Audience & Data · First-Party Data

Consent management for CTV advertising in India: DPDPA and data collection

Updated May 2026

India's Digital Personal Data Protection Act (DPDPA, 2023) introduces consent requirements for the collection and processing of personal data of Indian citizens. CTV advertising touches consent at two levels: publishers collecting viewer data for personalised ad targeting, and advertisers onboarding first-party data for campaign activation. Both require a structured consent management approach as DPDPA enforcement ramps up.

DPDPA and CTV advertising: what applies

DPDPA applies to "digital personal data" — information that identifies or can identify a natural person, processed in digital form. In the CTV context, this includes:

  • Registered user profiles (name, email, phone, address)
  • Device identifiers linked to individuals (GAID, IP address used for targeting)
  • Viewing behaviour data used for audience segmentation
  • Location data
  • Purchase history linked to identity

What DPDPA generally does not cover: fully anonymised data where re-identification is not possible, and data processed for purely non-commercial purposes. Contextual advertising based on content metadata alone (not linked to a specific user's profile) falls into a lower-risk category — contextual targeting of CTV content (content genre, language) does not require the same consent infrastructure as behavioural targeting.

CTV apps face a specific UX challenge with consent: TV screens have no touch interface, making standard cookie-consent pop-up flows impractical. Consent collection on CTV typically happens through:

  • App registration consent: When a user registers for a streaming service (JioHotstar, SonyLIV, Zee5), the registration flow includes consent for data processing. This is the primary consent collection point for most India CTV publishers.
  • Account-level settings: Logged-in users can manage ad personalisation preferences through account settings accessible on mobile, web, or TV. This is the "post-registration consent management" path.
  • Remote-based consent UI on TV: Some Android TV apps present a consent dialogue on first launch. Navigation via remote control is functional but creates a significant user experience friction. Most India CTV apps use mobile/web consent management as the primary interface.

Platforms that require account login for CTV access (JioHotstar, SonyLIV, Netflix, Prime Video) are better positioned for consent management than AVOD platforms with anonymous or guest access, where consent is harder to collect and attribute to a specific viewer.

India's CTV publishers are at different maturity levels for consent management:

  • JioHotstar: Jio platform infrastructure includes consent capture at account creation. Given the Jio ecosystem's integration (JioFiber, JioPhone, JioHotstar), Jio has a relatively complete consent chain for its registered user base. Advertising data processing is covered under Jio's privacy policy and terms.
  • SonyLIV: Subscription-based; consent is collected at subscription signup. Privacy policy covers ad personalisation. Relatively clean consent chain.
  • Zee5: Freemium model with both registered and anonymous access. Registered user data is covered; anonymous AVOD viewers have no linked consent. Advertising to anonymous segments relies on contextual targeting or cookie-equivalent signals on device.
  • YouTube CTV: Google's global consent framework applies. YouTube CTV users signed into a Google Account are covered under Google's consent infrastructure. Non-signed-in users on Smart TV YouTube receive contextual ads.

Advertiser obligations under DPDPA

For advertisers activating first-party data for India CTV campaigns, DPDPA creates two primary obligations:

  1. Lawful basis for original data collection: The customer email/phone numbers being uploaded to a DSP must have been collected with a lawful basis (typically consent) that covers their use for advertising targeting. If the original consent was for "order confirmation emails," repurposing that data for CTV retargeting likely requires refreshed consent or a compatible purpose justification.
  2. Data processor agreements with DSPs: When uploading personal data (even hashed) to a DSP for matching, the DSP acts as a data processor. DPDPA requires data processor agreements with parties who process personal data on the data fiduciary's behalf. Most major DSPs (DV360, TTD) have standard Data Processing Addendums that can satisfy this requirement.

For CTV publishers building consent infrastructure:

  1. Implement a consent management platform (CMP) — options include Didomi, OneTrust, and local providers
  2. Map what data is collected at registration, during viewing, and via ad serving beacons
  3. Update privacy notices to explicitly cover CTV ad personalisation and data sharing with DSPs and SSPs
  4. Build consent withdrawal mechanisms accessible on mobile, web, and TV
  5. Maintain consent records with timestamps

For advertisers:

  1. Audit CRM data consent coverage before any first-party data upload to a DSP
  2. Implement consent capture at all digital touchpoints (app, web, in-store if applicable)
  3. Execute Data Processing Agreements with any DSP receiving Indian user data
  4. Review and update privacy policies to cover CTV-specific data uses

DPDPA enforcement is phased — full enforcement is expected from 2025–2026. Organisations that build consent infrastructure proactively are better positioned than those who wait for enforcement guidance before acting.