India’s new data laws give individuals much more control over how their personal information is collected, stored and used. Under the Digital Personal Data Protection (DPDP) Act, 2023 and the DPDP Rules, every organisation handling personal data must follow strict rules to protect people’s privacy.
Fashion retailers now have 12 to 18 months to put all compliance systems in place. This includes getting clear consent from users before collecting their data, allowing users to edit or delete their information, protecting children’s data and deleting data when it is no longer needed. Retailers must report data breaches within 72 hours. They must also maintain data logs and build technology that supports safe storage and access. While large retailers may have resources to meet these requirements, start-ups are under far greater pressure.
The penalties under the DPDP Act have caused the most worry, especially for the country’s young start-up ecosystem. Fines can go up to Rs. 250 crore (US $ 27.76 million) for failing to protect data or for serious breaches, with no distinction between fledgling start-ups and big retail giants.
Most Indian fashion start-ups do not have an annual turnover anywhere close to Rs. 250 crore. So even one violation can threaten their survival.
Most of these brands depend heavily on digital channels like online shopping, loyalty programs, targeted ads, influencer-driven marketing, social commerce platforms, mobile apps, chatbots, WhatsApp marketing, SMS and email campaigns, digital wallets and BNPL services, customer feedback portals, AR/VR try-ons, smart in-store kiosks, CRM-based after-sales services, marketplace analytics dashboards and referral/affiliate tracking systems amongst others.
This creates a big challenge. Setting up secure databases, hiring legal and cybersecurity teams and building consent systems – all cost money. Even a simple requirement like reporting breaches quickly needs advanced tools that many start-ups do not have. Privacy experts say every department that touches customer data will need new tools and training. Some may even need to redesign their websites and apps.
This is putting serious pressure on new-age founders, driving them to plug the loopholes fast.
“Data retention will be tightened, ensuring we store information only for necessary business purposes. Internally, access to data will be restricted to specific roles, helping reduce exposure. Since we rely on third-party services for ERP and OMS, vendor governance has become a critical pillar of our strategy. Each partner is being evaluated for compliance, certifications and infrastructure security,” said Ranganath Kuppur, CEO, Globus Fashion, a D2C fashion retailer, which offers trend-driven and accessible collections for women across westernwear, Indianwear, fusionwear and accessories.
The brand, which closed FY ’25 with Rs. 100 crore (US $ 11.5 million) in revenue, currently operates on a hybrid cloud model. Customer data is stored on secure cloud servers managed by its technology partners, with data centres located in Mumbai, Pune and Bengaluru.
He added, “We are upgrading encryption, monitoring and incident response capabilities to match DPDP expectations.”
Ranganath also mentioned that high penalty thresholds introduced by the DPDP have generated discussion across the industry. “Small businesses may find the scale challenging, but it encourages the adoption of essential hygiene practices that protect consumers and companies alike,” he said.
For Globus, the total compliance cost is estimated to be between Rs. 25-40 lakh, depending on integration complexity and partner-side upgrades. Similarly, UNIREC, a sustainable brand producing formal jackets, sleeveless jackets, trousers, shirts and T-shirts from recycled PET bottles, is addressing the chink in its data armour.

“Our primary focus areas include improving consent management, ensuring strict data access controls, minimising the data we collect along with clear retention and secure deletion processes, enforcing vendor compliance with DPDP guidelines and implementing strong incident-response protocols to address any data breaches quickly,” said Kapil Bhatia, Founder and CEO, UNIREC.
The brand, which raised US $ 1.9 lakh (Rs. 1.5 crore) from BeyondSeed last year, estimates its compliance cost to be between Rs. 50–75 lakh, including cloud-security enhancements and third-party compliance verification.
He further mentioned, “The penalties are indeed substantial, especially for smaller businesses. While the intent is to ensure accountability, the high fines could disproportionately impact startups and SMEs.”
UNIREC currently stores data in India on cloud-based platforms provided by reputable third-party service providers.

“Consumers increasingly value brands that are transparent about how their data is used. We see this as an opportunity to improve communication, strengthen the consent process, invest in first-party data and move towards privacy-friendly marketing,” said Aditya Agarwal, Co-founder, Campus Sutra, the D2C men’s clothing brand for youth which has an annual revenue of nearly Rs. 400 crore (US $ 44.42 million).
Aditya explained that the company is ensuring compliance across every customer data touchpoint including website, WhatsApp, online marketplaces and loyalty programs. It is also reviewing all third-party partners such as payment gateways, logistics companies, analytics providers and communication platforms to ensure they meet the standards set under the law.
The brand relies on trusted cloud partners rather than maintaining its own physical servers. It uses platforms like BigQuery and AWS, with data hosted in India-based data centres depending on the partner’s available infrastructure.
Founders also said 18 months is a reasonable timeline to implement the required changes, provided companies adopt a structured approach.











