How does DPDPA affect CTV advertising in India?

India's Digital Personal Data Protection Act (DPDPA, 2023) requires explicit, informed, specific consent for processing personal data — including device IDs, IP addresses, and viewing behaviour used in CTV advertising.

For advertisers, this means: audience segments built on device IDs must have a documented consent trail; first-party CRM data used for CTV matching must have been collected with consent that covers advertising use; and third-party audience data purchased for CTV campaigns should come with DPDPA-compatible consent documentation. DPDPA rules are being finalised through 2025–2026.

Yes. DPDPA applies to any processing of personal data of Indian residents, regardless of where the processing entity is based. This includes DSPs (DV360, TTD) processing device IDs for India CTV campaigns and SSPs passing user data in OpenRTB bid requests involving Indian users.

Advertisers as 'data fiduciaries' are liable for DPDPA compliance even when processing is done by a vendor. DPDPA responsibility cannot be contracted away — it must flow through to data processing agreements with all vendors in the chain.

Four practical steps:

1. Map data flows — identify every data input in India CTV campaigns (device IDs, audience segments, CRM data) and document the consent basis for each.
2. Audit first-party data — ensure customer consent covers CTV advertising targeting, not just email or app marketing.
3. Ask third-party data vendors for consent documentation — any third-party audience segment used in India campaigns should have documented DPDPA-compatible consent from the data source.
4. Consider contextual over audience targeting for high-risk campaigns — contextual targeting (app-level, content category) does not rely on personal data and is inherently DPDPA-safe.