Blog
/
Photography
India's DPDP Act: What International Brands Need to Know Before Running Digital Ads
India's Digital Personal Data Protection Act changes how brands can collect data, target ads, and measure campaigns. Here's a practical guide for international brands operating in India.

Posted at
Jan 10, 2026
Posted on
Content
India's Digital Personal Data Protection Act came into force and is being progressively implemented across 2025-2026. For international brands running digital advertising campaigns in India it introduces requirements that are materially different from what most global marketing teams are used to.
What the DPDP Act Covers
The DPDP Act regulates the collection, storage, and processing of personal data of Indian citizens. It applies to both Indian companies and international companies processing data of Indian users. The key requirements for digital marketers are explicit consent — you need affirmative informed consent to collect personal data, not implied consent. Purpose limitation — data collected for one purpose cannot be used for another without additional consent. Data localisation — certain categories of data must be processed within India. Right to erasure — users can request deletion of their data.
What This Means for Your Ad Campaigns
If your website uses Meta Pixel or Google Analytics tags to collect user data for retargeting you need a functioning cookie consent mechanism that actually stops data collection when consent is declined. Your WhatsApp opt-in mechanism needs to clearly describe what data you are collecting, how you are using it, and how users can opt out. Custom audiences built from email lists or pixel-based website visitor data require that the underlying data was collected with appropriate consent for retargeting use.
How This Differs from GDPR
If your organisation already has GDPR compliance you are closer to DPDP compliance than a non-European brand but there are meaningful differences. GDPR compliance is a floor not a ceiling for India. Use it as a starting point and add India-specific compliance on top.
The Attribution Impact
Stricter consent requirements reduce the size of retargeting audiences and the completeness of conversion tracking. The mitigation strategies are the same as post-iOS14: server-side tracking through Meta Conversions API and Google server-side tagging, first-party data collection through email and WhatsApp opt-ins, and modelled conversions to fill attribution gaps.
What to Do Now
Audit your consent mechanism on every India-facing website. Check whether your Meta Pixel actually stops collecting data when consent is declined. Review your WhatsApp opt-in copy. Implement server-side tracking before regulatory enforcement tightens. Brands that invest in compliant first-party data infrastructure now will have a meaningful advantage as third-party data becomes less reliable.


