Sector wise readiness, Day 7
AdTech and data brokers: can you prove where every record came from?
A question I would put to every AdTech, DMP and data broker founder reading DPDP checklists:
Can you prove where each row of your audience data came from, and that someone consented to this use?
For most of the industry, the honest answer is no. And under DPDP, that gap is the core exposure, not a paperwork detail.
A sector map is a superset, not a launch checklist. So start with what applies to everyone here, whatever your size.
What applies to everyone, whatever your size
- ✅ Notice
- ✅ Consent and easy withdrawal
- ✅ Security safeguards
- ✅ Rights handling
- ✅ Grievance mechanism
- ✅ Processor contracts
- ✅ Breach response
What this sector lives and dies on
- ✅ Consent provenance, dataset by dataset. You must be able to show the consent chain behind every list you acquire, enrich or activate. "We bought it from a vendor" is not a basis.
- ✅ A lawful basis for profiling. Audience building and profiling generally need consent. The publicly available exception is narrow and will not cover bought or scraped data.
- ✅ Honest classification of your own role. If you set your own purposes for the data, you are a Data Fiduciary, not a processor, with the full obligations that role carries, whatever your contract calls you.
- ✅ Cross border mapping. Ad exchange data moves globally. You need to map those flows and be able to meet any Central Government restriction.
- ✅ Suppression and withdrawal that actually propagate. When someone withdraws, it has to reach every downstream copy and partner, not just your own table.
The line that catches people
Behavioural targeting of children is absolutely prohibited. No consent cures it. This is not a "get a parent to sign" situation. It is a hard stop.
What may not apply to you yet
- ❌ SDF obligations. Broker scale processors are plausible candidates to assess, but status comes only on Government notification, not from data volume alone.
- ❌ Mandatory DPO, algorithmic risk due diligence, localisation. These attach to SDF status, once notified.
- ❌ Annual DPIAs and independent audits as standalone duties.
The better question
The better question is not "does AdTech have a special regime?"
It is "can I trace every record back to a consent I can prove?"
Law creates obligations. Scale and risk influence implementation. But provenance is a day one discipline. The size of your data pool does not excuse it.
Tomorrow: gaming, and the 50 lakh user line that flips the rules.
Which part of the consent chain do you think breaks first? Drop it in the comments, or send me a message.