years securely, verifiably, and breach free becomes a cost centre they can barely sustain.”

Vinay Butani, Partner at Economic Laws Practice, adds the legal perspective: “The three year retention framework under the DPDP Rules is legally neutral. It applies only to the specific categories listed in the Third Schedule and imposes the same purpose based deletion requirement on every platform. In strict legal terms, it does not confer any special advantage on Big Tech.” But he also emphasises that legal neutrality does not translate into practical neutrality. “Larger platforms typically have higher user engagement and deeper compliance infrastructure, which means their users are less likely to fall dormant and their systems are better equipped to operationalise the retention cycle. Its implementation can unintentionally favour large incumbents and place a proportionately heavier operational burden on smaller entities.”

Akshaya Suresh, Partner at JSA Advocates and Solicitors, points to another layer of asymmetry. “Larger platforms are allowed to hold personal data for up to three years since the last user approach, while smaller platforms must apply the general standard for erasure once the specified purpose is no longer served. This retention asymmetry translates into a competitive advantage for larger entities.”

The interaction reset rule: finite on paper, indefinite in reality

One of the most consequential features of the Rules is the interaction based reset: every time a user logs in, contacts the platform, or exercises a right, the three year deletion clock resets. For high engagement platforms, this clock never actually runs down.

Chandwani puts it plainly: “Practically yes, the interaction reset rule creates a rolling retention period, meaning platforms with high daily engagement can retain user data almost perpetually without ever triggering the deletion threshold.” This, she says, converts a seemingly finite retention period into “an operationally indefinite one, especially for services like social media, search, and messaging”.

Mali says, “If every user interaction resets the retention clock, then for platforms designed to maximize engagement the retention could, in effect, become perpetual. High frequency touchpoints ensure the clock never runs out, granting platforms a legally permissible way to retain personal data forever without calling it indefinite retention.”

Not everyone agrees on its inevitability, though. Akshaya cautions that the reset is still user dependent. “Not necessarily. The interaction reset is at the option of the data principal. When a data principal receives notice that their data will be deleted after 48 hours, they can choose no action and thus let the data be deleted.”

Yet, as multiple experts note, platforms rarely lose users at scale. And that brings us to the most controversial part of the mechanism.

The 48 hour deletion notice: a privacy safeguard or a re engagement funnel

Before deleting data, platforms must send users a mandatory 48 hour notice. In theory, this is a consumer protection measure. In practice, it becomes a strategic lever.

Chandwani says platforms must tread carefully. “Using a deletion notice as a retention extension tool walks a thin line. Any attempt to nudge users into reactivation must avoid manipulative design and withstand scrutiny for dark patterns.” But she acknowledges the risk: the notice can become “a reactivation touchpoint”.

Mali goes further. “You can already imagine the playbook. A You requested deletion are you sure notification becomes a behavioural nudge. Offer a discount, resurrect memories, extend subscriptions, trigger fear of loss. If the user clicks, engages, or even logs back in, the retention clock resets.” Akshaya Suresh agrees that this possibility exists within the rule itself. “In practice, the 48 hour pre deletion notice may serve as a re engagement touchpoint. The Rule requires platforms to inform users that their data will be deleted unless the user logs in or otherwise contacts the Data Fiduciary. This mandated notice may operate as a trigger for renewed user activity, thereby lawfully extending retention.”

Deep data, deeper moats: the competition implications

More data means better models, which means better ad economics, which leads to stronger market capture. Under the DPDP regime, this flywheel accelerates for incumbents.

Chandwani observes that longer windows and rolling resets “can entrench incumbents by allowing them to maintain deeper behavioural datasets”. Prashant calls this “the elephant in the room”, describing the cycle bluntly: “More data then better models then deeper behavioural mapping then superior ad economics then further market capture.”

Butani refrains from assessing competition impacts but acknowledges that implementation differences can create unintended advantages. Akshaya Suresh calls the asymmetry direct: “This retention asymmetry translates into a competitive advantage for larger entities.”

With billions of touchpoints resetting retention clocks every second, Big Tech companies effectively gain multi year continuity of behavioural, transactional, and engagement data that newer entrants cannot replicate.

Purpose separation and compliance: a landmine for everyone, but especially for smaller firms

Large platforms also have an upper hand in implementing purpose separation, which is non negotiable under the DPDP Rules. Chandwani warns that blending datasets is dangerous. “Commingling these datasets can trigger violations relating to purpose limitation, inadequate consent, and excessive processing.”

Mali calls it “a compliance landmine”. Butani explains the legal stakes: “Under Rule 8, retention is strictly purpose linked. If account access data and ad targeting data are commingled within the same flows, the fiduciary cannot demonstrate that a valid purpose continues for each dataset.”

Akshayy S. Nanda, Partner at Saraf and Partners, emphasises the marketing risk: “If account access data is mixed with behavioral targeting data, deletion requests become impossible to honor cleanly. Individuals end up receiving marketing they never consented to.”

This, Nanda says, exposes platforms to liability for sending non consented marketing messages. The audit trail burden: Big Tech can handle it, smaller players cannot

Big Tech already logs every interaction down to milliseconds. Smaller platforms do not.

Chandwani says companies will need “granular audit trails, timestamped, logged, and mapped to retention triggers with demonstrable deletion workflows”. Prashant adds that Big Tech will rely on “tamperproof lifecycle tracking” while “smaller platforms will struggle to match this sophistication”. Akshaya explains how larger platforms will prove compliance: “Big Tech can demonstrate compliance primarily through the retention of system logs that are already mandated. These logs capture when a user last logged in or approached the platform. By maintaining audit trails that record each interaction and the recalculation of the retention period, platforms can demonstrate compliance.”

India’s DPDP Rules, 2025 aspire to standardise data protection and improve accountability. But in the real world, where data volume, engagement patterns, and engineering capacity define competitiveness, the framework disproportionately strengthens the incumbents.

The result is a regulatory landscape where Big Tech does not merely comply more easily. It comes out stronger. Smaller players face higher costs, higher compliance barriers, and a shorter data runway.

Big Tech, meanwhile, enters a new era of lawful, operationally perpetual data advantage, built not through loopholes but through the very structure of the rules themselves.

The implications for competition, privacy, and market dynamics will unfold over time. But one thing is already evident: data retention is no longer just a compliance requirement. It is the new battleground for digital power.