Burden or Boost? Industry weighs in as DPDP Act countdown nears

New Delhi: On September 29, India’s Digital Personal Data Protection (DPDP) Act will finally roll out, ushering in a new era of accountability in how businesses collect, store, and use personal data. 

For the first time, companies across sectors, from AI startups to publishers to fintech firms, will be bound by stringent requirements around explicit consent, grievance redressal, breach notifications, and penalties that can reach Rs 250 crore.

But as the deadline looms, the mood across industries is a mix of anticipation and apprehension. The DPDP Act is being seen not merely as a compliance framework, but as a force that could reshape business models, product design, and even India’s global competitiveness in AI and digital innovation.

The startup’s dilemma: Growth or compliance?

For the country’s burgeoning AI ecosystem, the DPDP Act is both a catalyst and a constraint. Nishith Srivastava, founder of Agentics and an advisor to AI startups from Bangalore to Silicon Valley, doesn’t mince words.

“I view the Digital Personal Data Protection (DPDP) Act, not merely as a legislative barricade against data misuse, but as a double-edged sword that could either galvanise ethical AI evolution or stultify India's nascent ambitions in the field,” said Srivastava.

At the heart of the tension is data. AI models thrive on vast datasets, traditionally drawn from open web sources like Common Crawl or ImageNet. But the DPDP Act introduces a clear line; companies can no longer indiscriminately scrape publicly available data without user consent.

“The DPDP Act says you can’t just grab publicly available data for AI training without clear permission from the folks it’s about. That’s a big deal because startups often rely on stuff like social media posts or open web data to build their models on a budget. Now, they’ll need to get consent or create their own datasets, which takes time and money,” Srivastava explained.

This is already leading to workarounds such as synthetic data, computer-generated datasets designed to mimic real-world patterns. “I’ve seen teams pivot to making synthetic data (fake but useful stuff) to keep things moving, but it slows down research and early testing. This might lead to a surge in creating synthetic data, which could help us build models that are both better and less biased. But it could also slow things down a bit, making it take longer to test out ideas,” he added.

For resource-constrained startups, compliance itself is a heavy lift. Appointing data officers, conducting audits, and preparing for impact assessments mean less time spent on actual innovation. “For small startups, that’s a headache that pulls engineers away from coding cool AI to filling out paperwork. I’ve been in rooms where teams spent weeks on this instead of building. And the fines? Up to Rs 250 crore! That’s enough to make any founder sweat and play it safe instead of going big,” Srivastava shared.

He warned that without flexibility, such as innovation sandboxes or carve-outs for early-stage research, India risks repeating missteps seen in places like California under the CCPA, where regulatory overheads diverted engineering talent away from core R&D.

“So, the Act is like a big step forward in taking care of things ethically, but if we don’t make some flexible exceptions, it might actually slow down the very people who could help India become a big player in the global AI scene,” Srivastava asserted.

The publisher’s tightrope

For publishers, the DPDP Act strikes at the very foundation of their business models. Suresh Vijayaraghavan, Chief Technology Officer at The Hindu Group, outlined the magnitude of the shift.

“The Digital Personal Data Protection (DPDP) Act introduces a major shift for publishers in India, reshaping how user data can be collected and monetised. Mandating explicit consent for personal data usage forces publishers to redesign user experiences with greater transparency and accountability. While this builds trust, it also risks ‘consent fatigue,’ where repeated prompts may reduce engagement and limit opportunities for personalisation,” Vijayaraghavan underscored.

Advertising, the lifeblood of most publishers, is particularly vulnerable. “Advertising models will face the sharpest impact. Global platforms with GDPR-compliant frameworks are better prepared, while Indian publishers must innovate with privacy-first ad technologies that respect cultural expectations. Traditional tracking methods may become less viable, encouraging a pivot toward contextual targeting and hyperlocal campaigns. Regional language personalisation, particularly in Tier 2 and Tier 3 markets, offers a strong path to growth without compromising privacy,” Vijayaraghavan added.

But compliance pressures could also accelerate a long-predicted industry shift: subscriptions. “Declining ad revenues could accelerate the adoption of subscription-based models. Paywalls and premium content strategies not only provide a revenue stream but also strengthen audience relationships by giving users more control over their data,” he said.

For Vijayaraghavan, the opportunity lies in embracing ethical data practices not just as a necessity, but as a differentiator. “Ultimately, the DPDP Act is more than a compliance hurdle. For publishers willing to embrace ethical data practices and user-centric models, it represents a strategic opportunity to build sustainable, trust-driven ecosystems in India’s digital economy,” said Vijayaraghavan.

The enterprise perspective

On the enterprise side, companies that manage digital journeys: banks, fintechs, insurers, e-commerce players are staring at one of the Act’s most practical challenges: consent.

Nikhil Jhanji, senior product manager at IDfy, believes the solution lies in reimagining how consent is sought and communicated.

“Privacy notices should be product-first and lifecycle-aware; not legal appendices. When notices are contextual, byte-sized, and tied to user journeys, consent becomes meaningful, manageable, and a source of competitive trust rather than fatigue,” said Jhanji.

The DPDP Act’s insistence on consent being specific, unambiguous, and affirmative means businesses can no longer rely on long, dense policies buried at the bottom of a webpage. Instead, they must design notices into the user journey.

“Think of stock vs. flow consent: stock covers existing data principals, while flow consent is sought just-in-time for net new /specific interactions, like enabling a feature or sharing data with a partner. This reduces overload, keeps choices meaningful, and aligns with the Act’s requirements,” Jhanji explained.

Equally important is accessibility. “When designed well, these notices not only meet regulatory standards but also create ‘happy friction’: small pauses that build awareness without disrupting user journeys,” Jhanji added.

For IDfy, the shift is not just about compliance but competitive advantage. “Beyond compliance, embarking on a privacy transformation delivers real business value. It enforces tighter controls over third parties, helps reduce data footprints, and ultimately enables better personalisation grounded in explicit user trust,” said Jhanji.

What you need to know

The Digital Personal Data Protection (DPDP) Act is India’s first comprehensive privacy law. It introduces explicit, affirmative consent for personal data processing, rights for individuals, including withdrawal of consent and grievance redressal, and obligations for companies, such as appointing Data Protection Officers and conducting impact assessments for significant data fiduciaries. The Act also mandates breach notification to both regulators and affected users, imposes heavy penalties up to Rs 250 crore for non-compliance, and includes cross-border restrictions, with rules to be notified by the government. In essence, the Act aims to build a trust-first digital economy where businesses balance innovation with user rights.