India’s business ecosystem is bracing for a paradigm shift with the imminent rollout of the Digital Personal Data Protection Act, 2025 (DPDP Act). Currently in draft form and open for public consultation, the legislation aims to enhance consumer trust and align India’s data privacy standards with global benchmarks. However, for advertising and marketing (A&M) agencies, compliance comes with a hefty price tag—one that could disrupt business dynamics across the industry.
At the heart of the draft DPDP rules lies a mandate for data localisation, which requires organisations to store personally identifiable data (PID) of Indian citizens within the country. While touted as essential for enforcing data sovereignty, localisation carries significant financial implications.
“Localisation will require investments in IT infrastructure, strong encryption-decryption mechanisms, and continuous monitoring of systems. It simply means additional costs for agencies,” remarked Karan Khanna, co-founder and COO of Huella Services, a marketing agency with global operations.
For smaller agencies operating on tight budgets, these additional expenses could be crippling. Hemal Majithia, founder and chief oktomind at Mumbai-based Oktobuzz, estimated a 10-15% rise in operational costs for mid-sized firms. Larger networks, handling extensive client portfolios, are also likely to experience significant cost escalations due to the sheer scale of their operations.
Software compliance: A steep investment
Beyond infrastructure, agencies will need to invest in compliance-specific software solutions to manage consent workflows, log data usage, and ensure adherence to regulatory norms. Such tools are indispensable for global compliance, whether under Europe’s General Data Protection Regulation (GDPR) or various US data privacy laws. The DPDP Act adds yet another layer of complexity to this.
According to industry insiders, the annual licences for comprehensive compliance stacks can cost several lakhs. For instance, OneTrust, a prominent data privacy software, charges upwards of INR 8,00,000 annually for a full compliance suite in India. For small agencies, such recurring costs could further strain already limited resources.
Independent agencies are likely to feel the pinch as they operate on wafer-thin margins and already face challenges in ensuring client stickiness. At the same time, larger agencies won’t get off the hook either. Given the global scale of their operations and large client portfolios, they will have to invest even more to ensure they comply with all the rules laid out.
Cloud providers see an opportunity
While A&M agencies will struggle with rising expenses, cloud service providers (CSPs) like Amazon Web Services (AWS), Google Cloud, and Microsoft are set to benefit. Many agencies are expected to explore cloud-based and shared tenancy models to minimise costs.
AWS, for instance, expanded its data centre network in India with a second facility in Mumbai, following an investment of $4.4 billion in late 2022. Similarly, Microsoft has announced plans to invest $3 billion in its cloud and AI infrastructure over the next two years. Google, too, has ramped up its India-based cloud and data centre capacities.
Khanna of Huella Services noted that such infrastructure expansion by global CSPs could help smaller agencies address localisation mandates efficiently. However, reliance on third-party solutions introduces its own challenges, including dependency and long-term cost considerations.
Many large agencies have also started setting up their own data centres and build customised software solutions ground-up. These feed their global networks, and work in a seamless fashion. Hence, confusion is afoot on how localisation guardrails could impact their business processes.
Manpower costs: A double-edged sword
Another significant cost driver under the DPDP rules is manpower. Agencies may need to hire ‘consent managers’ who will serve as single points of contact for enabling users (or Data Principals) to give, manage, review, and withdraw consent through transparent, interoperable platforms.
“Consent managers must be Indian-incorporated entities with a minimum net worth of INR 2 crores, which could be a significant financial barrier for many. The rules also impose stringent governance standards, requiring directors and senior management to maintain a strong reputation for fairness and integrity,” explained Supratim Chakraborty, partner at corporate law firm Khaitan & Co.
While it remains unclear whether all agencies will need to hire consent managers or if this requirement applies exclusively to data fiduciaries, there also exists ambiguity around the definition and scope of data fiduciaries has left many industry leaders concerned.
Agencies will also need to onboard data privacy professionals and conduct regular training sessions to ensure employees are well-versed in the nuances of the DPDP rules. Chakraborty added, “The need for continuous training will further add to operating expenses.”
Most agencies are already reeling under the challenge of hiring and retaining top-notch talent. The imminent rollout of DPDP Act and the possible onus of having more data privacy experts, will only result in shooting up their existing manpower costs. What makes it an even more onerous task is the limited pool of these expert talent, which makes poaching a big hurdle.
Cultural shifts and IT upgrades
The DPDP rules demand strict consent systems and deadline-driven data retention protocols. Agencies accustomed to indefinite data storage practices must now adopt precise data collection, retention, and deletion strategies. This will necessitate substantial IT upgrades and cultural shifts within organisations.
“Brands and advertisers will need to clearly define how much data to collect, how long to retain it, and ensure its periodic deletion,” said Chakraborty. Such practices may benefit consumers but will require significant investment from businesses.
Many agencies will have to play the role of friend, guide and counsellor to their clients, outlining how their campaigns collect and store data, ensuring it stays within the ambit of the Act. At a time, when agencies are on a juggernaut of launching social media campaigns, this can slow down the pace of the rollouts.
While concerns about rising costs dominate discussions, some industry stakeholders view the DPDP Act as a long-overdue alignment with global standards. Hemal Majithia described the rules as “a much-needed push for India to align with global data protection standards, similar to GDPR in the EU.” He added that India had lagged behind, noting GDPR’s 2008 introduction and California’s Consumer Privacy Act’s rollout in 2018.
Other industry leaders believe the law presents opportunities for agencies to adopt ethical practices and build consumer trust. Dr Ravinder Varma, senior brand manager at Max Protein, remarked, “The DPDP rules mark a significant shift in how brands engage with consumers, emphasising privacy and consent. We view this as an opportunity to build trust and credibility with our audience.”
Shubham Khurana, founder of Webkik Services, agreed, highlighting the impact on marketing strategies. “With the draft DPDP rules emphasising privacy, transparency, and accountability, marketers will need to design transparent communication strategies about data usage, fostering trust among users,” he said.
What lies ahead?
As the DPDP Act inches closer to implementation, the advertising and marketing industry faces a dual-edged sword. On one side, compliance costs threaten to squeeze profit margins, particularly for smaller agencies. On the other, the law offers an opportunity to strengthen consumer trust and align with global best practices.
While tech providers and compliance consultants stand to gain, agencies must navigate an increasingly complex regulatory landscape. Whether the DPDP Act proves to be a burden or a boon will depend on how effectively the industry adapts to these sweeping changes.
In a market where consumer data is the currency of marketing strategies, the DPDP Act’s rollout is poised to redefine how agencies operate—for better or worse.
.jpg&h=334&w=500&q=100&v=20250320&c=1)
.jpg&h=334&w=500&q=100&v=20250320&c=1)
.jpg&h=334&w=500&q=100&v=20250320&c=1)
.jpg&h=334&w=500&q=100&v=20250320&c=1)
.jpg&h=268&w=401&q=100&v=20250320&c=1)
.jpg&h=268&w=401&q=100&v=20250320&c=1)
