Daybreak - India’s data law is giving rise to a new consent economy for banks
Episode Date: January 26, 2026
India’s new data protection law is reshaping how companies talk to customers on WhatsApp. Messages that once felt routine now carry legal weight and are tied to consent, security, and user rights. Since the Digital Personal Data Protection Act became operational, businesses have begun reworking how they collect and manage personal data. That shift has created a fast-growing market for compliance tools, drawing startups and established firms into the same space. As companies rush to avoid heavy penalties, disagreements are emerging over who should manage consent and how independent they need to be. The bigger question is how much control users will really have over their data.
Tune in.
Daybreak is produced from the newsroom of The Ken, India’s first subscriber-only business news platform. Subscribe for more exclusive, deeply-reported, and analytical business stories.
Transcript
Hi, this is Rohan Dharma Kumar.
If you've heard any of the Ken's podcasts, you've probably heard me, my interruptions, my analogies,
and my contrarian takes on most topics.
And you might rightly be wondering why am I interrupting this episode too?
It's for a special announcement.
For the last few months, I and Sita Raman Ganesh, my colleague and the Ken's deputy editor,
have been working on an ambitious new podcast.
It's called Intermission.
We want to tell the same secret sauce stories of India's greatest companies.
Stories of how they were born, how they fought to survive, how they built their
organizations and culture, how they managed to innovate and thrive over decades, and most
importantly, how they're poised today.
To do that, Sita and I have been reading books, poring over reports, going through financial
statements, digging up archives, and talking to dozens of people.
And if that wasn't enough, we also decided to throw in video into
the mix. Yes, you heard that right. Intermission has also had to find its footing in the world of
multi-camera shoots in professional studios, laborious editing, and extensive post-production.
Sita and I are still reeling from the intensity of our first studio recording.
Intermission launches on March 23rd. To get an alert, as soon as we release our first episode,
please follow Intermission on Spotify and Apple Podcast
or subscribe to The Ken's YouTube channel.
You can find all of the links at the ken.com slash I am.
With that, back to your episode.
If you use WhatsApp, you have probably received messages from companies.
Delivery updates, payment reminders, promotional offers.
Sometimes it's a brand that you remember interacting with.
Sometimes it isn't.
The messages, though, still arrive and most of the time you ignore them
or you delete them without much thought.
But behind those messages
sits a growing legal question in India.
When is a company allowed to contact you
and what permission did you actually give them to do so?
That question has become harder to answer
since India's Digital Personal Data Protection Act
became operational in November last year.
The law reshapes how companies can collect,
store and use personal data,
including something as basic as your phone number.
Consent now has specific requirements.
It has to be free, informed, specific and unambiguous.
Users can ask companies what data they hold, correct it, delete it, or withdraw consent entirely.
And companies are required to build systems that make these rights usable, not theoretical.
For businesses, this has changed how everyday communication works.
Even something as familiar as a WhatsApp promotion can trigger internal debates about compliance.
Founders and compliance teams are spending hours discussing who initiated a conversation,
what permissions exist and how those permissions are recorded.
One of the people fielding these questions is Gorov Mehta, the founder of Concur,
a startup working in compliance management.
Since the law took effect, his role
has involved translating legal language into operational decisions companies can follow across
teams and platforms. And the deadline for full compliance is mid-2027. But preparations are already
underway. Companies are investing significant sums to avoid penalties that can run into hundreds of
crores of rupees. At the same time, an entire industry seems to be forming to help businesses manage
consent at scale. Now, as that industry grows, a larger issue is slowly coming into focus.
The systems being built today will decide how much control users really have over their data,
including who gets to speak to them and under what terms. Welcome to Daybreak, a business podcast
from The Ken. I'm your host, Nekhah Sharma, and I don't chase the news cycle. Instead, every day of the week,
colleague Rachel Varghees and I will come to you with one business story that is worth understanding
and worth your time. Today is Tuesday, the 27th of January. Once the data protection law became
operational, companies quickly realized that compliance was not going to be a simple checklist. It
required new systems, new roles and new budgets. Enterprises began asking what compliance
actually looks like on the ground
and many of those questions
started landing with a new class
of startups.
One of them is Concur,
which I mentioned earlier,
founded by Gorov Mehta.
His work involves translating the law
into something that companies can execute
across teams and technologies.
That translation has value.
For large enterprises,
compliance services can cost up to
18 crore rupees in the first two years
and about 10 crores every year after that.
Penalties for non-compliance, meanwhile,
can go up to 250 crore rupees
with higher exposure when children's data is involved.
Raguir Kanjarla,
the co-founder of governance and compliance
firm Sprinto,
spoke to my colleague,
The Ken reporter Indirpal Singh.
And he compared compliance to finance.
In the same way that finance teams maintain accounts,
compliance teams now have to manage consent frameworks and privacy obligations.
And this shift has helped create a market that Shishang Karinjati, the co-founder of consent management
startup Redacto, estimates to be worth at least 2,000 crore rupees in India.
Still, building the space is not straightforward. Consent, at some point, stops becoming a
legal question and becomes a systems problem. It has to work across
channels, vendors, and internal teams, and it also has to be enforced through technology.
Large enterprises often gravitate towards established players.
Some work with Indian KYC companies like IDfy, while others rely on multinational governance
companies that bring experience from Europe's GDPR regime.
Platforms such as Privy by IDfy integrate consent and data governance directly into
enterprise systems. But what happens as a result is a tension around definitions. The law specifies
that a consent manager must be incorporated in India and avoid conflicts of interest with data
fiduciaries. Startups like Concur and Redacto argue that this excludes KYC firms and foreign
headquartered companies and KYC firms do not agree. If the market cannot resolve this disagreement,
it will fall to the Data Protection Board of India,
which is expected to begin registering consent managers in November.
Until then, companies are still moving ahead,
even as the rules continue to take shape.
For more on this, stay tuned.
Some of the risks that the law is trying to address are already visible.
For example, in early 2025, a large trading platform
hired the data security firm Matters.AI to audit its systems.
The audit uncovered something quite troubling.
A former employee who had left three years earlier
had set up a script that siphons sensitive information to a Telegram channel.
Under the current law, such a breach would need to be reported to the data protection board
within 72 hours.
Affected users would have to be informed and penalties, like I
said, could reach into hundreds of crores.
Matters.AI has since started offering tools that help companies accurately delete data
when users revoke consent alongside its other cybersecurity services.
Other startups are choosing different areas of focus.
Redacto, for example, concentrates on tracking where personal data flows and where it is stored.
The company positions itself as a privacy-only layer that does not
collect data itself, which it says helps avoid conflicts of interest.
Redacto sees early demand from healthcare and financial services.
Industries that handle large volumes of sensitive data and are likely to face closer regulatory
scrutiny.
Sprinto, meanwhile, which initially worked with startups now focuses on large enterprises and
estimates recurring compliance costs of four to five crore rupees a year for mid-sized
companies.
Established players, on the other hand, argue that consent is only one part of compliance.
Ashok Hariharan, the founder of IDfy, points out that areas like third-party risk management,
cookie controls and data discovery often receive less attention but carry significant exposure.
IDfy sells consent governance as a part of a broader compliance offering.
The sharpest debate, though, centers on conflicts of interest.
GRC companies argue that KYC firms should not act as consent managers because their business
depends on continuous access to data.
Yashu Bansal, who is assistant professor at Manipal Law School, illustrates the concern.
He says, if a KYC firm verifies users and also manages consent, every revoked permission
affects its own onboarding and verification workflows.
Hariharan, though, disagrees with that framing.
He distinguishes between a consent manager acting on behalf of users and enterprise-facing systems
that help fiduciaries implement consent at scale.
From his perspective, governance platforms operate on behalf of companies and the law does not
prohibit KYC firms from offering such systems.
The Information Technology Ministry has shortlisted IDfy, Redacto and Jio Platforms to help develop a modular consent
framework. While this is not authorization to act as consent managers, it does signal confidence in
their technical capabilities. Still, some observers, including Internet Freedom Foundation
Director Apar Gupta, warn that government-backed innovation efforts can influence who eventually
receives registrations. But beyond the market structure, there is a deeper question about what
compliance ends up prioritizing.
Gupta argues that the real test is whether companies trend in user agency or focus primarily on limiting liability.
A case described by Matters.AI founder Keshav Murthy actually is a good example of this.
At one of India's largest banks, a senior executive downloaded sensitive customer data before leaving the company.
He disguised the file as a medical report and shared it on WhatsApp.
No customer harm was reported, but the bank's immediate concern
was identifying and containing the breach.
That response reflects how the law is weighted.
According to Murthy, the Data Protection Act places more emphasis on security than on privacy.
Preventing data leaks and misuse sits at the center of enforcement.
Kanjarla believes that the headline penalty figure of 250 crore rupees exists to force attention.
Whether it remains notional or becomes routine will actually depend on the enforcement.
For now though, it is enough to get companies to engage.
And that engagement is already reshaping how businesses think of something as ordinary as a WhatsApp message
and how much control users truly have over the data behind it.
Daybreak is produced from the newsroom of The Ken, India's first subscriber-focused business news platform.
What you're listening to is just a small
sample of our subscriber-only offerings and a full subscription offers daily, long-form feature stories,
newsletters and a whole bunch of premium podcasts. To subscribe, head to the ken.com and click on the red
subscribe button on the top of the website. Today's episode was hosted and produced by my colleague
Snithashy.
