There is a conversation I keep having with brand and marketing leaders across India. It usually starts with anxiety — about consent notices, compliance deadlines, and penalty clauses. But by the time we finish talking, something shifts. Because once you look carefully at what the Digital Personal Data Protection Act actually demands of businesses, you start to realise something counterintuitive: this law, if approached with the right mindset, is not a constraint on customer communication. It is a blueprint for doing it better.
I have spent over two decades in business communications — from the early days of SMS and IVR to where we are today, with AI-powered messaging across WhatsApp, RCS, voice bots, and email. I have watched Indian brands go from sending one bulk SMS to an entire database, to attempting personalisation at scale through third-party data and probabilistic targeting. The DPDP Act, in many ways, is a reckoning with where that journey led us. And the answer it offers is not restriction — it is intention.
The End of the Spray-and-Pray Era
For years, the default in Indian digital marketing was volume. Bigger lists meant bigger reach. Scraping data, buying third-party databases, sending unsolicited messages under vague opt-in clauses — these were not fringe practices. They were industry norms, even if uncomfortable ones.
The DPDP Act, passed in August 2023 and operationalised through the DPDP Rules notified in November 2025, changes this calculus fundamentally. The law requires explicit, purpose-specific consent before any personal data can be collected or processed. It demands clear privacy notices. It gives individuals the right to withdraw consent at any point and the right to have their data erased. Penalties for violations can reach up to Rs. 250 crore per breach, and the Data Protection Board of India has been established specifically to adjudicate complaints and enforce accountability.
The message to businesses is plain: you cannot communicate with people who have not told you they want to hear from you, and you cannot use their data for purposes beyond what they specifically consented to.
That sounds restrictive until you think about it from the other side of the message.
Consent Is a Signal, Not a Hurdle
When a customer explicitly consents to receive communication from a brand — for a specific purpose, through a specific channel — that consent carries meaning. It tells you something the algorithm never could: this person has raised their hand.
Compare that with the pre-DPDP norm: a database of millions of contacts, assembled through various means, blasted with promotional messages, and measured by open rates so low that marketers needed volume just to make the numbers work. The economics of that model were always built on attrition — most people ignored the message, a few converted, and the brand absorbed the reputational cost of being perceived as noise.
A consent-driven audience is, by definition, a smaller but warmer one. The conversations that happen within that relationship are categorically different. A customer who has opted in to hear about offers from a brand on WhatsApp is not the same as one who has been cold-messaged from a purchased list. The former is a dialogue. The latter is an interruption.
This is where the DPDP Act, far from narrowing the opportunity for customer engagement, actually elevates it. When consent becomes the entry point to every customer conversation, the conversation itself changes. Brands that treat consent as a meaningful signal — and build their communication strategy around that signal — will find themselves talking to people who actually want to listen.
Purpose Limitation Forces Creative Discipline
One of the most consequential requirements in the DPDP framework is purpose limitation — the principle that data can only be used for the specific purpose for which consent was obtained. You cannot collect data for a transactional notification and then use it for upselling campaigns. You cannot gather a phone number for OTP verification and later enrol that number into a promotional list.
This will force a discipline that has been missing from many organisations’ data practices. It requires marketing teams, product teams, and CRM teams to be explicit about what they are collecting data for, and to be honest about communicating that to users.
What it also does — and this is the part that often gets missed — is push brands to earn the broader relationship rather than assume it. If you want to communicate with a customer across multiple purposes, you need to ask them across multiple purposes. That process of asking, done well, is itself a form of customer engagement. A well-crafted consent journey can double as a preference centre, a first-party data collection touchpoint, and a trust-building exercise — all at once.
We have seen this play out with GDPR in Europe over the past several years. Initial fears of mass opt-out and communication collapse did not materialise at the scale predicted. What happened instead was a sorting — brands with genuinely valuable communication retained their audiences; brands built on noise lost theirs. India is about to go through a version of the same sorting.
Contextual Conversations at Scale Are Now the Only Viable Path
There is a convergence happening that makes this moment particularly significant. On one side, you have the DPDP Act tightening the conditions under which data can be collected and used. On another, you have the global phase-out of third-party cookies and the erosion of probabilistic audience targeting. And threading through both is the emergence of AI-driven messaging that makes truly contextual, one-to-one communication scalable in a way that was not possible even five years ago.
The opportunity, if you can navigate the compliance curve, is genuinely exciting. Brands that build strong first-party data architectures — grounded in explicit consent, enriched by declared preferences, and activated through intelligent messaging — will have a durable competitive advantage over those still chasing third-party signals.
Think about what a contextual customer conversation actually looks like. A customer who has consented to receive updates from a financial services brand, specified they prefer WhatsApp, and indicated interest in home loan products — that person, when they receive a well-timed message tied to their purchase journey, experiences it as service, not marketing. The channel, the timing, the content, and the purpose are all aligned. That alignment is what contextual communication means. And the DPDP Act, by requiring you to know your audience’s preferences explicitly, is essentially mandating the infrastructure for it.
What Brands Need to Do Right Now
The compliance deadline for most DPDP provisions sits at May 2027. That is close enough to require action now, and far enough that brands who start early will be building capability, not scrambling to plug gaps.
The first step is a data audit — every touchpoint where customer data enters the system, every consent mechanism that currently exists, and every way that data is currently being activated in communication. Most organisations will find inconsistencies. Some data will have been collected without adequate consent records. Some channels will be operating with implicit opt-ins that will not pass muster under the new rules.
The second is to build consent infrastructure — not as a legal checkbox, but as a communication layer. How are you asking customers for consent? Is the privacy notice readable or buried in legalese? Does the preference centre reflect how customers actually want to be reached? These are design questions as much as compliance questions.
The third — and this is where the real opportunity lives — is to redesign your customer communication strategy around the consented, first-party audience you are building. That means investing in segmentation, in personalisation logic, in channel orchestration, and in the quality of individual messages. It means treating every message as something that needs to earn its place in a customer’s day, rather than something that just needs to get sent.
The Brands That Will Win Are Already Thinking Differently
When I talk to progressive CMOs and digital heads today, the ones leaning into this shift share a common perspective: they never really believed the old model was sustainable. They knew that flooding inboxes and WhatsApp chats with untargeted messages was eroding the very channel trust they needed. The DPDP Act is, for them, a permission to do what they already knew was right.
Customer communication in India is entering a new phase. The volume era is ending. The contextual era — where every conversation is grounded in consent, shaped by preference, and measured by genuine engagement — is beginning.
The DPDP Act did not create this shift. It just made it impossible to ignore
(Views are personal)
