The Digital Personal Data Protection (DPDP) Act, hailed as a progressive step toward securing personal data, is poised to become a regulatory quagmire for India’s Micro, Small, and Medium Enterprises (MSMEs). While the intent of the law — protecting individual data rights — is laudable, its techno-legal framework fundamentally misreads the ground realities of India’s economy.

The recently released “Techno-Legal DPDP Framework Misreads India’s MSME Landscape” by SKOCH Development Foundation and the Federation of Indian Micro and Small & Medium Enterprises (FISME) points out that the proposed compliance architecture, though elegant in theory, risks becoming an existential threat to India’s 63 million MSMEs.

The Flawed Assumption: One Size Fits All

The techno-legal model assumes that MSMEs operate like fintech companies, where customer consent flows can be digitized easily. But a tailoring shop in Kanpur, a local bakery in Madurai, or a small logistics operator in Raipur doesn’t have the digital backbone needed to seamlessly integrate consent management systems. For them, complying with the DPDP requirements will mean new hardware, internet connectivity, software subscriptions, cybersecurity measures, staff training, and regular audits — costs they are ill-prepared to bear.

Unlike fintech companies, for MSMEs, data is incidental — not strategic. Customer trust is rooted in service quality and personal relationships, not complex consent flows.

The Myth of Cost-Reduction Through Technology

Defenders of the DPDP framework argue that techno-legal measures — like Consent Managers and digital offices — will lower compliance costs. But our study shows otherwise. Even simple baseline compliance (like maintaining digital records, grievance redressal mechanisms, breach reporting systems) requires substantial recurring costs for micro and small enterprises.

The example often cited — the success of Account Aggregators (AAs) — is deeply misleading. The financial sector is highly regulated, digitally mature, and structurally dependent on data. MSMEs operate in informal, low-margin sectors where customer consent frameworks are alien to business operations.

Market Inelasticity: The Demand Trap

Another argument suggests that compliance-induced trust will expand MSME markets. But market expansion through trust only works in digitally scalable sectors like fintech or e-commerce. Traditional MSME sectors — garment manufacturing, event management, catering, transportation — operate in largely inelastic markets constrained by physical, logistical, and financial realities. A wedding caterer cannot triple their business merely because customer data is now securely stored.

For these sectors, compliance costs directly eat into already fragile margins without adding corresponding revenue.

Graduated Compliance: An Illusion

Proponents argue that the Act’s “graduated compliance” — distinguishing Significant Data Fiduciaries (SDFs) — protects MSMEs. However, even the so-called “basic” compliance framework mandates data audits, standardized consent collection, data breach notifications, and grievance redress mechanisms for all businesses. The base cost remains significant.

Without public funding, subsidized compliance kits, or ecosystem-wide support (as was done for UPI adoption), expecting MSMEs to comply is unrealistic and risks forcing many out of the formal economy.

Silent Taxation on MSMEs

Rather than empowering small businesses, the DPDP Act risks becoming a form of silent taxation — draining MSMEs of managerial attention, capital, and operational energy. Instead of focusing on producing goods, growing markets, and serving customers, MSMEs will have to divert scarce resources to compliance tasks designed for large corporations.

Without pragmatic adjustments — such as sector-specific thresholds, financial support, and compliance-as-a-service models — the law will widen the digital divide rather than bridge it.

Lessons from Digital Public Infrastructure (DPI)

The success of UPI is cited as proof that India can leapfrog digital adoption. But UPI succeeded because it was systematically enabled — with government subsidies, massive merchant education drives, waived fees, and simple onboarding.

The DPDP rollout, by contrast, offers MSMEs no help — only obligations and penalties. Expecting MSMEs to navigate complex compliance independently will likely cause mass non-compliance, token compliance (without meaningful change), or complete retreat into informality.

Conclusions: An Urgent Call for Reform

India’s MSMEs contribute nearly 30% of GDP and employ over 110 million people. They are the lifeblood of India’s ambition to become a developed country by 2047.

Yet, the current techno-legal design of the DPDP Act risks pushing them into retreat, burdening them with compliance costs they cannot afford, and favoring large, digitally native corporations who can absorb and weaponize compliance.

Without a fundamental rethinking — recognizing sectoral diversity, offering handholding support, and phasing obligations — the DPDP framework could unintentionally choke the vibrancy out of India’s economic backbone.

In the race to secure digital rights, we must not trample upon those who lack the means to run.