Skip to content
checkDPDP

Industry guide · #7 most exposed · Medium risk

DPDP Act for Media & Publisher in India

News sites, video platforms, content aggregators and digital magazines run heavy ad-tech stacks (Google Ad Manager, Prebid, header bidding, video pre-rolls) and analytics. Section 6 requires every one of these to honour consent — and most Indian publishers fail their first scan because nothing is gated.

Penalty exposure cap

₹50 cr

Mostly residual ₹50 cr band — Section 6 cookie failures. Section 8 risk if subscriber/payment data leaks; otherwise the dominant exposure is reputational and ad-revenue impact.

Realistic effort

60–140 hrs (4–8 weeks)

AdOps + Engineering + Editorial

Annual budget

₹1.5–7 lakh / yr for CMP, ad-stack reconfiguration

Tooling + DPO retainer + audit

Sector regulators

MIB (broadcasting) · PCI / Press Council · CERT-In

Stack on top of DPDP — comply with both

Why this industry

How DPDP hits Media & Publisher differently

Media is the canonical target for the cookie-consent half of DPDP. The ad-tech stack alone often drops 30–80 third-party cookies before consent. Scanners catch this without logging in; enforcement risk is visible exposure rather than catastrophic breach.

What you must do

Specific DPDP obligations for this sector

Section 6

Consent before any ad-tech tag fires

Header bidding wrappers, Google Ad Manager, Prebid, DSPs — all need IAB-style TCF or equivalent consent signal.

Section 5

Itemised privacy notice covering ad partners

List ad-tech vendors by name (or link to the IAB Global Vendor List) — generic "we use third-party advertising" is not specific enough.

Section 8

Subscription / paywall PII protected

Subscriber email, payment method, reading history — security-baseline obligations apply.

Section 9

Children-targeted content has stricter rules

Any section of your site targeted at minors (kid news, comics, school portal) cannot show targeted ads.

What to ship

Minimum control set + realistic time to land each

Effort estimates assume an in-house engineer + an external CMP/DPO partner where indicated. Cumulative time gets you to a defensible posture; full SDF maturity adds 1–2 quarters on top.

  1. 1

    TCF v2.2-compliant CMP

    1–2 weeks (Sourcepoint, OneTrust, Quantcast, CookieYes)

  2. 2

    Disable lazy-loaded third-party trackers (YouTube embeds, social shares)

    1 week engineering

  3. 3

    Server-side gating for ad calls until consent

    2 weeks AdOps + engineering

  4. 4

    Itemised privacy notice + IAB GVL link

    2 days

  5. 5

    Paywall security baseline (HTTPS, headers, 2FA admin)

    1 day

  6. 6

    Children-section ad-targeting block

    1 week if you have minor-targeted content

What goes wrong

Real-world enforcement scenarios

Scanner finds 60+ cookies set before consent

Section 6 violation — ₹50 cr band per failure. Reputational hit + advertiser pressure usually moves you faster than the fine.

Subscriber payment table leaks

Section 8 + breach notification — mid-band penalty, mandatory user notice.

Close these first

The three highest-impact gaps for this sector

  1. 1

    Ad-tech fires on first page load

    Move every wrapper behind the CMP consent event — 2-week AdOps sprint.

    Open the fix →
  2. 2

    Vague "we use third-party advertising" notice

    List vendors or link to the IAB GVL.

    Open the fix →
  3. 3

    YouTube / social embeds load before consent

    Click-to-load placeholder until consent.

    Open the fix →

See your sector-specific score in 60 seconds

Calculate your Media / Publisher risk →Run a free site scan

Media / Publisher · FAQ

Sector-specific questions, answered

Will gating ad calls behind consent kill our revenue?

Short-term yes (10–30%), long-term it normalises. The cost of an enforcement action plus brand-safety advertiser pull-back is higher than the consent uplift loss.

Does IAB TCF satisfy DPDP?

TCF v2.2 captures consent in a standard way but does not auto-cover the Section 5 notice and Section 11 rights obligations. Combine with a privacy notice + DSR intake.

Are we an SDF as a national news site?

Section 10 cites "risk to electoral democracy" — major news sites are at risk of SDF designation. Plan accordingly.

Compare across sectors

Other industries' DPDP exposure

BFSI & Fintech

Critical

Highest DPDP exposure of any Indian sector — payment data, KYC, credit profiles all in scope.

Diagnostic Labs & Pathology Chains

Critical

Patient PII + lab results + Aadhaar-linked KYC — the most stacked DPDP exposure of any sub-sector inside healthcare.

Healthtech & Pharma

Critical

Health data is the highest-sensitivity category — DPDP overlaps with ABDM and the Clinical Establishments rules.