Marketing and advertising are built on personal data — email lists, phone numbers, behavioural profiles, ad-targeting segments. The DPDP Act directly reshapes how that data can be collected and used, and marketing teams that ignore it risk both penalties and the loss of the data practices they rely on. Bringing marketing into DPDP compliance is therefore one of the more consequential parts of any programme.
The instinctive fear is that the Act will cripple marketing. In reality it pushes marketing toward a consent-first model that, while requiring change, tends to produce more engaged audiences and more durable trust.
This guide explains how the DPDP Act applies to marketing and advertising: consent for outreach, the rules on tracking and targeting, the risks of purchased data, and how to build personalisation and growth practices that are compliant by design and, in the end, more effective.
Marketing is consent territory
Most marketing uses of personal data — sending promotional messages, building profiles, targeting ads — are not necessary to deliver a requested service, so they generally require consent under the DPDP Act rather than fitting a legitimate use.
This is the central reality marketing teams must absorb: the default basis for marketing is consent, and that consent must meet the Act's standard of being free, specific, informed and easily withdrawable.
Practices built on assumed or bundled consent need to be redesigned around genuine, opt-in permission.
The shift to consent-first is less a restriction than a reset of incentives: it rewards earning attention honestly over harvesting it, which is the direction reputable marketing has been moving for years independently of the law.
This reframing matters because marketing teams often fear the Act will gut their reach. In reality it mainly ends practices — bought lists, hidden tracking, bundled consent — that were already producing low-quality engagement and rising complaints, and it channels effort toward audiences that actually want to hear from the brand.
Email, SMS and push outreach
Promotional email, SMS and push notifications based on personal data require valid consent, freely given and not bundled into another transaction. Customers must be able to withdraw — unsubscribe — as easily as they opted in, and withdrawal must be honoured promptly across channels.
This rules out adding customers to marketing lists by default and making opt-out difficult. It rewards clear opt-in, preference centres and reliable unsubscribe handling.
A consent-based list is also more effective: engaged, willing recipients open, click and convert more, and generate fewer complaints.
Reliable, fast unsubscribe handling across every channel is a deceptively important control, because continuing to message someone after they opt out is both a clear breach and one of the fastest ways to generate a complaint to the Board.
Tracking, cookies and profiling
Behavioural tracking and profiling that rely on personal data engage the Act's consent and transparency requirements. Marketers should be clear about the tracking they do and offer genuine choices rather than covert or assumed profiling.
Special care is required where children may be in the audience, since tracking, behavioural monitoring and targeted advertising directed at children are prohibited outright, regardless of consent.
The broader industry shift toward privacy-respecting measurement aligns well with the Act, so adapting now prepares marketing for where digital advertising is heading anyway.
Auditing your current tracking and tag setup against consent is a worthwhile early exercise, since many sites fire trackers before any consent is given — exactly the kind of practice the Act's transparency expectations target.
A practical first move is a consent and tag audit: catalogue every tracker, pixel and data flow on your properties, confirm each has a basis and fires only after appropriate consent, and remove the ones that cannot be justified. This single exercise resolves much of the tracking risk and usually tidies up a cluttered analytics stack as a bonus.
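An added example, not part of the original guide: a minimal Python check for the audit described above, run over a captured request log to flag tags that fire before consent, after a decline or withdrawal, or that are missing from the catalogue. The catalogue, hostnames, timestamps and consent events are all constructed for illustration.

```python
from urllib.parse import urlparse

# Hypothetical tag catalogue: third-party host -> consent category it needs.
# "necessary" tags may fire without an opt-in; every other category needs one.
CATALOGUE = {
    "cdn.shop.example": "necessary",
    "analytics.example": "analytics",
    "pixel.adnetwork.example": "advertising",
}

def consent_at(ts, category, consent_events):
    """Latest decision for `category` at time `ts`; no decision means no consent."""
    granted = False
    for event_ts, event_category, decision in sorted(consent_events):
        if event_ts <= ts and event_category == category:
            granted = decision
    return granted

def audit(requests, consent_events, first_party="www.shop.example"):
    """Return (ms, host, issue) for every request that lacks a basis."""
    findings = []
    for ts, url in sorted(requests):
        host = urlparse(url).hostname
        if host == first_party:
            continue
        category = CATALOGUE.get(host)
        if category is None:
            findings.append((ts, host, "not in catalogue"))
        elif category != "necessary" and not consent_at(ts, category, consent_events):
            findings.append((ts, host, f"fired without {category} consent"))
    return findings

# Constructed capture: (ms since page load, request URL).
REQUESTS = [
    (120, "https://www.shop.example/"),
    (180, "https://cdn.shop.example/app.js"),
    (240, "https://pixel.adnetwork.example/tr?ev=PageView"),
    (300, "https://analytics.example/collect"),
    (4100, "https://analytics.example/collect"),
    (4200, "https://pixel.adnetwork.example/tr?ev=AddToCart"),
    (4300, "https://beacon.unlisted.example/b.gif"),
    (9000, "https://analytics.example/collect"),
]
# Constructed banner events: analytics accepted and advertising declined at
# 4000 ms, analytics withdrawn at 8000 ms.
CONSENT = [(4000, "analytics", True), (4000, "advertising", False),
           (8000, "analytics", False)]

if __name__ == "__main__":
    for finding in audit(REQUESTS, CONSENT):
        print(finding)
```

In a real audit the request list would come from a browser capture of each property, and the catalogue from the inventory the audit produces.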
Lead generation and purchased data
Acquiring leads through third parties or purchased lists is high-risk under the Act, because you must have a valid basis to process that data and the individuals may never have consented to hear from you.
Relying on someone else's claimed consent is fragile; you remain the fiduciary and must be able to demonstrate a lawful basis. Building your own first-party, consented audience is far safer and more sustainable.
The Act effectively penalises spray-and-pray outreach and rewards genuine, permission-based audience building.
Investing in first-party data — audiences who knowingly share their information in exchange for value — is both the safest basis under the Act and the most resilient marketing asset as third-party data sources continue to erode.
Personalisation done responsibly
Personalisation can be powerful and compliant if built on consented data and clear purposes. The key is transparency about what data drives personalisation and giving people meaningful control over it.
Responsible personalisation avoids creepy, opaque profiling and instead uses data people have knowingly shared to provide value they would recognise and welcome.
Done this way, personalisation strengthens rather than erodes the trust the Act is trying to protect.
The line between helpful personalisation and creepy profiling is largely about consent and transparency: use data people knowingly gave you, for purposes they would recognise, and personalisation reads as service rather than surveillance.
The clearest test of responsible personalisation is whether you would be comfortable explaining it to the customer to their face. Recommendations based on their own purchases pass easily; inferences drawn from covert cross-site tracking do not. Designing to that standard keeps personalisation on the right side of both the Act and customer expectations.
Honouring preferences and withdrawals
Marketing must be able to honour consent withdrawals and preference changes reliably and quickly, across every channel and system. A withdrawal that is acknowledged but not actually propagated leaves you processing without a basis.
Preference centres that let people control what they receive, and clean suppression of those who opt out, are both compliance requirements and good practice.
Treat the marketing database as something individuals control, not something you own outright, with easy preference management and reliable suppression. That keeps your processing lawful as preferences change and signals a respect for the audience that itself builds brand equity.
Consent-first growth as an advantage
The marketing teams that thrive under the Act treat consent-first as a strength, not a constraint. A genuinely opted-in audience is more engaged, more loyal and more valuable than a large list assembled without permission.
Transparent, respectful data practices also build the brand trust that underpins long-term growth, in contrast to the short-term gains of aggressive, non-compliant tactics.
Reframed this way, the Act nudges marketing toward exactly the practices that build durable customer relationships, making compliance and good marketing largely the same thing.
The marketers who internalise this shift — from chasing volume to earning permission — tend to come out ahead, with smaller but far more responsive audiences and a brand reputation that compounds rather than erodes over time.