India's DPDPA and CTV advertising: what digital personal data protection means for planners

India's Digital Personal Data Protection Act (DPDPA) was enacted in 2023 and its implementing rules were being finalised through 2025–2026. The Act creates a formal consent and processing framework for personal data in India — one that applies directly to CTV advertising, audience targeting, and data activation. Here is what practitioners need to understand.

What DPDPA covers

DPDPA applies to the processing of digital personal data of individuals in India, regardless of where the processing entity is located. "Personal data" includes any data that can identify an individual — phone numbers, email addresses, device IDs linked to a person, and audience profiles derived from personal data all fall within scope.

For CTV advertising, this covers:

• Collecting viewing data from CTV devices for ad targeting
• Matching advertiser first-party data (CRM) against platform subscriber databases
• Building audience segments from behavioural or demographic signals
• Using household IP data for frequency capping and attribution
• Cross-device identity resolution that links personal data across screens

Consent requirements

DPDPA requires that personal data processing for purposes beyond what is strictly necessary for the service be based on explicit, informed, and revocable consent. For CTV advertising this means:

• Streaming platforms must obtain consent from subscribers to use their viewing data for advertising purposes (beyond just serving the content they subscribed for)
• Advertisers using CRM data for CTV targeting must have collected that data with consent that covers advertising use — "we may use your data to personalise advertising" or equivalent
• Consent must be revocable — users must be able to withdraw consent and platforms must honour withdrawal
• Consent cannot be bundled as a condition of service in most cases — users cannot be required to consent to ad targeting as a condition of accessing streaming content they pay for

What this means in practice

The practical implications depend on implementation, which was still being clarified by the Data Protection Board of India in 2026:

• Platform consent flows: Major platforms (JioHotstar, SonyLIV, Netflix, Amazon) are updating their subscriber consent flows to be DPDPA-compliant. Advertisers buying through these platforms should verify that the platform has appropriate consent for the data use you are purchasing against.
• First-party data audits: Advertisers activating CRM data for CTV targeting should audit their consent capture. Data collected pre-DPDPA with ambiguous consent language may need re-consent before being activated for advertising.
• Children's data: DPDPA has strict rules on data of children (under 18). CTV campaigns targeting content popular with children must not use personal data targeting, and platforms serving children's content must implement parental consent mechanisms.
• Significant data fiduciaries: DPDPA designates certain large data processors as "Significant Data Fiduciaries" with additional obligations. Large CTV platforms may be classified as such, adding audit, data localisation, and impact assessment requirements.

What advertisers should do now

• Audit your first-party data collection points — ensure consent language covers advertising use explicitly
• Ask platform partners to confirm their DPDPA compliance for data used in ad targeting
• Review your DMP or audience data vendor contracts — third-party audience segments must be built from DPDPA-compliant data sources
• Build opt-out mechanisms into your CTV-adjacent digital touchpoints
• Consult your legal team on whether your organisation qualifies as a Data Fiduciary under DPDPA and what obligations apply

The honest uncertainty

DPDPA enforcement timelines, implementing rules, and specific sector guidance were not fully finalised as of mid-2026. The advertising industry in India was engaged with the Data Protection Board in developing category-specific guidance. The direction of travel is clear — consent-based, purpose-limited data use — but specific compliance thresholds for ad targeting were still being established. Work with legal counsel and monitor Data Protection Board announcements rather than treating any single industry source (including this one) as authoritative legal guidance.

Related concepts

• First-party data for CTV India -- Activating your own data compliantly
• Data clean rooms for CTV India -- Privacy-preserving alternatives to raw data sharing
• Identity resolution for CTV India -- How DPDPA affects cross-device identity
• CTV audience targeting in India -- Targeting options and their data dependencies
• CTV attribution in India -- Attribution approaches that work within privacy constraints