DPDP’s parental consent chaos: The latest hurdle for marketers

The release of the draft rules for India’s Digital Personal Data Protection (DPDP) Act on January 3, 2025, has sparked intense debate among marketers and advertising agencies. They were aimed to address key elements of the proposed law, including notifications to individuals by data fiduciaries, the roles and requirements for consent managers, and guidelines for managing children's personal data as well as the formation and operational details of the Data Protection Board, including the appointment and terms of its leadership.

While aimed at bolstering data privacy, Section 9 of the draft rules introduces new complexities by mandating verifiable parental or guardian consent for processing the personal data of children and persons with disabilities. It requires data fiduciaries to obtain verifiable consent from a child’s parent or legal guardian before processing the child's or a person with disabilities' personal data. These entities must ensure the individual giving consent is both identifiable and authorised.

Processing of children's data is limited to essential purposes, such as healthcare, education, safety, and transport, strictly within the scope necessary for their welfare. However, the draft lacks clear guidelines on how children's identities will be verified, potentially relying on user self-declaration to indicate their age or status.

It is easy to see why the industry stakeholders are sporting furrowed brows. A study by consultancy firm Redseer pegs the market for childcare products is forecast to grow at an annualised rate of 14 per cent to $60 billion by 2027 from about $31 billion in 2022. Just the cartoon inspired kids wear market in India is expected to reach a projected revenue of $ 9,897.9 million by 2030, growing at a compound annual growth rate of 8.3% from 2023, according to Horizon Grand View Research. Now, tack on other categories food, snacks, toys or apparel and the market pie becomes substantially huge.  

Ramya Ramachandran, founder and CEO of Whoppl

Industry professionals, therefore, warn that the requirements outlined in the draft DPDP rules may inadvertently expand the data collection net to include parents and guardians, presenting significant operational and financial challenges.

Shreya Suri, Partner at IndusLaw, highlighted that obtaining verifiable parental consent might necessitate broader processing of parental or guardian data. “This raises interesting considerations regarding the scale and scope of such data collection,” she remarked. For marketers, this creates a dilemma: while parental data enhances targeting precision, it also increases the responsibility for secure data management.

The rules lean heavily on self-declaration, wherein users identify themselves as minors or adults. Suri flagged this as a potential loophole. “Self-declaration mechanisms could lead to non-compliance, especially in cases where individuals might struggle to disclose their status independently,” she noted.

Chitra Iyer, Co-founder and CEO of social impact consultancy Space2Grow, expressed concerns over the practical challenges of implementing these rules. “Without accessible mechanisms for verifiable consent, many children may resort to falsifying their age to bypass restrictions, widening the digital divide,” she said. Iyer urged platforms to prioritise reliable consent processes, shifting the burden of proof from parents to platforms.

Evolute Global’s co-founder Shaunak Mukherjee opined that larger companies with deep pockets can quickly invest in age verification systems and compliance tech, but for startups or smaller entities, this isn’t as simple.

“The real issue is balancing compliance with maintaining a seamless user experience. Implementing systems to verify ages and get parental consent isn’t just expensive; it also takes time and can disrupt workflows. For businesses with limited budgets or resources, this can feel like a daunting task,” he noted. 

While the initial shift might be tough, this is also where smaller agencies can display the agility that they are known for. This is the ideal opportunity for them get creative "like partnering with compliance experts or using affordable tech solutions," as Mukherjee noted; steps that are absolutely doable.

Operational headaches for marketers

The implications of Section 9 extend beyond compliance. Agencies will need to overhaul existing systems to align with the draft rules.

“For campaigns, this means prioritising ethical practices, obtaining clear consent, and ensuring data security,” said Udit Yadav, founder and director of Satan Digital. “Though challenging, these measures could help build trust and drive personalised campaigns within compliance boundaries.”

Udit Yadav, founder and director of Satan Digital.

Since the DPDP rules emphasise data privacy and consent, agencies will need to be more transparent and careful in how they collect and use customer data. However, these operational shifts come at a cost.

Ramya Ramachandran, founder and CEO of Whoppl, pointed out that startups and smaller agencies may struggle to allocate resources. “Implementing compliance measures like consent management systems and legal teams could strain budgets, diverting funds from core operations,” she cautioned.

Additionally, regular audits and robust grievance redressal mechanisms could slow campaign execution, especially for fast-paced industries like influencer marketing and content production. Similarly, implementing the new rules will require significant investments in compliance teams, legal experts, and technological upgrades. This could strain budgets of independent agencies, especially, forcing them to divert resources from core operations.

Scaling data collection: A double-edged sword

The new DPDP rules could also increase operational costs for marketers due to the need for enhanced data handling and observance measures. According to Mayuran Palanisamy, partner at Deloitte India, “Managing consent necessitates changes at the design and architecture levels of applications and platforms, requiring investments in technical infrastructure and processes.”

To align with these regulations, agencies and marketers might have to implement advanced data management systems, conduct regular privacy impact assessments, and provide comprehensive staff training to ensure all processes align with the new legal requirements. These enhanced data management frameworks and staff training could put a stress on the P&L.

Ayush Nambiar, chief strategist and director at Flags Communications.

Ayush Nambiar, chief strategist and director at Flags Communications, warned that compliance costs could be prohibitive for smaller businesses. “Larger corporations might absorb these costs, but MSMEs will struggle to implement the required legal and technological frameworks,” he said.

He advocated for tiered compliance systems to ease the burden on MSMEs. “Nationwide advocacy and education campaigns are crucial to demystify the bill’s requirements. Without these, compliance will remain uneven, stalling innovation and trust,” Nambiar added.

Fortunately, the government is inviting feedback on the draft rules via the MyGov portal, with the deadline set for February 18, 2025. So, industry stakeholders still have the window to present their recommendations before the Act is presented during the Parliament’s monsoon session for debate.

A glass half-full?

While the challenges are daunting, some industry stakeholders see a silver lining. Stricter data protection rules could foster consumer trust. Ramachandran noted, “With enhanced privacy measures, consumers might feel more secure sharing their data, enabling deeper trust in brands.”

Standardised data protection norms could also level the playing field for smaller companies, providing them with a fair shot at competing against larger players. However, the compliance burden must be addressed to prevent smaller entities from being edged out.

The draft rules also hint at additional oversight on cross-border data sharing, a move that Suri described as “a new dimension to the regulatory landscape.” A proposed committee might restrict certain personal data transfers outside India, complicating international campaigns and data-driven marketing strategies.

Shahana Chatterji, partner at law firm Shardul Amarchand Mangaldas & Co, echoed these concerns. “Data localisation requirements and varying consent processes for adults, minors, and persons with disabilities could create significant compliance challenges,” she said. “The consultation process till February 18 will be crucial for ironing out these issues.”

Despite the hurdles, industry players are exploring innovative ways to adapt. Offline initiatives, such as mall activations and shop-in-shop strategies, could offer alternatives to digital campaigns constrained by stricter consent requirements. Educational influencer campaigns, focusing on trust-building rather than hard selling, might also gain traction.

“Tracking real-time results and quickly adjusting strategies will be key to delivering ROI within the new regulatory framework,” suggested one industry expert. Agencies that prioritise agility and transparency may find themselves better positioned to navigate the evolving landscape.

To ensure smooth implementation, Nambiar emphasised the importance of collaborative governance. “The government must engage industry experts, legal minds, and civil society to refine the bill for a balanced framework. Independent oversight, regular audits, and transparent exemption usage are non-negotiable,” he stated.

Ultimately, the success of the DPDP rules will hinge on their ability to balance privacy protections with operational feasibility. While the draft addresses many concerns, significant gaps remain. Comprehensive public consultations and ongoing government support will be critical to achieving a framework that works for all stakeholders.

As the advertising and marketing industry braces for change, the path forward will require creativity, resilience, and a renewed focus on consumer trust. Whether these rules become a burden or a boon will depend largely on how businesses adapt—and how policymakers address their concerns.