Navigating India’s DPDP Act with Privacy-by-Design
India’s digital gold rush has officially entered its regulatory era. For years, the Indian internet was a frontier where data was harvested by default and protected by choice. With the enforcement of the Digital Personal Data Protection (DPDP) Act, that dynamic has flipped.
Today, data is a shared trust, and the consumer holds the keys.
For brands operating in India, the DPDP Act isn’t merely a legal checklist; it represents a fundamental shift in how we build digital experiences. It moves us from a “take-what-we-can” model to a permission-based economy.
Permission is the new currency
At the heart of the DPDP Act is a simple, uncompromising principle: permission is king. The days of relying on “legitimate business interest” to track users across the web are gone. The Act mandates explicit, verifiable consent.
The Data Principal (the customer)
The individual to whom the personal data relates. They are now empowered with specific rights, including the right to access, correct, and erase their data, as well as the right to grievance redressal.
The Data Fiduciary (the brand)
The entity that determines the purpose and means of processing. You are no longer just a collector; you are a trustee, liable for compliance.
The Significant Data Fiduciary (the heavyweights)
Organisations processing high volumes of sensitive data face enhanced obligations. This includes appointing an India-based Data Protection Officer (DPO), conducting periodic Data Protection Impact Assessments (DPIAs), and ensuring board-level accountability.
The Consent Manager
A new, interoperable technical intermediary. Acting on behalf of the Data Principal, this role enables users to grant, manage, review, and withdraw consent across multiple Fiduciaries through a single dashboard.
The stakes are historic. The consequences of non-compliance range from penalties of up to ₹250 crore (approximately $30 million) to severe reputational damage. In a market as competitive as India, losing customer trust is a cost no balance sheet can absorb.
The renovation phase: Rebuilding for 2027
With full enforcement expected by mid-2027, forward-thinking brands are treating the next 18 months as a renovation phase. You cannot simply patch an old system to meet these standards; you must rebuild your data architecture with privacy at its core.
1. The inventory of the invisible
You cannot protect what you cannot see. The first step for any brand is a comprehensive data-mapping exercise. By leveraging a Customer Data Platform (CDP) such as Adobe Experience Platform (AEP), you can identify where data enters the ecosystem and tag it with a “purpose”. If a user provides data for a transaction, but not for marketing, your system must be intelligent enough to automatically ring-fence that data.
2. The centralised gatekeeper
Consent cannot live in silos. If a customer opts out of tracking on your mobile app but still receives a promotional SMS ten minutes later, you are in breach. By integrating a Consent Management Platform (CMP) with the Adobe Web SDK, brands can ensure consent signals are federated across the entire stack. AEP acts as the single source of truth, ensuring that if a user says “no” in one place, the entire organisation hears it.
3. Human-centric transparency
The Act requires privacy notices to be accessible. For a nation as diverse as India, this means providing clarity in English and the 22 official languages. Using Adobe Experience Manager (AEM), brands can deploy localised Privacy Preference Centres, giving power back to consumers and allowing them to manage their data rights through a seamless, multilingual interface.
DPDP in action
How does this work in practice? Let’s look at the lifecycle of a data request to understand the operational precision required:
Withdrawal
A user decides to withdraw consent via a third-party Consent Manager app.
Propagation
The Data Fiduciary receives this signal and must immediately cease processing for that specific purpose. Crucially, they must also propagate this “stop” signal to all downstream data processors (cloud storage, email vendors, analytics partners).
Erasure
Unless a specific law requires retention (for example, banking regulations), the data must be erased. This follows a strict Service Level Agreement (SLA); indefinite storage is no longer an option.
Breach protocol
In the event of a data breach, the Data Fiduciary must notify the Data Protection Board and the affected users simultaneously. This notification cannot be generic; it must detail the nature of the breach and the specific mitigation actions taken.
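The withdrawal, propagation and erasure steps above, sketched as an added example (not code from Adobe or from any product named in this article). All class, function and field names are hypothetical, the 30-day SLA is an assumed policy value, and the rule that a field stays while another consented purpose still covers it is a design assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ERASURE_SLA = timedelta(days=30)  # assumption: the page gives no SLA length

@dataclass
class DataField:
    name: str
    purposes: set          # purposes the Data Principal has consented to
    legal_hold: str = ""   # law that requires retention, if any

@dataclass
class Profile:
    principal_id: str
    fields: list
    processors: dict       # purpose -> downstream processors holding the data

def may_process(profile, field_name, purpose):
    """Ring-fence check: a field is usable only for a purpose it is tagged with."""
    return any(f.name == field_name and purpose in f.purposes for f in profile.fields)

def withdraw(profile, purpose, now):
    """Stop processing for one purpose, fan out stop signals, plan erasure."""
    stop = [(proc, profile.principal_id, purpose)
            for proc in profile.processors.pop(purpose, [])]
    erase, retained = [], []
    for f in profile.fields:
        if purpose not in f.purposes:
            continue
        f.purposes.discard(purpose)      # processing for this purpose ends now
        if f.purposes:
            continue                     # still covered by another consent
        if f.legal_hold:
            retained.append((f.name, f.legal_hold))
        else:
            erase.append((f.name, now + ERASURE_SLA))
    return {"stop": stop, "erase": erase, "retained": retained}

def demo():
    """Constructed sample profile; every value here is illustrative."""
    profile = Profile("dp-001", [
        DataField("email", {"transaction", "marketing"}),
        DataField("phone", {"marketing"}),
        DataField("loan_offer_history", {"marketing"}, "banking-regulation"),
    ], {"marketing": ["email-vendor", "analytics-partner"],
        "transaction": ["cloud-storage"]})
    now = datetime(2026, 1, 5, tzinfo=timezone.utc)
    return profile, withdraw(profile, "marketing", now)
```

The returned `stop` list is what would be delivered to each downstream processor; `retained` records the legal basis for anything not erased, which is the evidence an auditor will ask for.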
Privacy as a competitive edge
As we move into 2026, the goal should be to go beyond compliance and towards privacy-by-design.
Consent as a product
Don’t view consent banners as a legal nuisance. Use Adobe Target to A/B test your messaging. We’re finding that progressive consent, asking for permissions only when they are relevant to the user journey, significantly increases opt-in rates compared to a single, disruptive “Allow all” barrier.
Data sovereignty
For sectors such as BFSI and telecoms, data residency is non-negotiable. Utilising Adobe’s Mumbai data centre ensures that sensitive customer profiles remain on Indian soil, satisfying the strictest interpretations of data sovereignty.
The power of anonymity
Tools such as Adobe Analytics support IP obfuscation and data minimisation, enabling brands to gain the insights they need without capturing PII (personally identifiable information) they don’t actually require.
The Adobe advantage is automation at scale
Navigating the DPDP Act manually is a recipe for failure. The Adobe stack functions as an automated governance engine. Whether it’s the Privacy Service API orchestrating a “right to erasure” request across your entire ecosystem in a single action, or Adobe Journey Optimizer suppressing an email because a consent flag changed five seconds ago, technology is what makes compliance scalable.
The DPDP Act is ultimately a mandate to do better by our customers. Those who embrace this shift will earn long-term loyalty from Indian consumers.