The first working Monday of 2026 has a familiar feel to it. Boardrooms are full again, inboxes have refilled, agency calendars are suddenly urgent, and everyone is speaking about the year ahead in reassuringly confident terms. But sitting quietly beneath the optimism is a deadline most brands know is coming, even if few are keen to discuss it openly.
India’s Digital Personal Data Protection (DPDP) Rules, notified on November 13, 2025, triggered phased compliance immediately, with core obligations around consent redesign, grievance redressal mechanisms, retention clarity, and data minimisation due by November 13, 2026.
For marketers, that date matters less as a legal milestone and more as an operational reckoning. It is when years of accumulated loyalty and CRM data stop being an unquestioned asset and start behaving like something closer to expiring inventory.
DPDP does not mandate the mass deletion of old customer data. What it does instead is more disruptive. It introduces purpose limitation, retention boundaries, and consent standards that many legacy loyalty programmes were never designed to meet.
Data collected for one purpose cannot simply linger forever and be repurposed at will. Retention without clarity becomes a risk, not a convenience. And consent taken in a very different era of marketing expectations suddenly looks fragile.
A senior marketing leader at a large FMCG company acknowledged that reality quietly. “If you’re sitting on years of loyalty data collected across stores, call centres, paper forms and early apps, you already know a portion of it won’t survive what DPDP now expects,” the executive said, requesting anonymity.
“The challenge isn’t intent, it’s volume. You can’t realistically go back to tens of millions of customers and recreate perfect consent journeys, especially when the original purpose itself has evolved. So the real work right now is deciding what data is worth defending, and what we need to let go,” they pointed out.
All brand leaders interviewed for this story requested anonymity, saying that their DPDP playbooks and consumer data reset strategies are still being actively designed ahead of the 2026 enforcement timeline.
That tension sits at the heart of DPDP’s impact on legacy loyalty systems. Most large Indian brands are not worried about fines arriving tomorrow morning. What they are worried about is something slower and more corrosive: data that technically exists but can no longer be used with confidence.
Phone numbers collected for billing, points accrued through offline purchases, behavioural histories stitched together over a decade, all begin to fall into a grey zone once purpose limitation and retention rules are taken seriously.
For high-volume retailers and consumer brands that are likely to be classified as Significant Data Fiduciaries, the stakes rise further. DPIAs, stricter governance expectations, and breach reporting obligations change how risk is perceived internally.
Marketing teams accustomed to aggressive CRM activation start encountering more internal friction, more legal review, and more questions about whether a campaign is worth the exposure.
This is where DPDP’s impact starts to feel less like a compliance exercise and more like a structural shift in India’s marketing ecosystem.
According to Amit Verma, Founder and CEO of DigitUp, the law is not really about paperwork at all. “The law is always about intent,” he said, pointing to conversations he has had with very senior IAS officers involved in policy thinking. “You might have taken consent earlier, but if that consent was taken in a way where the user was not consciously aware of what they were agreeing to, then the act is violated. That distinction is going to matter a lot going forward.”
Verma argues that DPDP also corrects a competitive imbalance that crept into India’s digital economy during its growth-at-all-costs phase. “There has been a lot of shortcut-driven personalisation in the market,” he said, referring to aggressive data capture layered into checkout flows and engagement journeys. “PII-based targeting creates value because someone put in the hard work to earn that relationship. When shortcuts distort that, it creates an uneven competitive environment. DPDP helps reset that.”
In other words, the law does not just penalise poor data hygiene. It slows down businesses that relied on opacity and volume as substitutes for trust. Incumbent brands with cleaner systems and more disciplined data practices may actually find the playing field tilting back in their favour, even as their usable datasets shrink.
That shrinkage is already being felt in performance marketing teams. A digital marketing lead at a fast-growing beauty brand said DPDP has changed behaviour well before enforcement deadlines arrive. “Even before enforcement really tightens, there’s a lot more internal caution about using older cohorts for personalisation or retargeting,” the executive said, also requesting anonymity. “When you’re unsure about purpose limitation or how clean the consent trail is, teams naturally pull back. That has a direct impact on how much value you can extract from loyalty and CRM-led campaigns.”
This hesitation is one of DPDP’s least visible but most powerful effects. Marketing teams self-regulate long before regulators intervene. Campaigns that once felt routine are now re-evaluated. Retargeting pools quietly shrink. Lookalike models lose determinism. CRM stops behaving like a bottomless well and starts behaving like a managed resource.
Re-consent campaigns are often presented as the solution, but brands privately admit they are a filter, not a reset button. Response rates are uneven. Consent fatigue is real. Many customers reasonably ask why permission needs to be granted again for data they shared years ago. The result is that what survives re-consent tends to be smaller, more intentional, and more valuable, but never as large as what existed before.
That is where the opportunity lies, if brands are willing to accept it. DPDP forces loyalty programmes to move away from hoarding behaviour and toward explicit value exchange. Consent becomes something that has to be earned repeatedly, not assumed indefinitely. Loyalty stops being about points accumulation alone and starts being about clarity, relevance, and trust.
From an infrastructure perspective, this also pushes brands to clean house. Mapping legacy data, auditing consent trails, minimising retention, encrypting what remains, and renegotiating vendor responsibilities all become unavoidable.
Data processors can no longer sit in the background. They must support rights requests, breach disclosures, and ongoing audits. Dashboards that track consent status and risk exposure become as important as campaign performance metrics.
Navkar Jain, co-founder of Plus91Labs, sees this shift playing out across CRM systems. “DPDP creates an expiry-like effect on older loyalty and CRM records,” he said. “That may lead to some shrinkage in legacy datasets, but it also creates an opportunity to clean, validate, and strengthen the quality of information businesses depend on. What remains or is recollected through proper re-consent is far more reliable and high intent.”
The uncomfortable truth for marketers returning to work in January 2026 is that this transition cannot be postponed indefinitely. November 2026 is not far away in operational terms.
The brands that treat DPDP as a legal problem to be handled later will find their marketing capabilities quietly constrained long before penalties are ever discussed.
Those that accept smaller but cleaner datasets, redesign consent journeys, and rebuild loyalty around trust rather than inertia may discover that compliance is not the end of marketing value, but a different kind of beginning.
The break is over. The data is older. And the clock, this time, is real.