Push Notifications, In-App Tracking, and Re-Targeting: The Mobile Marketing Stack That DPDPA Is About to Break
The average Indian mobile app sends 4.5 push notifications per day to its users. It tracks in-app behaviour across every screen. It shares behavioural data with advertising networks. It retargets users across other apps and websites based on what they did inside the product. This is the mobile marketing stack that has driven growth for Indian consumer apps for years.
The DPDPA is not going to make this stack illegal in itself. But it is going to make most of it illegal in the way it is currently done. And the organisations that understand this now and rebuild their mobile marketing infrastructure on a compliant foundation will not just avoid regulatory risk. They will build a more sustainable and more trusted relationship with their users.
How the DPDPA Applies to Mobile Marketing
The DPDPA applies to digital personal data in India. Mobile marketing involves processing personal data at multiple points. Behavioural tracking inside an app generates personal data about what a user does, what they look at, how long they spend on different features, and what they purchase. Push notification systems use device identifiers and user profile data. Retargeting systems share user identifiers and behavioural data with third-party advertising platforms.
Each of these processing activities requires a lawful basis under the DPDPA. For processing that is not necessary for the performance of the core service the user signed up for, the lawful basis is typically consent. And the DPDPA’s consent standard requires that consent be specific, informed, freely given, and as easy to withdraw as it was to give.
This means that a single consent checkbox at the point of app installation that covers tracking, push notifications, personalised advertising, and third-party data sharing does not meet the DPDPA standard. Each processing activity requires its own consent, described in plain language that the user can genuinely understand.
Push Notifications and Consent
Push notifications are treated as a consent-based processing activity under the DPDPA because they use personal data, specifically device identifiers and user profile information, to deliver personalized communications. The operating system-level permission that iOS and Android require for push notifications is a technical permission, not DPDPA consent.
A user who grants push notification permission at the OS level is agreeing to receive notifications from the app. They are not necessarily consenting to the processing of their personal data for personalized targeting. The DPDPA requires that consent for the data processing dimension of push notifications be sought separately and specifically, with a clear explanation of what data is used to determine what notifications are sent.
This means that organizations need to redesign their notification consent flows to explain, in plain language, what data powers their notification targeting, and to give users granular control over what types of notifications they receive and on what basis.
In-App Tracking and the Analytics Stack
Most Indian apps use a combination of analytics platforms, including tools like Firebase, Mixpanel, Amplitude, and AppsFlyer, to track user behaviour. These platforms collect detailed data about every user action inside the app and often correlate it with device identifiers, advertising IDs, and third-party data to build rich user profiles.
Under the DPDPA, this tracking generates personal data, and the processing of that data requires a lawful basis. For analytics that are strictly necessary for the operation of the service, there may be a legitimate use argument. But for analytics that go beyond what is necessary for the core service, including cross-app tracking, advertising ID linkage, and third-party data enrichment, consent is required.
This has significant implications for how analytics tools are configured. Many Indian app teams have never reviewed the default configuration of their analytics SDKs. The default is typically maximum data collection. A DPDPA-compliant analytics implementation requires reviewing exactly what each SDK collects, limiting collection to what is necessary and consented to, and ensuring that data sent to third-party analytics platforms is governed by appropriate data processing agreements.
Retargeting and Third-Party Data Sharing
Retargeting is the practice of showing advertising to users based on their behaviour inside your app or on your website. It works by sharing user identifiers and behavioural data with advertising platforms, which then match those identifiers to users they can reach on other apps and websites.
Under the DPDPA, sharing personal data with third-party advertising platforms for retargeting purposes requires explicit, informed consent. The user must be told that their data will be shared with named or categorised third parties for the purpose of showing them advertising outside your app. The current practice of burying this disclosure in a lengthy privacy policy that nobody reads does not meet the DPDPA’s plain language and specific consent requirements.
This means that retargeting audiences built on consent-less data sharing are non-compliant under the DPDPA. Organisations will need to rebuild their retargeting audiences using data from users who have specifically consented to this use, which for most Indian apps will mean a significant reduction in retargeting audience size, at least initially.
The Consent Management Platform Question
The technical solution for managing granular consent across a mobile marketing stack is a Consent Management Platform, or CMP. A CMP allows organizations to collect, record, and manage user consent preferences across different processing activities, and to propagate those preferences to the relevant SDKs and platforms.
Building or implementing a CMP for a mobile app is not a trivial technical project. But it is the foundation on which DPDPA-compliant mobile marketing must be built. Without a CMP, there is no reliable way to know which users have consented to which processing activities, and therefore no way to ensure that processing is limited to consented users.
The CMP must also support withdrawal. When a user withdraws consent for a specific processing activity, the CMP must propagate that withdrawal to every platform and SDK that was processing data under that consent. This requires integration between the CMP and the full analytics and advertising stack.
The Re-Engagement Campaign Problem
Many Indian apps run re-engagement campaigns targeting users who have become inactive. These campaigns typically use push notifications, email, and paid advertising to bring lapsed users back to the app. Under the DPDPA, re-engagement campaigns must be evaluated carefully.
If a user has not explicitly consented to re-engagement communications using their personal data, and the re-engagement activity is not necessary for the core service, the processing required to run these campaigns may lack a lawful basis. Organisations that run large-scale re-engagement campaigns against their entire user base, without distinguishing between users who have and have not consented to this use, are creating significant DPDPA exposure.
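The per-purpose consent record and withdrawal propagation described in the CMP section, together with the consented-audience filter a re-engagement campaign needs, as an added sketch that is not ComplyPlanet's or any CMP vendor's code. The purpose names, the `ConsentLedger` class, the adapter callback and the sample users are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical purpose names: one entry per processing activity that needs its own consent.
PURPOSES = {"extended_analytics", "personalised_push", "retargeting_share", "re_engagement"}

@dataclass
class ConsentLedger:
    state: dict = field(default_factory=dict)  # (user_id, purpose) -> bool
    audit: list = field(default_factory=list)  # append-only history of every change
    sinks: dict = field(default_factory=dict)  # purpose -> downstream adapter callbacks

    def _check(self, purpose):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")

    def register_sink(self, purpose, callback):
        """Attach an SDK/platform adapter that must hear every change for a purpose."""
        self._check(purpose)
        self.sinks.setdefault(purpose, []).append(callback)

    def set_consent(self, user_id, purpose, granted, notice_version):
        """Record a grant or withdrawal, then push it to every adapter for that purpose."""
        self._check(purpose)
        self.state[(user_id, purpose)] = granted
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, user_id, purpose, granted, notice_version))
        for callback in self.sinks.get(purpose, []):
            callback(user_id, granted)

    def allowed(self, user_id, purpose):
        """Default deny: a user who was never asked has not consented."""
        self._check(purpose)
        return self.state.get((user_id, purpose), False)

    def audience(self, purpose, user_ids):
        """Filter a campaign list down to users with consent for this purpose."""
        return [u for u in user_ids if self.allowed(u, purpose)]

def demo():
    ledger = ConsentLedger()
    ad_audience = set()  # stands in for a third-party ad platform's audience list
    def ad_adapter(user_id, granted):
        (ad_audience.add if granted else ad_audience.discard)(user_id)
    ledger.register_sink("retargeting_share", ad_adapter)
    # Constructed sample users and notice version
    ledger.set_consent("u1", "retargeting_share", True, "notice-v1")
    ledger.set_consent("u1", "personalised_push", True, "notice-v1")
    ledger.set_consent("u2", "personalised_push", True, "notice-v1")
    shared_before = set(ad_audience)
    ledger.set_consent("u1", "retargeting_share", False, "notice-v1")  # withdrawal
    return ledger, shared_before, ad_audience
```

Consent for one purpose never implies another: after the withdrawal, `u1` is removed from the stand-in ad audience but still receives personalised push, and nobody is in the `re_engagement` audience because nobody was asked.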
Why ComplyPlanet
ComplyPlanet works with mobile-first organizations and consumer app companies to audit their current marketing stack against DPDPA requirements and build a compliant mobile marketing architecture.
We help you map every data collection and sharing activity across your mobile marketing stack, identify the legal basis required for each activity, and design a consent management approach that meets the DPDPA standard while preserving as much marketing capability as possible.
We also help you review your third-party SDK and platform agreements to ensure appropriate data processing agreements are in place, and we help you implement the data minimization principles that reduce your breach exposure across your marketing data infrastructure.
Conclusion
The mobile marketing stack that has powered Indian app growth for the past decade was built in a world without meaningful data protection law. That world no longer exists. The organisations that rebuild their marketing infrastructure on a consent-first, data-minimal foundation now will be the ones that users trust, and regulators leave alone, in the years ahead.
ComplyPlanet can help you build a DPDPA-compliant mobile marketing framework. Contact us today.