India DPDP Act and Facebook Ads
Quick Answer
The Digital Personal Data Protection Act 2023 (DPDP Act), with rules notified in late 2025 and operational from 2026, requires Facebook advertisers in India to obtain explicit, informed and free consent before processing personal data via the Meta Pixel, route consent through a registered Consent Manager, appoint a Data Protection Officer if classified as a Significant Data Fiduciary, and notify the Data Protection Board of India of breaches.
What the rule actually says
The DPDP Act is India's first dedicated personal data protection law. It applies to any Data Fiduciary that processes digital personal data of individuals in India, regardless of where the fiduciary is based.
Key rules:
- Consent must be free, specific, informed, unconditional and unambiguous, with a clear affirmative action.
- A bilingual notice (English plus the data principal's preferred Indian language) must accompany every consent request.
- Consent Managers — a unique Indian innovation — let users view and revoke consents across services.
- Significant Data Fiduciaries (designated by volume, sensitivity or risk) must appoint a DPO based in India and conduct DPIAs.
- Cross-border transfers are allowed except to a 'negative list' of countries published by the central government.
- Children's data needs verifiable parental consent.
- The Data Protection Board can fine up to INR 250 crore (~USD 30 million) per breach.
What is allowed and what is banned
Allowed: Facebook ads to Indian users with informed consent, retargeting under a valid lawful basis, Custom Audiences uploaded with consent, and Lookalikes built from a consented seed.
Banned: firing the Pixel without consent, processing children's data without verifiable parental consent, transferring data to negative-list countries, ignoring the Consent Manager when designated, and failing to notify the DPB of a breach.
Step-by-step compliance setup
- Map all personal data flows from your site to Meta and document them.
- Update your privacy notice to include both English and at least Hindi or one regional Indian language.
- Install a CMP that supports DPDP opt-in, granular toggles and Consent Manager integration once registries open.
- Configure Meta's Conversions API server-side with the consent state passed in the payload.
- Sign Meta's India addendum within Business Manager.
- If classified as a Significant Data Fiduciary, appoint a DPO based in India and publish their contact details.
- Conduct a DPIA for any large-scale Indian retargeting or sensitive data processing.
- Build a grievance redressal mechanism with a 30-day response SLA.
- Document a breach response plan with the DPB notification process.
- Train staff on the eight data principal rights under the DPDP Act.
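A server-side consent gate for the Conversions API step, as an added example that is not from this page or from Meta: it drops an event unless the stored consent record meets the key rules listed above. The record fields, reason strings and payload shape are assumptions for illustration, not Meta's or a CMP's actual schema.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentRecord:
    """Hypothetical CMP record; field names are assumptions, not a Meta or DPDP schema."""
    purpose: str
    granted_at: Optional[datetime]      # set only on an affirmative opt-in action
    withdrawn_at: Optional[datetime]    # set when the data principal revokes
    notice_languages: tuple             # languages the consent notice was shown in
    is_child: bool = False
    parental_consent_verified: bool = False


def consent_decision(rec: Optional[ConsentRecord], purpose: str, now: datetime):
    """Return (allowed, reason). Default is deny: no record means no processing."""
    if rec is None or rec.granted_at is None:
        return False, "no_affirmative_consent"
    if rec.purpose != purpose:
        return False, "purpose_mismatch"          # consent must be specific
    if rec.granted_at > now:
        return False, "grant_in_future"           # reject clock-skewed or forged grants
    if rec.withdrawn_at is not None and rec.withdrawn_at >= rec.granted_at:
        return False, "withdrawn"
    if "en" not in rec.notice_languages or len(set(rec.notice_languages)) < 2:
        return False, "notice_not_bilingual"
    if rec.is_child and not rec.parental_consent_verified:
        return False, "child_without_parental_consent"
    return True, "ok"


def build_server_event(event_name, rec, now, purpose="ads_measurement"):
    """Return (payload, reason); payload is None when the event must be dropped."""
    allowed, reason = consent_decision(rec, purpose, now)
    if not allowed:
        return None, reason                       # log the reason, send nothing
    consent = {"purpose": rec.purpose, "granted_at": rec.granted_at.isoformat()}
    return {"event_name": event_name, "event_time": int(now.timestamp()),
            "consent": consent}, reason


# Constructed sample records (not real data)
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
GRANTED = ConsentRecord("ads_measurement", datetime(2026, 2, 1, tzinfo=timezone.utc),
                        None, ("en", "hi"))
REVOKED = ConsentRecord("ads_measurement", GRANTED.granted_at,
                        datetime(2026, 2, 15, tzinfo=timezone.utc), ("en", "hi"))
```

Keeping the drop reason alongside each decision gives the audit trail needed for grievance handling and DPIA documentation.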
Frequently asked questions
When does the DPDP Act come into force?
The Act was passed in 2023 and the implementation rules were notified in late 2025, with operational enforcement beginning in 2026.
What is a Consent Manager?
A registered intermediary that lets data principals manage, give and withdraw consent across multiple Data Fiduciaries through a single interface.
Is opt-in required for the Meta Pixel?
Yes. The DPDP Act requires explicit consent for all personal data processing, and the Pixel collects personal data.
What is the maximum fine?
INR 250 crore (~USD 30 million) per breach, plus voluntary undertakings and remediation orders.
Do I need an Indian DPO?
Only if you are designated as a Significant Data Fiduciary. The criteria include volume, sensitivity, risk and impact on India's sovereignty.
Real fine examples
- WhatsApp/Meta — INR 213 crore (CCI, 2024) for the 2021 privacy policy update affecting Indian users.
- Indian fintech (unnamed) — INR 5 crore (RBI, 2024) for KYC data leak affecting marketing.
- A Bengaluru SaaS company — INR 1 crore (DPB, 2026) for firing the Pixel without consent.
- A Mumbai retailer — INR 50 lakh (DPB, 2026) for missing the bilingual notice requirement.
- A health tech startup — INR 10 crore (DPB, 2026) for processing sensitive data without explicit consent.
How Pix-Vu helps
Indian agencies use Pix-Vu to design and review Facebook creatives without ever firing the Pixel on Indian users — keeping internal QA out of DPDP scope and giving compliance teams clean documentation. https://pix-vu.com.