India's Digital Personal Data Protection Act (DPDPA), passed in 2023 and with rules under development through 2025–2026, is the first comprehensive data privacy law in India. It regulates how personal data — including device identifiers, viewing behaviour, and location signals used in CTV advertising — is collected, processed, and shared. For CTV advertisers, publishers, and ad tech platforms, DPDPA compliance is no longer optional.
DPDPA overview for ad tech
The DPDPA establishes rights for "data principals" (individuals) and obligations for "data fiduciaries" (entities that collect and process personal data). Key provisions relevant to CTV advertising:
- Consent requirement: Personal data can only be processed with the explicit, informed, free, and specific consent of the data principal — or under specified "legitimate uses." Cookie-style implied consent is not sufficient under DPDPA.
- Purpose limitation: Data collected for one purpose (e.g., app registration) cannot be repurposed for another (e.g., audience targeting) without separate consent.
- Data minimisation: Only the data necessary for the stated purpose should be collected and retained.
- Right to erasure: Data principals can request deletion of their personal data. Platforms must have mechanisms to honour this.
- Children's data: Special restrictions on processing data of minors under 18, including parental consent requirements.
The DPDPA rules are still being finalised by the Data Protection Board of India as of mid-2026. Implementation timelines and sector-specific guidance are evolving. Treat current DPDPA compliance as a minimum-baseline exercise while monitoring rule finalisations.
CTV data implications under DPDPA
CTV advertising relies on several data categories that fall within DPDPA's scope:
| Data type | CTV use | DPDPA status |
|---|---|---|
| Device IDs (GAID, TIFA, AFAI) | Frequency capping, audience targeting, attribution | Personal data — requires consent for processing |
| IP address | Geo-targeting, household matching | Personal data — consent required |
| Viewing history / ACR data | Audience segment building, retargeting | Sensitive personal data — higher consent bar |
| Subscriber profile (age, gender) | Demographic targeting | Personal data — must be collected with consent and used only as consented |
| Location data | Geographic targeting | Personal data — location-specific consent needed |
| Content preferences | Contextual and interest targeting | Personal data where linked to an identifiable individual |
Consent requirements for CTV data
Under DPDPA, consent must be:
- Free: Not conditioned on accessing the service (no "consent or pay" dark patterns)
- Specific: Granular to the purpose — consent for viewing history cannot be bundled with consent for advertising profiling without separate disclosure
- Informed: Plain language explanation of what data is collected and how it will be used
- Unambiguous: Active opt-in, not pre-ticked boxes or passive acceptance
In practice, CTV publishers in India (JioHotstar, Zee5, SonyLIV) collect consent through their app onboarding and privacy policy acceptance flows. The key question is whether current consent flows meet the DPDPA specificity standard — many existing flows use broad, bundled consent language that may not satisfy the specificity requirement once rules are finalised.
Legitimate uses (non-consent processing): DPDPA allows processing without consent for "legitimate uses" including state functions, employment purposes, and public interest activities. Commercial advertising does not clearly fall within these carve-outs, so advertisers should not rely on legitimate use as a basis for processing personal data in CTV campaigns.
Advertiser compliance steps for India CTV
1. Map your CTV data flows. Identify every data input used in your India CTV campaigns: device IDs, audience segments, first-party CRM data, third-party data. For each, identify the data source and whether consent has been obtained under DPDPA-compatible terms.
2. Audit first-party data activation. If you are using your own CRM or customer data for CTV audience matching, ensure that the consent obtained from those customers covers use for CTV advertising. Consent obtained for email marketing does not automatically extend to advertising targeting.
3. Assess third-party data. Third-party audience segments purchased through SSPs or data marketplaces for India CTV campaigns should come with documented consent lineage. Ask your data providers for DPDPA consent compliance confirmation — particularly for device ID-based segments.
4. Limit retargeting until rules are clear. Retargeting on CTV (reaching users who visited your website or app, matched via device ID) is the highest-risk use case under DPDPA. Consider restricting cross-device retargeting campaigns to first-party consented audiences until the full ruleset is published and interpreted.
5. Build contractual protections. Include DPDPA compliance warranties in data processing agreements with publishers, SSPs, and data vendors. The advertiser (as data fiduciary) is liable for downstream processing that violates DPDPA even if conducted by a vendor.
Publisher obligations under DPDPA for CTV ad tech
India CTV publishers have the primary obligation to collect and document user consent for advertising data processing. Key obligations:
- Consent notice must be presented before or at the point of data collection — not buried in a privacy policy link
- App consent flows must support granular withdrawal — users must be able to withdraw consent for advertising processing without losing access to the core service
- Publishers sharing user data with SSPs and DSPs must ensure those downstream processors operate under data processing agreements that bind them to DPDPA standards
- Children's data (under 18): CTV apps that have or likely have minor users must implement age verification or parental consent mechanisms — not just a "confirm you are 18+" checkbox
- Data breach notification: DPDPA requires notifying the Data Protection Board and affected users of data breaches — publishers must have incident response processes in place