This is a special edition of the RizingTV newsletter, where we bring you highlights from the Digital Renaissance Summit 2025—our recently concluded event in Mumbai on the future of innovation and regulation. In this insightful session, Anirban Mohapatra, Partner – TMT at Cyril Amarchand Mangaldas, unpacks the legal frameworks, compliance challenges, and strategic risks that every startup and digital business must understand in today’s fast-moving tech environment.
From navigating data privacy laws and IP protection to understanding the legal implications of AI tools and platform scalability, this is essential reading for founders, product leaders, and digital-first teams looking to build responsibly and scale smartly.
The beating heart of every start-up’s growth story in today’s tech-forward India is the word “digital”. As start-ups become more and more data-reliant and digitization reshapes the Indian economy, regulatory frameworks are adapting fast. And at the center of this legal transformation is the Digital Personal Data Protection Act (DPDPA) of 2023, a law that no modern entrepreneur can afford to ignore.
As India’s first comprehensive and contemporary attempt to regulate personal data, the DPDPA replaces the outdated Sensitive Personal Data Rules of 2011 under the IT Act, which most companies complied with superficially by including generic privacy policies. The new law, in contrast, is short, at around 30 pages, but far-reaching in impact. It’s clearly written, filled with illustrations, and designed not just for lawyers but for every individual whose data is at stake. This marks a shift in India’s legislative attitude, from dense prescriptions to principle-based, tech-aware regulation.
Though the law was enacted in 2023, it hasn’t yet come into force. The central government is expected to roll out implementation rules later this year. These rules, once notified, will apply to nearly every digital interaction involving Indian citizens’ personal data, whether handled by Indian startups or processed overseas. If you’re storing even a name, email address, or CV on a server, you’re part of the data economy, and this law affects you.
There are three fundamental roles under the Act: the Data Principal (the individual), the Data Fiduciary (the entity determining data usage), and the Data Processor (the entity processing data on the Fiduciary’s behalf). For startups, understanding where you fall on this spectrum is crucial. If you’re a B2B service merely handling data on behalf of a larger partner, you’re a Processor. This status can shield you from direct legal responsibilities, provided your contracts are crystal clear. However, you cannot use any of that data for your own purposes—not even for training AI models, unless your contract explicitly allows it.
The DPDPA is firmly rooted in the concept of consent. Consent isn’t just a checkbox anymore; it must be meaningful, recorded, and traceable. Startups must deploy consent notices that are simple, precise, and detailed. These notices should outline the kind of personal data collected, how it will be processed, and the user’s rights (like withdrawing consent, correcting data, or requesting deletion), and must include a clear affirmative action from the user, logged electronically. Historical data may still be usable, provided valid consent was captured when it was collected. But if a user opts out, processing must stop.
Many businesses assume the law only applies to customer data, but that’s a dangerous misconception. The Act applies equally to employee data, job applicant CVs, vendor contacts, and even internal communication archives. HR departments often retain hundreds of old resumes—often without consent or necessity. In a breach scenario, such dormant data becomes a liability. So the first step toward compliance isn’t legal paperwork—it’s a data mapping exercise.
Data mapping means creating a detailed inventory of what personal data you possess, where it is stored, how it is shared internally and externally, and whether it’s truly necessary. This isn’t just about storage hygiene—it’s about risk management. Many startups are unknowingly drowning in redundant or outdated personal data. As one expert put it: data is no longer oil—it might be toxic waste if kept unnecessarily.
Startups in sectors like fintech, healthtech, and education tech should be especially vigilant. These may be classified as handling “significant” data, triggering advanced compliance requirements. If your startup is labeled a Significant Data Fiduciary, you’ll be required to conduct regular audits, perform Data Protection Impact Assessments, appoint a full-time senior-level Data Protection Officer, and report data breaches quickly and transparently.
Now let’s address AI—a hot topic, yet a legal grey zone in India. Currently, there’s no specific legislation regulating AI. But this doesn’t mean you’re off the hook. The legal pitfalls lie in two areas: data provenance and intellectual property. If you’re building AI models trained on scraped content, PDFs, or copyrighted books, and if your use-case crosses into commercial territory, you may be infringing IP laws. Consent and licensing matter. The risk intensifies as your company grows—making you more visible and more litigable.
One startup, for instance, attempted to democratize IIT coaching via an AI-driven platform. The idea was noble: use digitized books and online training to help students in Tier 2 and Tier 3 cities. However, because they didn’t own or license the books used to train their AI—and because they charged a fee for the service—they opened themselves to potential copyright lawsuits. In India, fair use is not a blanket license for monetization.
Meanwhile, targeted advertising is heading toward a storm of complexity. Under the new law, every targeted ad shown must have three layers of consent: one for processing the data, one for tracking, and one for delivering the ad. Consent can be withdrawn at any moment, making real-time ad delivery and retargeting a technical and legal minefield. The implications are big: startups may see increased server costs, rising compliance expenses, and higher legal risks, especially as customers toggle their privacy preferences dynamically.
To make matters more sobering, the law’s penalty provisions are not based on a percentage of revenue like Europe’s GDPR. Instead, they are flat and absolute—with fines going up to ₹250 crores. For a bootstrapped or early-stage startup, that’s enough to wipe out operations. The silver lining is this: enforcement is expected to be proportional. Regulators will judge you not just by your errors but by the effort you’ve taken to comply. As the speaker summarized: “You can be hanged for murder, but not everyone gets hanged.”
The DPDPA is not the only legislation on the horizon. The IT Act is being reimagined entirely—ironically, it never even mentioned the word “Internet.” The government is preparing a more modern Digital India Act, though its release timeline remains uncertain. Other laws, like the new telecom regulations and intermediary rules, are already affecting platform and app businesses. Founders, especially those offering SaaS or platform-as-a-service products, must stay alert.
If your startup deals with personal data, digitized content, or AI-driven products, now is the time to act. Begin with a data audit. Redraft your privacy notices. Reassess your contracts—especially with partners and vendors. Evaluate your AI and analytics stack for IP and data risks. Don’t wait for enforcement to scramble for compliance.
Legal compliance is no longer a luxury reserved for funded startups—it’s a core feature of responsible business-building. In a country where both AI and litigation are on the rise, startups that stay ignorant of these developments do so at their own peril. Knowing your data, documenting your policies, and refining your consent flows are not just good practice—they are existential necessities.
India’s digital economy is booming. Let’s make sure its legal infrastructure—and your startup—can keep up.
Catch the full episode on YouTube: https://www.youtube.com/watch?v=uLgezPaeW3c