What is the deadline for DPDP Act enforcement in India?

Hard enforcement for the Digital Personal Data Protection (DPDP) Act begins on May 13, 2027. The transition window is currently active.

What are the penalties under the DPDP Act?

Penalties range from ₹50 Crores for general violations to ₹250 Crores for failure to take reasonable security safeguards.

How much does DPDP compliance cost?

Market rates for comprehensive DPDP compliance range from ₹3-7 Lakhs for SMEs to ₹15+ Lakhs for enterprises. This includes awareness training, data audit, DPA deep-dive sessions, consent manager setup, and ongoing DPO support.

Does DPDP apply to small businesses?

Yes. The DPDP Act makes no distinction based on turnover. Even if you have 100 customers, if you collect digital personal data, you are a Data Fiduciary and must comply.

What is included in a DPDP compliance workshop?

A DPDP readiness workshop typically includes: understanding the DPDP Act, mapping your tech stack, reviewing data processor agreements, checking consent flows, and creating a clear action plan.

Quick Answer•4 min read

DPDP for Marketing: What Customer Data Can You Use?

Indian marketing teams: Understand DPDP rules for customer data, consent, and targeted ads. Learn what data you can use post-DPDP.

Sushant Pasumarty20 May 2024

DPDP for Marketing Teams: What Data Can You Use?

Yes, marketing teams can still use customer data under the Digital Personal Data Protection Act (DPDP), 2023. However, the legal basis for processing this data has shifted, primarily emphasizing explicit, informed consent or legitimate uses.

This means your approach to data collection, storage, and usage for campaigns, personalization, and analytics must be re-evaluated. Blanket opt-ins are no longer sufficient.

What This Means Right Now for Marketers

The DPDP Act has received presidential assent, meaning it is law. While full enforcement details are pending, businesses must prepare as if the rules are active. The government is expected to notify the exact effective dates and associated rules soon. This means Indian businesses cannot delay compliance planning.

Sushant Pasumarty, founder of Meridian Bridge Strategy, notes, "The practical reality is that companies that begin mapping their data flows now will be in a much stronger position when enforcement ramps up. Waiting will expose you to significant risks."

💡 Key Insight: DPDP requires a legal basis for processing personal data. For most marketing activities, this will be explicit consent from the Data Principal (your customer).

What Marketing Teams Actually Need to Do Under DPDP

Your marketing data practices require a strategic overhaul to align with DPDP. Here are the core actions:

Re-evaluate Consent Mechanisms: Obtain explicit, granular, and easily withdrawable consent for each specific marketing purpose (e.g., email newsletters, SMS alerts, personalized recommendations). Pre-ticked boxes are out. Your consent forms must clearly state *what* data is collected and *how* it will be used for marketing.
Map Your Marketing Data Flows: Understand every piece of personal data your marketing team collects, from web analytics to CRM entries. Identify where it comes from, where it's stored, which third-party tools (like ad platforms, email marketing software) access it, and for how long.
Implement Data Minimisation: Only collect and retain data that is strictly necessary for your stated marketing purpose. If you don't need a specific data point for a campaign, don't collect it. This reduces your risk surface.
Ensure Data Principal Rights: Marketing teams must be prepared to handle requests from individuals to access their data, correct inaccuracies, or erase their data (the "Right to Erasure"). Your systems must support these requests efficiently.
Review Third-Party Data Sharing: If you share customer data with ad networks, data brokers, or marketing agencies, ensure you have a valid legal basis (usually specific consent) and Data Processing Agreements (DPAs) in place that outline responsibilities and security measures.

✅ Pro Tip: Consider a Consent Management Platform (CMP) to automate and manage consent collection, recording, and withdrawal across your marketing channels. This is an upfront investment that streamlines DPDP compliance. Read more about Consent Manager costs.

What DPDP Compliance for Marketing Costs (MBS Tiers)

The cost for marketing teams to become DPDP compliant depends on your current data practices, the complexity of your marketing tech stack, and the volume of data you handle. Meridian Bridge Strategy offers tiered services to address these needs:

Tier	What it includes for Marketing	Price Range	Duration
Data Mapping	Identify all customer/prospect data collected by marketing, its source, storage, and who processes it (e.g., CRM, analytics tools, ad platforms).	₹1.5L – ₹3L	1-2 weeks
DPDP Readiness Audit	Data Mapping + Gap Analysis on existing marketing consent forms, privacy notices, data retention policies, and third-party data sharing agreements.	₹2L – ₹6L	2-4 weeks
DPDP Workshop	Data Mapping + Gap Analysis + Prioritized Recommendations for consent redesign, data minimization, and a 90-day roadmap for marketing data compliance.	₹5L – ₹10L	4-6 weeks
Full DPDP Consulting	Workshop + Implementation support for new consent flows, DPA reviews with marketing vendors, DPO training on marketing data, and a final readiness opinion.	₹7L – ₹12L	3-6 months

Sushant Pasumarty often observes, "The initial data mapping exercise is crucial for marketing teams. Many discover they're collecting far more data than necessary, or relying on outdated consent. This foundational step drastically reduces future compliance efforts and risks."

When to Start Your Marketing DPDP Compliance

Start now. The sooner you understand your marketing data landscape and implement necessary changes, the lower your risk of non-compliance penalties, which can be substantial. Proactive compliance also builds customer trust, a valuable asset for any marketing team.

Next Step

The first step is to understand your specific compliance needs. Use the free calculator on dpdpworkshop.com to get an estimate of which MBS tier fits your organization. Then, schedule a call with Sushant Pasamarty to discuss a tailored approach for your marketing team's DPDP readiness.

Frequently Asked Questions

Can marketing teams still use customer data for targeted advertising under DPDP?

Yes, but only with explicit, informed consent from the data principal (customer) for that specific purpose, or under a legitimate use basis where applicable. Generic consent for 'marketing' may not suffice.

Does DPDP require new consent for my existing marketing email lists?

Yes, if your existing consent does not meet DPDP's standards (i.e., explicit, specific, informed, and easily withdrawable). You may need to re-engage your list to obtain fresh, compliant consent, or identify an alternative legitimate use.

How does DPDP affect using third-party data for marketing?

If you acquire personal data from third-party sources (e.g., data brokers), you must ensure that the original data collector obtained explicit and compliant consent for the data to be shared with you for your specific marketing purposes under DPDP. Due diligence on third-party data vendors is critical.

Check Your DPDP Cost

Use the free calculator to estimate your compliance cost. Then book a call with Sushant to scope the right engagement.

Estimate My DPDP Cost →

Or book a call with Sushant →

DPDP for Marketing: What Customer Data Can You Use?

DPDP for Marketing Teams: What Data Can You Use?

What This Means Right Now for Marketers

What Marketing Teams Actually Need to Do Under DPDP

What DPDP Compliance for Marketing Costs (MBS Tiers)

When to Start Your Marketing DPDP Compliance

Next Step

Frequently Asked Questions

Related Guides

DPDP Compliance: Mandatory for Indian Startups?

DPDP Fines for Small Businesses: What You Need to Know

DPDP Act: Foreign Companies in India – Guide by MBS

Check Your DPDP Cost