As DPDPA Kicks In, Are Startups Ready For Privacy Compliance Burden?

When IDfy set out in 2011, its core thesis was to address India’s long-standing trust deficit. At the time, fraud was not a large-scale concern, digital infrastructure was still evolving, and most verification and onboarding processes were manual. Most importantly, India did not have a culture of compliance when it comes to data privacy and protection of user data.
As the Indian tech landscape has evolved, the expectation has changed. India’s Digital Personal Data Protection Act, 2023 is ushering in a new era of compliance, one which may take startups by surprise.
The rise of digital public infrastructure, increasing data availability, and the rapid growth of sectors such as BFSI, ecommerce, and logistics created both opportunity and risk, which forced the Indian government’s hand in many ways to update India’s privacy laws when it comes to digital data.
Startups such as IDfy which began as verification providers for the wider industry have leveraged the DPDP opportunity to venture into privacy. Privy, IDfy’s privacy and data governance platform, is the result of a multi-year bet on India’s regulatory future, cofounder Ashok Hariharan told Inc42.
It’s not just IDfy of course. Even giants such as Reliance Jio Platforms are eyeing a piece of the privacy and compliance market given their deep networks. The market also includes the likes of Zoop.one, Concur, Redacto, NeoKred, Kavach One and Aurelion Future Forge, many of whom were part of the Indian government’s initiative for building consent management systems under DPDPA, 2023.
IDfy emerged as one of the six companies shortlisted to advance to the next stage and was declared the winner of the competition in March 2026, according to a document reviewed by Inc42.
Backed by the likes of Blume Ventures, IndiaMART, Elev8 Venture Partners among others, the startup operates across three core pillars: onboarding, risk, and privacy. While onboarding and risk work closely together to verify identities and assess trustworthiness, privacy has emerged as the newest and most strategic layer, particularly in the context of India’s Digital Personal Data Protection Act, 2023.
To be sure, the DPDPA, 2023 is the country’s first comprehensive data protection law and, in spirit, aligns with global frameworks such as the European Union’s General Data Protection Regulation (GDPR).
India’s Growing Compliance Ecosystem
DPDPA, 2023, and its associated DPDP Rules 2025 (notified on November 14, 2025) represent India’s comprehensive legal framework for personal data protection. The Act mandates that companies (data fiduciaries) process data transparently and securely, placing the rights of individuals (data principals) at the centre of data governance.
The newly issued rules lay down that organisations have an 18-month phased rollout from November 2025 to align systems. Foundational provisions apply immediately, while consent manager obligations start from November 2026 and core operational requirements by May 13, 2027.

As timelines set in, there have been significant gaps in operational readiness. An EY survey in February showed that while awareness of the DPDP Act and Rules is growing, the depth of understanding and maturity of implementation remains highly uneven.
As companies continue to make sense of the rules, the time is ripe for startups like IDfy to fill or attempt to fill in these gaps. In fact, an EY India report showed that the DPDP Act is expected to unlock a ₹10,000 Cr (approx. $1.2 Bn) compliance-as-a-service market over the next three years, fueled by urgent investments in privacy automation and data governance.
IDfy is just one of the many players in the DPDPA compliance ecosystem. The company began building in this space nearly five years ago, around the time early versions of India’s data protection framework, such as the Srikrishna Committee report, were taking shape.
Similarly, fintech unicorn Perfios launched Perfios DPDP Suite, a unified platform to operationalise consent and comply with the DPDPA, in March.
Recently, identity and access management company Cross Identity launched Vishwaas AI, a privacy and consent management portal.
There are other players too, such as Redacto, Neokred, Seqrite Data Privacy Solution, Concur-Consent Manager, and OneTrust, among others. Last month, ET reported that IT bellwether Tata Consultancy Services is seeking a consent manager permit under the Act.
“Currently, the legal, SaaS and cybersecurity players address distinct components of the DPDPA stack. However, over time, consolidation is likely expected as customers would prefer integrated, end-to-end solutions,” said Sachin Yadav, partner, Deloitte India.
A Bet on Privacy Infrastructure
“Privy is built with 80% focus on data governance and 20% on consent. It rests on three pillars: data governance (discovery, flow mapping, safeguards), privacy management (consent, user rights, purpose limitation), and a compliance copilot that continuously tracks regulatory changes and guides enterprises on maintaining and improving compliance,” said Hariharan.
According to the founder, Privy is still in its early stages from a revenue perspective, contributing about 10% of the business today, but is expected to scale rapidly. Over the next two years, the company anticipates a more balanced contribution across its three platforms: onboarding, risk, and privacy.
IDfy’s revenue from operations increased to ₹188.5 crore in FY25 from ₹145 Cr in FY24. Hariharan said that for FY26, the company has surpassed the ₹200 Cr mark.
“The opportunity for privacy is substantial. In India alone, the privacy and data governance market is estimated to be around $1–1.5 Bn currently, with the potential to grow to $3–4 Bn over the next decade. When combined with international markets such as Southeast Asia and the Middle East, the opportunity expands significantly,” the IDfy founder added.
The Compliance Burden on Startups
While the DPDPA, 2023 applies uniformly to all organisations processing digital personal data, the reality of compliance varies sharply between small and large enterprises. SMEs, in particular, face disproportionate challenges, including limited resources, lack of in-house expertise, and lower regulatory preparedness, compared to well-resourced Big Tech firms and large enterprises.
Over time, an inability to comply could have broader consequences: slower technology adoption among SMEs, constrained startup growth, potential talent migration to less regulated markets, and a widening gap between large and small players.
In response, solution providers are beginning to tailor offerings for this segment. For instance, Cross Identity has introduced Vishwaas AI with zero licence fees until June 30, with ongoing support priced at roughly half that for large enterprises, at ₹12.5 Lakh.
IDfy, on the other hand, is taking a more ecosystem-driven approach by planning to open-source parts of its technology stack. “We plan to make basic code available publicly to help SMEs achieve minimum compliance. While thousands of enterprises can build or buy full-scale solutions, millions of smaller businesses will also need to comply,” said Malcolm Gomes, the startup’s chief growth officer.
For SMEs, day-one compliance need not be complex but must be focused. The priority should be establishing visibility, control, and response readiness, starting with data discovery and classification, basic DSAR (Data Subject Access Request) automation, and a lightweight governance layer covering records of processing (RoPA), purpose limitation, and data retention policies, said Mohit Srivastava, data protection officer at Perfios.
Foundational security measures such as access controls, encryption, and logging remain essential, while integrated SaaS-based solutions can help achieve compliance efficiently without adding operational burden.
The post As DPDPA Kicks In, Are Startups Ready For Privacy Compliance Burden? appeared first on Inc42 Media.

