The rise of the trust stack in India’s digital economy
As India's DPDP Act reshapes the data economy, consent is quietly becoming a balance sheet asset and the companies building the architecture around it may define the next decade of digital commerce
by
Published: Jun 2, 2026 8:44 AM | 8 min read
- India's digital economy is undergoing a transformation towards a "trust stack," focusing on AI-led governance, identity verification, consent orchestration, and fraud intelligence as foundational elements for customer interactions and transactions.
- The Digital Personal Data Protection (DPDP) Act is a key driver of this shift, converting compliance obligations into market signals and requiring significant investments from businesses to meet new data governance standards.
- Compliance costs are substantial, with estimates ranging from Rs 1.8 crore for direct-to-consumer brands to Rs 19.36 crore for large enterprises, leading to an overall investment requirement of Rs 15,000 crore to Rs 25,000 crore across the industry.
- The evolving landscape emphasizes the importance of consent-driven data practices, creating a competitive advantage for companies that prioritize trust and transparency in their customer relationships, while also reshaping the advertising economy with a focus on identity-rich inventory.
There is a moment in every industrial revolution when a utility stops being a feature and becomes the foundation. Electricity was once a novelty; it became the grid. The internet was once a service; it became the operating system. India's digital economy may be approaching a similar inflection point, except this time the utility being laid beneath everything is not compute or connectivity. It is trust.
Five years from now, the companies that win in India's digital marketplace will not necessarily be those with the largest data lakes or the most sophisticated algorithms. They will be the ones that have built what industry architects are beginning to call the "trust stack" — a layered infrastructure of AI-led governance, identity verification, consent orchestration, and fraud intelligence that runs quietly beneath every customer interaction, every advertising decision, and every enterprise transaction.
This shift is not hypothetical. It is already underway, and the Digital Personal Data Protection Act is its catalyst.
Read On: Govt establishes data protection board under DPDP Act
When Compliance Becomes Capital
The DPDP Act, India's most consequential data legislation, is doing something that regulations rarely accomplish: it is converting a governance obligation into a market signal.
Malcolm Gomes, Chief Operating Officer at Privy by IDfy, says, “Payment gateways solved one problem by making transactions trustworthy between two parties who don't know each other. Cloud providers solved another problem by making compute and storage reliable, scalable, and accessible. Trust-tech solves the next version of that same fundamental challenge — making data relationships trustworthy at scale, across an increasingly fragmented and regulated ecosystem.”
The first-year financial shock to India's advertising economy alone is projected to reach Rs 12,000 crore, with programmatic pipelines bearing the sharpest impact. But behind that headline number lies a more durable transformation, one that is reorganising how enterprises think about data, identity, and customer relationships from the ground up.
The compliance cost curve is steep and non-negotiable. Industry benchmarks now show that a D2C brand needs approximately Rs 1.8 crore to become DPDP-compliant, a mid-market retailer requires closer to Rs 7 crore, and a large enterprise with meaningful digital scale is looking at investments between Rs 15 crore and Rs 19.36 crore over 18 months. Across advertisers, publishers, and agencies, the aggregate investment required to meet DPDP-era requirements is estimated between Rs 15,000 crore and Rs 25,000 crore. These figures cover consent management platforms, customer data platforms, breach response workflows, legal documentation, and the reconstruction of attribution systems that have been foundational to performance marketing for over a decade.
What is less discussed, but arguably more consequential, is what these investments are actually building. They are not merely compliance infrastructure. They are, in effect, the early scaffolding of a trust economy.
Read On: Can telcos become the new data powerhouses in India?
From Checkbox to Competitive Advantage
For most of the last decade, consent in India's digital economy was, at best, a formality. Cookie banners existed to be dismissed. Privacy policies were written for regulators, not users. Data collection was frictionless by design, and the advertising industry built an entire performance infrastructure on top of inferred behavioural signals that users neither knowingly provided nor could easily revoke.
Amit Relan, CEO and co-founder of mFilterIt, puts it plainly. "Retail media, fintech, OTT, D2C, healthcare — consent-driven ecosystems are already proving that transparency isn't a compliance requirement. It's a competitive advantage. The brands that will lead through 2030 won't be the ones with the most data. They'll be the ones with the most trusted data."
DPDP changes that architecture fundamentally. With non-consented identifiers, cross-site behavioural tracking, retargeting pools, and lookalike modelling sharply restricted, the industry is confronting what it calls a "blind-ads era" — a period in which targeting precision could fall by 60 to 80 percent across behavioural and cross-site segments, and addressability may contract from near-universal reach to somewhere between 25 and 40 percent depending on the environment.
But the disruption cuts two ways. Publishers with authenticated, logged-in audiences are already seeing CPM premiums of two to three times over non-consented inventory. Retail media, which operates on first-party purchase data and closed-loop attribution, is expected to grow from roughly 15 percent of digital budgets to nearly 30 percent as brands migrate spend toward environments where consent is built into the customer relationship rather than bolted on afterwards. Contextual advertising, long overshadowed by precision behavioural systems, is now projected to offset up to 40 to 44 percent of the conversion losses caused by the disappearance of behavioural signals.
The pattern is consistent. Consent is not shrinking the market. It stratifies inventory, creating a high-value tier of identity-rich, permission-verified inventory and a lower-priced residual pool of non-consented reach. The companies positioned in the first tier are not just compliant. They are structurally advantaged.
Read On: EU wants Google to allow third-party search engines to access search data
The Architecture of a Trust Stack
Understanding what a trust stack actually consists of matters because the term risks becoming a buzzword before it becomes a standard. At its core, a trust stack integrates four distinct but interdependent layers. Identity verification ensures that the person on the other end of a digital interaction is who they claim to be. Consent orchestration determines what data can be collected, activated, and shared, and with whom. AI-led governance ensures that the models built on that data are auditable, fair, and legally traceable. Fraud intelligence protects the integrity of the entire system by detecting and neutralising bad actors in real time.
Gomes describes, "Verified, consented first-party identity can enable more reliable audience targeting as dependence on third-party cookies declines. Consent orchestration determines what data can be activated, and for whom. Fraud intelligence protects the integrity of the transaction layer."
Chiraj Taneja, Co-Founder and CEO of GoKwik, sees the same architecture playing out across merchant networks. "When brands combine checkout intelligence with consent-led engagement, their acquisition and retention loops perform meaningfully better — not marginally. Categories like wellness, apparel, and personal care are moving fastest here, not just because DPDP is forcing the shift, but because AI-powered personalisation is their primary growth lever and that lever only works with clean, consented data."
The fraud dimension deserves particular attention. As Taneja notes, "Fraud always migrates, and DPDP won't change that. But first-party pipelines built with AI-powered consent verification and anomaly detection give brands a dynamic, self-improving defence that cookie-based systems structurally never could."
The Board Has Already Been Called In
Perhaps the clearest signal that trust infrastructure is maturing into a boardroom priority is the speed at which it has moved up the governance hierarchy. Cybersecurity spent roughly a decade migrating from the IT department to the executive suite. Trust stack readiness is making that journey faster, and DPDP has provided the structural mechanism.
With penalties of up to Rs 250 crore per instance and a mandatory Data Protection Officer reporting line to the board, the Act has formally made data governance a fiduciary responsibility. Gomes has observed this shift directly in conversations with board members. "Unlike other regulations, the penalty is very severe. It is a material financial risk which sits squarely with the fiduciary's board. The law wants the board to take responsibility." One board member Gomes spoke with noted that "things are becoming so digital that it is very easy to catch and penalise. Organisations are going for the right solutions upfront to avoid rework costs and eliminate risk."
The implication is significant. By 2030, trust stack readiness may be evaluated alongside credit ratings, cybersecurity audits, and ESG scores as a measure of enterprise reliability. Investors, advertisers, and enterprise customers will increasingly want to know not just whether a company has data, but whether it has earned the right to use it.
Read On: Drowning in data, starved of insight
The New Data Relationship
Underneath all of this infrastructure lies a shift in the fundamental relationship between businesses and consumers. The outgoing model was built on passive collection, harvesting data through behavioural exhaust, location trails, and third-party inference without the consumer's meaningful awareness. The incoming model is built on active exchange, where consumers share data because the value proposition is clear and governance is visible.
Gomes articulates where this leads. "Not only is it realistic to deliver hyper-personalised experiences without invasive tracking, it will be the only legally viable path forward within this decade. A customer explicitly telling a brand what they care about is ultimately more valuable than an algorithm making probabilistic assumptions from clicks, scrolls, or location trails."
The implications for AI are direct. Relan identifies the core tension in how enterprises are currently building AI systems. "The signals we act on are only as reliable as the systems verifying them. As the ecosystem grows more complex, so does the gap between data that looks right and data that actually is. Leaders who build on unvalidated inputs aren't scaling, they are compounding risk with every decision."
Taneja arrives at the same conclusion from the commerce side. "Third-party data, built on inferred behaviour and opaque sourcing, gives you AI that's essentially guessing. First-party data, captured at the point of purchase or through direct consent, gives you AI that's working with ground truth."
By 2027, India's digital advertising economy is expected to stabilise at five to ten percent below its pre-DPDP baseline — smaller in scale but operating with substantially higher signal quality, more intentional audiences, and more defensible infrastructure. The companies that understand this not as a revenue problem but as a design problem, one that requires rebuilding the architecture of digital trust from the customer relationship outward, will be the ones that define what India's digital economy looks like in the decade ahead.
Trust, it turns out, was always the infrastructure. It just took a regulation to make it legible.
Read more news about Digital Media, Internet Advertising, Marketing News, Television Media, Radio Media
For more updates, be socially connected with us onInstagram, LinkedIn, Twitter, Facebook, YouTube & Google News
