GDPR (EU) and India's DPDP Act 2023 both leave consent as the only safe basis for marketing email, but they differ on extraterritorial scope, penalties, and implementation timelines.
GDPR applies to any org that offers services to, or monitors, people in the EU (an EU subscriber list is enough). DPDP applies to orgs processing the data of people in India.
GDPR fines: up to €20M or 4% of global annual turnover, whichever is higher. DPDP fines: up to ₹250 crore (~$30M) per contravention.
Self-hosted email (MisarMail) simplifies compliance under both laws: no cross-border data transfers to third-party processors. The trade-off is that the "reasonable security safeguards" duty, which carries the highest DPDP penalty tier, is then entirely yours.
Two major data protection regimes now govern how Indian businesses handle email subscribers. The EU's General Data Protection Regulation (GDPR) applies if you have European subscribers. India's Digital Personal Data Protection Act 2023 (DPDP Act) applies to all Indian data subjects — regardless of where your business is located.
Most Indian email marketers are compliant with neither.
This guide gives you a clear, side-by-side comparison and a practical checklist to bring your email program into compliance with both frameworks in 2026.
You offer goods or services to people in the EU, or monitor their behaviour, and so hold their personal data (GDPR Art. 3(2)). It doesn't matter where your company is incorporated. If someone in Germany subscribed to your newsletter, GDPR applies to their data. GDPR has extraterritorial reach: the regulation follows the data subject, not the business.
Indian SaaS companies, e-commerce brands with European customers, and anyone whose English-language content is aimed at European readers (EU-facing signup forms, EU pricing or delivery) must comply. Mere accessibility of a site from the EU is not, by itself, targeting (Recital 23), but a newsletter you let EU residents sign up for is a service offered to them.
Key GDPR enforcement facts:
The EU has issued fines exceeding €4.5 billion since 2018
Indian companies are not exempt from EU enforcement
Google, Meta, Amazon, and hundreds of smaller non-EU companies have all been fined
You process the digital personal data of people in India. Section 3 of the Act covers processing within India and processing outside India that is connected to offering goods or services to data principals in India, so it applies to every Indian business and to any foreign business serving Indian users. The test is presence in India, not citizenship.
Key DPDP enforcement facts:
Passed in August 2023, currently in implementation phase
Data Protection Board being constituted (rules expected 2026)
Penalties up to ₹250 crore per contravention
No grace period for large organizations once enforcement begins
Aspect | GDPR | DPDP Act 2023 |
|---|---|---|
Consent standard | Freely given, specific, informed, unambiguous | Free, specific, informed, unconditional |
Pre-ticked boxes | Prohibited | Prohibited |
Bundled consent | Prohibited | Prohibited |
Age of consent | 16 (varies by member state, can be 13) | 18 (parent/guardian for minors) |
Consent form language | No specific language mandated; notice must be in clear and plain language the subscriber understands (Art. 12) | English or any of the 22 Eighth Schedule languages, at the subscriber's option |
Withdrawal of consent | Must be as easy as giving consent | Same standard |
Consent records | Must be maintained | Must be maintained |
Legitimate interest | Allowed as alternative to consent | Not recognized — consent required |
Critical difference: GDPR lists "legitimate interests" as a lawful basis for processing without consent, and Recital 47 even names direct marketing as a possible legitimate interest. In practice that route is narrow for email: the EU ePrivacy Directive (Art. 13) requires prior consent for unsolicited marketing email to individuals, with only a soft opt-in exception for existing customers being offered similar products. The DPDP Act does not recognize legitimate interests at all for marketing purposes. If you're processing Indian subscribers' data for email marketing, you need explicit consent. Full stop.
Right | GDPR | DPDP Act 2023 |
|---|---|---|
Right of access | Yes: copy of the data within one month (extendable by two months for complex requests) | Yes: summary of the data processed and the processing activities |
Right to correction | Yes | Yes |
Right to erasure ("right to be forgotten") | Yes: without undue delay, within one month | Yes: erasure when consent is withdrawn or the purpose is served |
Right to data portability | Yes | No express portability right in the Act |
Right to object to processing | Yes | Via withdrawal of consent |
Right not to be subject to automated decisions | Yes | Not explicitly addressed |
For email marketers: Both laws require you to honor unsubscribe requests promptly. Under GDPR, you have one month to answer a deletion request, but an objection to direct marketing takes effect immediately: once someone unsubscribes, you stop sending (Art. 21(3)). Under DPDP, you must delete data "without delay" when consent is withdrawn.
Aspect | GDPR | DPDP Act 2023 |
|---|---|---|
Retention limit | Only as long as necessary for the stated purpose | Must delete when purpose fulfilled or consent withdrawn |
Retention policy required | Yes | Yes |
Backup deletion | Must be addressed in policy | Same |
Dormant accounts | Must delete or re-obtain consent | Must delete when consent is withdrawn |
Practical implication: You cannot keep unsubscribed email addresses in your database indefinitely. Both laws require deletion when the purpose for processing ends. Build a deletion workflow into your email platform from day one.
Aspect | GDPR | DPDP Act 2023 |
|---|---|---|
Transfer mechanism | Standard Contractual Clauses, Adequacy Decision, BCRs | Government notified whitelist of countries |
Transfer to third countries | Permitted with safeguards | Permitted to notified countries (list not yet finalized) |
Data localization | Not required (with transfer safeguards) | Government may mandate localization for specific data categories |
Current status | Mature framework | Whitelist under development |
What this means now: If you use a US-based email platform (Mailchimp, Klaviyo, etc.), you're potentially transferring Indian subscriber data to the US. DPDP Act transfer rules are still being finalized, but the safe approach is to ensure your email data stays within India — which self-hosted platforms on Indian VPS infrastructure provide naturally.
Aspect | GDPR | DPDP Act 2023 |
|---|---|---|
Security standard | "Appropriate technical and organisational measures" | "Reasonable security safeguards" |
Data breach notification | 72 hours to supervisory authority | "As soon as possible" to Data Protection Board |
DPO requirement | Required for certain organizations (public authorities, large-scale monitoring or special-category processing) | Data Protection Officer, based in India, required for Significant Data Fiduciaries |
Privacy by design | Required | Implied through security obligations |
Aspect | GDPR | DPDP Act 2023 |
|---|---|---|
Maximum fine | €20 million or 4% of global annual turnover | ₹250 crore per contravention (top tier, for failing to implement reasonable security safeguards; lower caps apply to other contraventions) |
Basis | Whichever is higher | Fixed maximum per incident |
Enforcement body | National Data Protection Authorities | Data Protection Board of India |
Track record | Active enforcement since 2018 | Enforcement beginning 2025-2026 |
Immediate actions required:
Audit your current signup forms. Remove all pre-ticked boxes.
Ensure consent language is specific to email marketing (not buried in Terms of Service)
Implement double opt-in for all new subscribers
Record consent timestamp, IP address, and form version for every subscriber
Provide consent withdrawal (unsubscribe) mechanism in every email
Make unsubscribe as prominent as subscribe — DPDP and GDPR both require this
Signup form language that complies with DPDP Act:
"I agree to receive [Company Name]'s weekly email newsletter about [specific topic]. I can unsubscribe at any time by clicking the unsubscribe link in any email."
Signup form language that does NOT comply:
"By signing up, you agree to receive communications from [Company Name] and our partners."
The second example fails on multiple counts: it mentions "partners" (scope creep), it doesn't specify the content type, and it bundles partner consent with your own.
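The consent checklist above (double opt-in, timestamp, IP address, form version, withdrawal) as working code. This is an added example, not MisarMail's code or the page's own. It uses an in-memory SQLite table, a constructed consent text for a hypothetical "Example Co", and a signing key generated at start-up; in production the key and the IP-hash salt would come from a secrets manager. It goes a little beyond the checklist: the confirmation token is HMAC-signed and time-limited so a guessed or replayed link cannot confirm consent, and the IP address is stored only as a salted hash so the evidence survives without retaining the raw IP.

```python
import base64
import hashlib
import hmac
import json
import secrets
import sqlite3

# Assumption: in production both secrets come from a secrets manager, not source code.
SIGNING_KEY = secrets.token_bytes(32)
IP_HASH_SALT = secrets.token_bytes(16)
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links expire after two days

# Constructed consent wording, in the compliant form shown above.
CONSENT_TEXT_V3 = ("I agree to receive Example Co's weekly email newsletter about "
                   "self-hosted infrastructure. I can unsubscribe at any time by "
                   "clicking the unsubscribe link in any email.")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirm_token(email: str, form_version: str, issued_at: int) -> str:
    """Signed, time-limited double opt-in link payload: <base64 json>.<hmac-sha256 hex>."""
    payload = _b64(json.dumps({"e": email, "v": form_version, "t": issued_at}).encode())
    mac = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_confirm_token(token: str, now: int):
    """Return (email, form_version) for a valid, unexpired token, else None."""
    try:
        payload, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    data = json.loads(_unb64(payload))
    if now - data["t"] > TOKEN_TTL_SECONDS:
        return None
    return data["e"], data["v"]


class ConsentLedger:
    """Per-subscriber consent evidence: what they agreed to, when, from where, and withdrawal."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("""CREATE TABLE consent (
            email TEXT PRIMARY KEY, purpose TEXT, form_version TEXT, consent_text TEXT,
            ip_hash TEXT, requested_at INTEGER, confirmed_at INTEGER, withdrawn_at INTEGER,
            status TEXT)""")

    def request(self, email, form_version, consent_text, ip, now):
        """Step 1 of double opt-in: store a pending record and return the confirmation token."""
        ip_hash = hashlib.sha256(IP_HASH_SALT + ip.encode()).hexdigest()  # evidence, not the raw IP
        self.db.execute("INSERT OR REPLACE INTO consent VALUES (?,?,?,?,?,?,?,?,?)",
                        (email, "email_marketing", form_version, consent_text,
                         ip_hash, now, None, None, "pending"))
        return make_confirm_token(email, form_version, now)

    def confirm(self, token, now) -> bool:
        """Step 2: only a valid token for the same pending form version flips the record to confirmed."""
        parsed = verify_confirm_token(token, now)
        if parsed is None:
            return False
        email, form_version = parsed
        cur = self.db.execute("UPDATE consent SET status='confirmed', confirmed_at=? "
                              "WHERE email=? AND form_version=? AND status='pending'",
                              (now, email, form_version))
        return cur.rowcount == 1  # a second use of the same link changes nothing

    def withdraw(self, email, now):
        """Withdrawal is recorded, not deleted, so the consent history stays auditable."""
        self.db.execute("UPDATE consent SET status='withdrawn', withdrawn_at=? WHERE email=?",
                        (now, email))

    def can_send(self, email) -> bool:
        row = self.db.execute("SELECT status FROM consent WHERE email=?", (email,)).fetchone()
        return row is not None and row[0] == "confirmed"

    def record(self, email) -> dict:
        """Everything held about this subscriber, for a right-of-access reply."""
        cur = self.db.execute("SELECT * FROM consent WHERE email=?", (email,))
        row = cur.fetchone()
        return dict(zip([c[0] for c in cur.description], row)) if row else {}
```

The send path should call `can_send()` rather than reading a "subscribed" flag: a pending address never receives marketing, and a withdrawn one stops receiving it the moment `withdraw()` runs, which is the immediacy both laws expect.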
Create a data map of your email operations:
What personal data do you collect from subscribers? (name, email, location, behavior data)
Where is this data stored? (email platform servers, CRM, analytics tool)
Who has access to this data? (team members, third-party integrations, email platform employees)
How long do you retain data? (active subscribers, unsubscribed contacts, bounced contacts)
Do you transfer data internationally? (if using non-Indian email platforms)
Under both GDPR and DPDP Act, you must be able to answer all these questions. If you can't, compliance is impossible.
Implement a clear retention schedule:
Active subscribers: Retain as long as they remain subscribed and engaged.
Unsubscribed contacts: Delete the subscriber record within 30 days of the unsubscribe (GDPR) or immediately upon consent withdrawal (DPDP intent). Keep only a suppression entry so the address cannot be re-imported by accident; a salted hash of the address is enough for that check and avoids keeping the plaintext address around.
Bounced contacts: Delete hard bounces immediately (invalid addresses). Soft bounces after 3 failed attempts.
Inactive subscribers: Run re-engagement campaigns after 90 days of inactivity. Delete contacts who don't re-engage within 60 days of re-engagement campaign.
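The retention schedule above, together with the erasure step described in the self-hosting section further down, as an added example (not the page's or MisarMail's code). Subscriber records, dates and the suppression salt are constructed for the demo; `jurisdiction` is an assumed field so DPDP subscribers get a zero-day unsubscribe window while EU subscribers get the 30-day one. Purged unsubscribes and erased subscribers leave only a salted hash on the suppression list; bounces are purged outright, as the schedule says.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows from the retention schedule above; DPDP ("IN") unsubscribes purge immediately.
UNSUB_PURGE_DAYS = {"IN": 0, "EU": 30}
SOFT_BOUNCE_LIMIT = 3
INACTIVE_DAYS = 90
REENGAGE_GRACE_DAYS = 60

# Assumption: in production this salt lives in a secrets manager, not in source.
SUPPRESSION_SALT = b"example-salt-rotate-me"


@dataclass
class Subscriber:
    email: str
    jurisdiction: str                        # "IN" (DPDP) or "EU" (GDPR); assumed field
    last_activity: datetime                  # last confirm/open/click
    unsubscribed_at: Optional[datetime] = None
    hard_bounce: bool = False
    soft_bounces: int = 0
    reengaged_at: Optional[datetime] = None  # when the re-engagement campaign went out


def suppression_key(email: str) -> str:
    """Salted hash: blocks re-import of the address without storing the address itself."""
    return hashlib.sha256(SUPPRESSION_SALT + email.strip().lower().encode()).hexdigest()


def decide(sub: Subscriber, now: datetime) -> str:
    """Map one subscriber to 'keep', 'reengage' or 'purge' under the schedule."""
    if sub.unsubscribed_at is not None:
        window = timedelta(days=UNSUB_PURGE_DAYS[sub.jurisdiction])
        return "purge" if now - sub.unsubscribed_at >= window else "keep"
    if sub.hard_bounce or sub.soft_bounces >= SOFT_BOUNCE_LIMIT:
        return "purge"
    if sub.reengaged_at is not None:
        if sub.last_activity > sub.reengaged_at:
            return "keep"                    # they came back after the campaign
        if now - sub.reengaged_at >= timedelta(days=REENGAGE_GRACE_DAYS):
            return "purge"
        return "keep"                        # still inside the 60-day grace period
    if now - sub.last_activity >= timedelta(days=INACTIVE_DAYS):
        return "reengage"
    return "keep"


def run_retention(subs, now, suppression: set):
    """Apply the schedule; returns (kept subscribers, {email: action})."""
    kept, actions = [], {}
    for sub in subs:
        action = decide(sub, now)
        actions[sub.email] = action
        if action == "purge":
            if sub.unsubscribed_at is not None:
                suppression.add(suppression_key(sub.email))
        else:
            kept.append(sub)
    return kept, actions


def erase(subs, email, suppression: set, now):
    """Right to erasure: drop the record, keep a suppression hash, return an audit receipt."""
    remaining = [s for s in subs if s.email.lower() != email.lower()]
    key = suppression_key(email)
    suppression.add(key)
    receipt = {"erased_at": now.isoformat(), "records_removed": len(subs) - len(remaining),
               "suppression_key": key}
    return remaining, receipt


def can_import(email: str, suppression: set) -> bool:
    """Import-time check that an unsubscribed or erased address never comes back."""
    return suppression_key(email) not in suppression


def sample_subscribers(now: datetime):
    """Constructed test data covering every branch of the schedule."""
    def d(n):
        return now - timedelta(days=n)
    return [
        Subscriber("a@in.example", "IN", d(40), unsubscribed_at=d(1)),   # purge (DPDP: immediate)
        Subscriber("b@eu.example", "EU", d(40), unsubscribed_at=d(10)),  # keep (inside 30 days)
        Subscriber("c@eu.example", "EU", d(60), unsubscribed_at=d(31)),  # purge
        Subscriber("d@in.example", "IN", d(2), hard_bounce=True),        # purge
        Subscriber("e@eu.example", "EU", d(2), soft_bounces=3),          # purge
        Subscriber("f@in.example", "IN", d(100)),                        # reengage
        Subscriber("g@eu.example", "EU", d(200), reengaged_at=d(61)),    # purge
        Subscriber("h@in.example", "IN", d(10), reengaged_at=d(30)),     # keep (came back)
        Subscriber("i@eu.example", "EU", d(5)),                          # keep
    ]


def demo():
    """Run the schedule over the constructed data, then erase one subscriber on request."""
    now = datetime(2026, 1, 15, tzinfo=timezone.utc)
    suppression = set()
    kept, actions = run_retention(sample_subscribers(now), now, suppression)
    remaining, receipt = erase(kept, "f@in.example", suppression, now)
    return actions, remaining, suppression, receipt
```

Run the schedule as a scheduled job against the live database; the `actions` map is the audit log entry for that run, and the receipt from `erase()` is what you attach to the reply to a data-principal request.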
Both laws require notification of data breaches. For email marketing specifically, a breach typically means unauthorized access to your subscriber database.
Your plan must include:
Detection: How will you know if your subscriber data is accessed without authorization?
Assessment: How do you determine the scope and severity of a breach?
Notification: Who do you notify? (Data Protection Board under DPDP, supervisory authority under GDPR, affected data subjects)
Remediation: How do you stop the breach and prevent recurrence?
Timelines: GDPR requires notification within 72 hours of becoming aware of a breach. DPDP Act requires notification "as soon as possible" — interpret this conservatively as 72 hours until official guidance is issued.
Using a self-hosted email marketing platform like MisarMail on Indian infrastructure addresses several compliance challenges directly.
When your email platform runs on a VPS in India (AWS Mumbai, DigitalOcean Bangalore), subscriber data stays within Indian borders at rest. This is the cleanest answer to DPDP's data transfer requirements: there's simply nothing to transfer. Check that backups, log shipping, monitoring and any CDN or transactional relay you attach to the box also stay in-region, since each of those is a transfer in its own right.
SaaS platforms like Mailchimp process your subscriber data on US servers. Using Indian-hosted infrastructure removes that transfer from your data map, but the security of the host (patching, firewalling, access control, encrypted backups) becomes your responsibility under the "reasonable security safeguards" duty. For a full platform comparison, see MisarMail vs Mailchimp or MisarMail vs Brevo.
Self-hosted platforms give you direct database access. You can:
Pull complete subscriber records on data access requests within minutes
Execute bulk deletions for users who withdraw consent
Produce audit logs showing exactly when consent was recorded and what data was collected
Demonstrate to regulators exactly where data is stored and who can access it
With self-hosted infrastructure, you control:
Who has access to subscriber data (your team only, not platform employees)
Encryption at rest and in transit
Network access controls and firewall rules
Backup and recovery procedures
When a subscriber exercises their right to erasure, you need to delete their data from your email platform, analytics, and any other system. Self-hosted platforms allow you to execute direct database queries for deletion, which is fast and verifiable for the live database; backups, mail server logs and analytics exports hold copies too, so your retention policy has to give those a deletion schedule as well.
You need full GDPR compliance for EU subscribers and DPDP compliance for Indian subscribers. Both frameworks require explicit consent — so a single robust consent process covers both.
Required: Privacy policy referencing both GDPR and DPDP Act. Separate consent records by jurisdiction. Data Processing Agreements with any sub-processors. Data Protection Officer if processing large volumes.
DPDP Act applies. GDPR applies only if you have EU customers (unlikely for India-only D2C).
Required: Explicit consent at signup. Clear unsubscribe mechanism. Data retention policy. Subscriber data deletion capability. Grievance officer if processing large volumes.
If you're emailing HR at European companies, GDPR applies to those contacts' data. B2B email marketing operates in a gray area under GDPR — but the safest practice is to treat all EU contact data as if GDPR applies in full.
Mistake 1: Using purchase history as implied consent
Buying from you does not constitute consent to receive marketing emails under either GDPR or DPDP Act. You need explicit marketing consent, separate from transactional consent.
Mistake 2: One consent for all communications
"Subscribe to receive communications from us" is not specific enough. Subscribers should understand they're consenting to email marketing specifically — not a generic data use permission.
Mistake 3: Ignoring unsubscribe requests for "a few days"
Both laws require prompt action. Under GDPR, the one-month window applies to answering a data-subject request; it is not a licence to keep mailing someone who has objected, which must stop immediately. Under DPDP, immediacy is implied. Failing to honor unsubscribe requests promptly is one of the most commonly enforced violations.
Mistake 4: Storing unsubscribed contacts indefinitely
Keeping unsubscribed contacts in your database "just in case" is a data retention violation. Keep only what's necessary for suppression (the email address, marked as unsubscribed, with a deletion schedule).
Mistake 5: No data processing agreements with email platforms
If you use a SaaS email platform, that platform processes your subscribers' personal data. Under GDPR, you need a Data Processing Agreement (DPA) with them. Most major platforms have standard DPAs available — you need to actively execute them.
Topic | GDPR | DPDP Act 2023 |
|---|---|---|
Who it covers | EU data subjects | Indian data subjects |
Legitimate interest | Allowed | Not allowed for marketing |
Language requirement | Clear and plain language; no specific language mandated | English or any of the 22 Indian scheduled languages, at the subscriber's option |
Localization | Not required | May be required (TBD) |
Enforcement | Active, multi-billion fines | Starting 2026, up to ₹250 crore |
Self-hosted advantage | Security and audit control | Data stays in India |
Does GDPR apply to Indian companies?
Yes. GDPR applies to any organization that processes personal data of EU residents, regardless of where the organization is based. An Indian company with European subscribers, customers, or website visitors must comply with GDPR for that data. The EU has extraterritorial jurisdiction and has fined non-EU companies, including companies from the US, India, and other jurisdictions.
What are the penalties for DPDP Act violations in email marketing?
The Digital Personal Data Protection Act 2023 provides for penalties of up to ₹250 crore per contravention for serious violations. Specific email marketing violations include: failing to obtain proper consent before sending marketing emails, failing to honor data deletion requests, not maintaining adequate security for subscriber data, and failing to notify the Data Protection Board of data breaches. The Data Protection Board of India will enforce these penalties once fully constituted, expected in 2026.
Do I need explicit consent to send marketing emails in India?
Yes. Under India's DPDP Act 2023, explicit consent is required before sending marketing emails to Indian subscribers. Unlike GDPR which allows 'legitimate interests' as a basis for some processing, the DPDP Act requires consent for marketing communications. Consent must be freely given, specific to email marketing, informed, and unconditional. Pre-ticked boxes, bundled consent, and buried opt-ins are not valid under DPDP.
How does self-hosted email help with DPDP compliance?
Self-hosted email platforms (hosted on Indian VPS infrastructure) help DPDP compliance in three main ways: data stays within India (avoiding cross-border transfer compliance questions), you have direct control for fulfilling data access and deletion requests, and you have complete auditability of who accesses subscriber data and when. This makes it straightforward to demonstrate compliance to regulators compared to using international SaaS platforms where your data lives on foreign servers.
What is the difference between GDPR and India's DPDP Act for email marketing?
Key differences: GDPR allows 'legitimate interests' as a processing basis while DPDP requires explicit consent for marketing; DPDP requires consent notices in all 22 Indian scheduled languages while GDPR requires the local EU language; GDPR has mature enforcement with billions in fines issued since 2018 while DPDP enforcement is beginning in 2026; both require explicit consent withdrawal mechanisms and data deletion capabilities, so compliance with both can largely be achieved with a single robust consent process.
MisarMail is self-hosted email marketing that keeps your subscriber data on Indian servers — the cleanest path to DPDP compliance. Learn more at mail.misar.io
AI systems builder · 7 years in production. RAG, self-hosted infra, agent architecture. 📬 Deep-dives → mrgulshanyadav.substack.com