India's Digital Personal Data Protection Act (DPDPA) 2023 applies to any processing of personal data — including phone numbers, email addresses, and device-linked profiles used for CTV audience targeting. The core requirement: explicit, informed, and revocable consent is needed before personal data can be processed for advertising purposes beyond what is necessary for service delivery.
For CTV advertisers this means: (1) Your CRM data used for targeting must have been collected with consent that explicitly covers advertising use — if your signup form said "we'll send you order updates" but not "we'll use your data for targeted advertising", you may need to re-consent before activating for CTV; (2) Streaming platforms must have appropriate subscriber consent for using viewing data in ad targeting — ask your platform partners to confirm DPDPA compliance; (3) Children's data (under 18) requires parental consent and cannot be used for ad targeting; (4) Users must be able to revoke consent — build opt-out mechanisms into your data capture points. DPDPA enforcement timelines and sector-specific guidance were still being finalised in 2026. The direction is clear — consent-based, purpose-limited data use — but specific compliance thresholds for ad tech require legal counsel, not just industry guidance.
Full guide
For a complete explanation, read: India's DPDPA and CTV advertising: what digital personal data protection means for planners