India’s DPDP Act — the Digital Personal Data Protection Act — changes the regulatory foundation for market research more directly than almost any other industry. Every market research project runs on the same raw material: personal data. Names, phone numbers, purchase habits, income brackets, opinions people share believing they’re anonymous. For years, that data collection sat in a regulatory grey zone in India, governed loosely by IT Act provisions never designed for consumer research. That changes this year. The Digital Personal Data Protection Rules, notified in November 2025, are now being phased in on a strict timeline — and 2026 is the year every research firm, brand, and agency needs to get its data practices in order before enforcement teeth arrive in 2027.
The Timeline You Actually Need to Track
The DPDP Act follows an 18-month phased rollout from the November 2025 notification, with obligations landing in stages rather than all at once:
- Now through late 2026: the “build year” — the Data Protection Board is active and guiding compliance, but enforcement is largely advisory rather than punitive.
- November 13, 2026: the Consent Manager Framework becomes operational, requiring consent architecture to be interoperable with standardised APIs.
- Through early 2027: the soft-enforcement period is expected to end, shifting the Data Protection Board from guidance toward active supervision — including scrutiny of legacy data collected before the Act took effect.
- May 2027: full hard enforcement begins, with penalties reaching up to ₹250 crore for serious violations, including failure to maintain reasonable security safeguards.
For a research firm, the practical implication is straightforward: any panel, dataset, or respondent database being built or expanded today needs to already meet standards that won’t be formally enforced for another year. Retrofitting consent after the fact, once the Board shifts to active enforcement, is a far harder — and more exposed — position to be in.
Why This Hits Market Research Differently Than Most Industries
Most DPDP compliance guidance is written for e-commerce platforms, fintech apps, and SaaS products — businesses where personal data is a byproduct of a transaction. Market research is different: personal data isn’t a byproduct, it’s the entire product. A brand tracking study, a panel recruitment database, a qualitative interview transcript — every one of these is built from data collected specifically because it’s personal and specific to an individual respondent.
That makes a few DPDP provisions especially relevant to research operations that don’t get much attention in generic compliance checklists:
- Purpose limitation and retention. Respondent data collected for a specific study can’t be indefinitely repurposed for future projects without fresh consent, and must be deleted once the stated purpose is fulfilled — a real shift for firms used to maintaining long-running panels.
- Data Fiduciary vs. Data Processor liability. If Maction or any research firm processes data on behalf of a client brand, the client (as Data Fiduciary) carries primary accountability — but the Act requires a proper contract specifying security obligations between fiduciary and processor. Verbal or informal data-sharing arrangements with clients are now a genuine liability gap.
- Children’s data. DPDP defines a minor as anyone under 18 — wider than most global frameworks — which matters directly for any research touching youth, education, or family-purchase-decision studies.
- Cross-border data transfer. Research firms working with global clients or offshore data processing/analytics teams need transfer mechanisms that satisfy DPDP’s requirements, distinct from what may already be in place for GDPR compliance.
The Consent Manager Framework Is the Deadline That Matters Most Right Now
Of everything on the DPDP timeline, the November 2026 Consent Manager deadline is the one research operations should be actively preparing for today. It requires consent collection to be interoperable with a standardised Consent Manager architecture — meaning bespoke, one-off consent checkboxes buried in a survey intro screen won’t hold up as the compliant standard once this framework is live. Panel recruitment flows, online survey tools, and CATI/CAPI consent scripts all need review against this requirement well before the deadline, not after.
What Research Buyers Should Be Asking Their Agencies Right Now
If you’re a brand commissioning research in India, DPDP accountability doesn’t stop at your agency’s door — as the Data Fiduciary, the exposure often sits with you. A few questions worth raising with any research partner this year:
- What does our data processing agreement actually say about security obligations, breach notification timelines, and data retention once a study concludes?
- How is respondent consent captured, stored, and made auditable — not just collected once and forgotten?
- Is our panel or respondent database being retained longer than the original research purpose justifies?
- If we’re running research on a youth or family segment, does our consent process meet the DPDP’s under-18 standard, not just a generic parental-consent checkbox?
Compliance as a Differentiator, Not Just a Cost
Awareness of DPDP among Indian consumers is still low — recent industry surveys suggest a relatively small share of consumers fully understand the law. That gap creates a real near-term opportunity: research firms and brands that can demonstrably show respondents how their data is handled, retained, and protected will stand out in an industry where “we take your privacy seriously” has mostly been boilerplate. As enforcement matures through 2027, that boilerplate stops being enough.
If you’re reviewing panel consent practices, data-sharing agreements, or need a compliant research design ahead of the Consent Manager deadline, talk to our team at Maction.
Frequently Asked Questions
Q: What is the DPDP Act and when does it apply to market research?
The Digital Personal Data Protection Act was notified in November 2025 and is being phased in through 2027. It applies to any organisation collecting, storing, or processing personal data of Indian residents — including market research firms, brand research buyers, and panel operators. Full enforcement with penalties up to ₹250 crore begins in May 2027.
Q: What is a Data Fiduciary under the DPDP Act?
A Data Fiduciary is the entity that determines the purpose and means of processing personal data. In a research context, this is typically the brand commissioning the study — not the research agency executing it. The Data Fiduciary carries primary accountability under the Act, which means brands cannot fully delegate DPDP compliance to their research partners.
Q: Does the DPDP Act affect how research panels are managed?
Yes significantly. Respondent data collected for a specific study cannot be indefinitely retained or repurposed for future projects without fresh consent. Panel databases built before the Act took effect may need consent retrofitting. The November 2026 Consent Manager Framework deadline requires consent architecture to meet standardised interoperability requirements.
Q: How does the DPDP Act define a minor for research purposes?
The DPDP Act defines a minor as anyone under 18 — broader than many global frameworks. Any research involving youth segments, education categories, or family purchase decision studies needs to meet this standard, including obtaining verifiable parental consent rather than a generic checkbox.
