A Project by Meridian Bridge Strategy
Compliance Guide

DPDP & Digital Marketing: Expert Advisory

Learn how DPDP changes lead collection, ad targeting, campaign consent and email marketing workflows.

Discuss this page with an LLM

ChatGPT Claude Gemini Perplexity

Digital Marketing DPDP Action Sheet

Use this before your next campaign goes live. It keeps the useful parts visible and turns DPDP into checks your team can actually answer.

Digital marketing includes lead forms, landing pages, email campaigns, WhatsApp outreach, cookies, analytics, ad pixels, retargeting audiences, CRM uploads and campaign follow-up workflows.

Check my data flow

1. Lead Forms

Check:

  • What data are you collecting?
  • Is the purpose clear at the point of collection?
  • Is marketing consent separate from service communication?
  • Can the user withdraw consent later?

Common mistake: one checkbox that silently covers newsletters, sales calls, partner sharing and remarketing.

2. Email and WhatsApp

Check:

  • Who is on the list?
  • Where did consent come from?
  • Is the list imported from a vendor, event, webinar, scrape or old CRM?
  • Can you prove the source of consent?

Common mistake: treating every lead as permanently marketable.

3. Ads and Retargeting

Check:

  • Are pixels or ad platforms receiving identifiable user behavior?
  • Are audiences built from customer lists?
  • Are lookalike or remarketing audiences using personal data?

Common mistake: assuming "the ad platform handles it" means your company has no DPDP responsibility.

4. Website Analytics

Check:

  • Which tools run on the site?
  • Are IP address, device identifiers, session IDs or form fields being captured?
  • Is analytics used only for measurement, or also for profiling and targeting?

Common mistake: installing tools first and asking privacy questions later.

5. Vendor List

Make a quick list:

  • CRM
  • Email platform
  • WhatsApp provider
  • Analytics
  • Ad pixels
  • Form tool
  • Landing page builder
  • Webinar tool

For each vendor, answer: what data goes there, why, who can access it and how deletion works.

6. This Week's Action

Map one campaign from first click to final follow-up. Mark every place personal data is collected, enriched, shared, uploaded or used for targeting.

If your team cannot answer where the data came from and where it goes next, start with a data flow map before rewriting policy copy.

Book a DPDP clarity call

Now think about your work. Where does personal data enter your workflows? Where does it sit? Who else touches it?

Frequently asked questions

Does DPDP apply to hashed email addresses used for ad targeting?

Yes, because the ad platform uses that hash to identify a specific individual. Hashing is a security measure, but the data remains personal data under the law because it facilitates individual targeting.

Can I still use data bought from third-party lead providers?

Only if the provider can prove they obtained specific consent that mentions your company or category as a recipient. Most bulk lists fail this requirement and create a liability for your business.

Do I need new consent every time I change my ad creative?

No, as long as the purpose of processing—marketing a specific product—remains the same. You only need new consent if you start using the data for a different purpose or share it with new types of third-party partners.

Real-World Examples Companies struggling with this issue

Government

Aadhaar (UIDAI)

55

Aadhaar is unique — it's governed by its own Act and DPDP's Section 17 government exemptions. At 55/100, the system processes 1.3B Indians' biometric data with dedicated legal protections, but the exemptions from DPDP create legitimate questions about citizen data rights, purpose limitation, and the permanence of biometric data.

⚠️ DPDP Section 17 exempts government from some provisions but not all
⚠️ Biometric data (fingerprints, iris scans) security adequacy questions remain
+4 more gaps detected
Feb 2026 View Report
Telecom

Airtel

48

Airtel's privacy policy, updated in June 2024, makes an effort towards transparency but doesn't fully align with the DPDP Act 2023. Key gaps include ambiguous data retention, lack of explicit cross-border transfer details, and broadly defined legitimate uses which could fall short of DPDP's specific consent requirements.

⚠️ Vague data retention periods — 'as long as necessary' language
⚠️ Lack of explicit DPDP Act 2023 references throughout
+5 more gaps detected
Mar 2026 View Report
Fintech

Angel One

68

Angel One is ahead of the curve by explicitly referencing the DPDP Act 2023, but still struggles with 'bundled consent' where using the app implies you agree to everything. While their security is bank-grade, they need to give users more granular control over marketing and nomination rights.

⚠️ Consent is still bundled with general platform access and browsing
⚠️ No specific mention of the Right to Nominate under Section 14
+3 more gaps detected
Mar 2026 View Report
Book clarity call