#e4mXplains:  Why DPDP could threaten India’s retail media boom

The DPDP Rules 2025 tighten data flows in retail media, signalling the end of the Wild West era and establishing privacy as a premium feature

e4m by Shantanu David
Published: Nov 26, 2025 9:22 AM  | 8 min read
DPDP Rules 2025 x Retail Media
  • e4m Twitter

For two years now, retail media has been Indian advertising’s favourite economic fairy tale. A US$2.10 billion line in 2025, growing at a healthy 10.2 percent through 2030, built on the idea that if you have the data, the advertisers will come. And in India, retailers have had more data than they knew what to do with. Quick commerce, e-commerce, pharmacies, fashion, electronics: everyone decided they were actually media companies who just happened to sell groceries, sarees, or skincare on the side.

With global retail media headed to US$175.6 billion by 2028 and India’s ad market itself swelling to about US$15.78 billion in 2025, it felt like the closest thing to inevitability this industry ever allows. Digital is inching toward dominating the pie. Video is king. Investment keeps flowing. Retail media became the golden child; everybody wanted one.

And then, on November 14, the Digital Personal Data Protection (DPDP) Rules 2025 dropped into this party with all the subtlety of a power cut at a wedding. Everyone reported the obvious bits: consent banners, fines, “please update your privacy policy.” What almost no one clocked is the simple fact that the rules land squarely on the two pillars retail media stands on. Loyalty data that goes back a decade. And off-site monetisation, the shiny new engine everyone was gearing up to scale.

Read On: DPDP Rules 2025: Third-party data–fuelled ad-tech faces a tough challenge

The off-site piece is the one that will hurt first. Indian retail media platforms do not have infinite in-app inventory. After a point, you cannot squeeze more ads onto a grocery checkout page. The real money was always going to come from exporting retailer data into the wider ad ecosystem, Amazon-style: YouTube, CTV, open web, DSPs.

That whole expansion depends on being able to take a shopper who consented to “get product recommendations” and decide that this obviously includes serving them an ad during a cricket match on a streaming app.

The DPDP framework takes one look at that logic and quietly says no.

Purpose limitation is not a suggestion.

Under the new regime, if you want to chase your users across the internet, you need them to explicitly say yes, or you need another lawful ground under the Act that can actually support that purpose. And the problem is that whenever you ask users cleanly and plainly whether you can share their data with third-party advertising partners, they tend not to reward your honesty.

Teams working on off-site are already bracing for the inevitable shrink. Consent-specific pools mean fewer loyalty IDs can legally travel across contexts. Fewer eligible IDs mean weaker match rates. Weaker match rates mean your off-site narrative starts looking less like Amazon DSP and more like a slightly embarrassed cough.

And this is before you factor in the additional obligations around logs, auditability, and vendor alignment. Retail media already has a complex data supply chain. Add DPDP to the mix and even simple retargeting looks like a regulatory group project.

Read On: How DPDP will rewrite growth playbooks for Indian brands

The second pillar, loyalty data, is where things get properly existential. India’s loyalty market stood at US$5.37 billion in 2024 and is growing toward US$8 billion by 2028.

For years, retailers have been collecting phone numbers at checkout, linking invoices to IDs, and piping everything into CRM systems that don’t always talk to each other. Vendors in the loyalty space themselves expect revenues to double from US$671 million in 2024 to about US$1.30 billion by 2030.

All of this has created sprawling reservoirs of historical behaviour.

It has also created an equally sprawling gulf between what users actually consented to and what retailers assumed they meant. Most of this data was picked up in a time when “privacy” was something you clicked past to get a coupon.

Under DPDP, ongoing processing requires fresh, informed, documented consent unless another lawful ground applies. There is no magical grandfathering that saves a decade of grey-area data collection. If the original consent does not hold up under the new standards, the data becomes questionable for targeted advertising.

Retailers know what this means. Some segments will need to be quarantined until the user re-consents. And users do not exactly leap to respond to “please update your consent” emails. I certainly don't. Do you?

Read On: India’s retail media boom now runs on fulfilment, not discounts

For retail media, where high-value segments depend entirely on historical behaviour (premium shoppers, long-gap repeat buyers, high-margin replenishment clusters) this is not a minor inconvenience.

It is the risk of millions of profiles going dark. Dark data earns nothing. Dark data cannot be modelled. And rebuilding compliant pools is not free.

Then there is the inactivity clause, which has been under-discussed mostly because people have not read the fine print. The deletion requirement applies to large intermediaries. That means e-commerce and social media platforms with twenty million users and gaming platforms with at least five million.

These entities will have to delete inactive user data after up to three years unless the relationship is actively maintained. They must warn the user 48 hours in advance. In simple terms, DPDP forces platforms to create automated deletion systems that sweep their data for inactivity.

And in retail media, where the entire value proposition hinges on multi-year patterns, three years is a blink. Retailers use four- and five-year histories to understand everything from refrigerator replacement cycles to the difference between aspirational browsers and actual luxury buyers.

If someone hasn’t opened the app in three years, even if they still shop offline and never scanned their ID at checkout, the digital profile may still have to be erased. That means holes in your most expensive audience cohorts. And holes in your high-value cohorts have a way of showing up in CPM floors. Advertisers do not like paying premium rates for segments that may be missing the very behaviours they were sold on.

Read On: Era of Dark Patterns Ends: DPDP 2025 forces a rethink of UX, consent and digital trust

The Consent Manager situation complicates things further. The new system allows users to manage all permissions from one neutral dashboard that sits above individual apps. If a user revokes marketing consent through that interface, the retailer does not get to negotiate or intercept; the withdrawal simply cascades downstream.

Platforms will have to maintain real-time sync between their own systems and the Consent Manager ecosystem to avoid processing data they no longer have rights to touch. With DPDP penalties going up to ₹250 crore for security and safeguard failures, nobody wants to be the example case.

And we still haven’t hit the administrative load. The rules require at least a year’s worth of logs for every data-processing action. They require verifiable parental-consent flows for anything involving minors.

They require deletion SLAs, breach notifications, and multi-level vendor accountability. Retail media already juggles app analytics, store billing systems, CDPs, CRM partners, supply chain data, adtech vendors, measurement vendors, and content systems. Add DPDP compliance on top, and the overhead starts looking like a full-time job in itself. Big players will automate. Smaller ones will improvise. And improvisation is rarely cheap.

The children’s data clause adds another layer of realism. Behavioural targeting of minors now faces strict prohibitions and heightened obligations. In practice, this pushes any brand selling to kids into contextual and non-personalised formats. For retailers who built kid-heavy categories into their media decks, this is a quiet but significant contraction of inventory.

Read On: India’s DPDP Act reshapes the under-18 digital economy

And yet, the broader ad market is still moving upward. India’s AdEx is growing. Digital has surpassed TV. Video continues to balloon. Nothing here suggests a slowdown in advertiser demand. What it does suggest is that retail media is about to split into two very different businesses.

On one side, the top-tier brands will build privacy-safe clean rooms and sell advertisers the comfort of compliance: buy here, because we are too big to risk being non-compliant. On the other side, Tier-2 and Tier-3 players will face shrinking data pools, rising overheads, falling match rates, and increasing legal exposure.

The DPDP Rules are not the enemy of advertising. But they may well be the first real speed-breaker for retail media. As we've already written earlier, the Wild West era of advertising and stretching data across contexts is ending. The railways are coming in. And they decide who the new sheriffs are going to be.

The rules do not outlaw retail media. They simply tighten the pipes that fed it. When off-site expansion and loyalty reservoirs begin to narrow, the model has no choice but to evolve.

Privacy becomes a premium feature. And only a handful of players can afford to treat it that way.

Published On: Nov 26, 2025 9:22 AM