India’s New Data Law to Unlock ₹10,000-Crore Compliance Market as Firms Boost Privacy Investments
Consent management alone may account for 10% of the emerging business opportunity as enterprises race to meet DPDP Act norms.

India’s newly operational Digital Personal Data Protection (DPDP) Act is expected to create a massive ₹10,000-crore compliance and privacy-tech market over the next three years, according to estimates by consulting firm EY India. With the government notifying the administrative rules needed to implement the law, enterprises across sectors are now gearing up to overhaul their data protection frameworks.
The DPDP Act, passed in 2023 and formally activated through new rules on Friday, requires businesses to deploy clear consent mechanisms, strengthen data governance, and adopt secure processing systems. As organisations accelerate spending on privacy automation, cybersecurity, and compliance services, analysts say that consent management alone could represent nearly 10% of the total market opportunity.
“Consent management will be a critical area of investment as large enterprises embed robust digital consent systems into their infrastructure over the next 12–18 months,” said Tiffy Isaac, Partner, Cybersecurity Consulting at EY India. The spend, he noted, may be partially offset depending on how the commercial model for registered consent managers evolves.
Global and Indian players eye the market
Leading global vendors including ServiceNow, IBM, OneTrust, and TrustArc are already positioning themselves to capture early market share in India’s emerging privacy-tech ecosystem.
- ServiceNow is working with four of India’s top five banks on consent and privacy solutions.
- IBM Verify is gaining traction in enterprise security deployments.
- OneTrust, valued at $4.5 billion, recently expanded into Singapore to strengthen its APAC and India presence and has partnered with Deloitte and KPMG to support Indian enterprises.
- TrustArc is expected to scale up in India following its acquisition by private equity firm Main Capital Partners.
Meanwhile, India’s Ministry of Electronics and IT (MeitY) recently selected six firms under its Code for Consent Challenge to explore interoperable, privacy-safe consent solutions: Jio Platforms, Baldor Technologies (IDfy), VertexTech Labs (Redacto), Quagga Tech (Zoop), Concur, and Aurelion Future Forge.
What is a Consent Manager?
Under the DPDP Act, a registered consent manager (CM) is an entity that provides a neutral, privacy-enabled platform allowing users to give, review, withdraw, or modify consent across various data fiduciaries. To qualify, companies must be incorporated in India with a minimum net worth of ₹2 crore, ensuring only credible entities participate in managing user consents at scale.
A new era for India’s data economy
Industry experts believe the DPDP Act will reshape how organisations handle personal data, similar to the impact of Europe’s GDPR. The law is also expected to fuel demand for privacy engineers, compliance auditors, data protection officers, and cybersecurity specialists.
“The DPDP will create a significant compliance ecosystem in India,” EY’s Isaac said. “The next three years will see accelerated investment as organisations build privacy-first architectures to meet regulatory expectations.”
As digital adoption rises and India strengthens its data governance posture, the DPDP Act is poised to become a landmark driver of innovation, responsibility, and economic activity in the country’s expanding data economy.



