As DPDPA Kicks In, Are Startups Ready For Privacy Compliance Burden?
The advent of India’s Digital Personal Data Protection Act (DPDPA) 2023 is reshaping the landscape for startups, bringing a significant compliance challenge that many may not be fully prepared to tackle. As digital infrastructure and data availability have surged, so too has the need for robust data protection laws. The DPDPA is India’s first comprehensive data protection legislation, aligning with global standards like the EU’s GDPR, and it is set to impact startups across sectors.
India’s Growing Compliance Ecosystem
The DPDPA, 2023, and its accompanying DPDP Rules 2025, establish a robust legal framework for personal data protection. These regulations require data fiduciaries to process data transparently, with data principals’ rights at the forefront. The phased rollout, starting from November 2025, gives companies 18 months to adapt. However, an EY survey indicates that while awareness is increasing, many startups still lack the necessary depth of understanding and operational maturity to comply effectively.
Startups like IDfy are seizing the opportunity to bridge these gaps. Known for its verification services, IDfy has ventured into privacy solutions with its platform, Privy. This move aligns with the anticipated ₹10,000 crore compliance-as-a-service market, driven by investments in privacy automation and data governance.
A Bet on Privacy Infrastructure
IDfy, backed by investors such as Blume Ventures and IndiaMART, is among several companies eyeing the burgeoning privacy market. Its focus on data governance and consent management positions it well within the DPDPA framework. Cofounder Ashok Hariharan notes that while Privy currently contributes 10% to the business, it is expected to grow significantly. The company’s revenue from operations has already surpassed the ₹200 crore mark in FY26.
Other players, like fintech unicorn Perfios and Cross Identity, are also launching platforms tailored to DPDPA compliance. These developments indicate a growing ecosystem of privacy-focused solutions, with established firms like Tata Consultancy Services seeking consent manager permits under the Act.
The Compliance Burden on Startups
Despite the uniform application of DPDPA, smaller enterprises face unique challenges. Limited resources and expertise make compliance disproportionately burdensome for SMEs compared to larger firms. This could slow technology adoption and hinder startup growth, potentially leading to a talent drain to less regulated markets.
To address these challenges, solution providers are crafting offerings for SMEs. Cross Identity’s Vishwaas AI, for instance, offers zero license fees initially, while IDfy plans to open-source parts of its technology to assist smaller businesses in achieving compliance.
Looking Ahead
As the DPDPA takes full effect, the compliance landscape will continue to evolve. Startups must prioritize establishing control and response readiness, focusing on data discovery, classification, and basic governance. With integrated SaaS solutions, they can navigate the compliance maze more efficiently, ensuring they remain competitive in India’s dynamic tech ecosystem.
