Most brand teams in India treated the Digital Personal Data Protection Act, 2023 as a legal department problem — something to handle with a cookie banner update and a revised privacy policy PDF. Then the rules began landing on marketing workflows in ways nobody anticipated. UGC collection pipelines, creator whitelisting arrangements, testimonial repurposing, and audience retargeting built on user submissions are now sitting in exactly the territory the DPDP Act regulates. And the mistakes brands are making are remarkably consistent.
This piece is specifically about those mistakes — what brands get wrong when they collect, store, and monetise UGC under India's new data regime, and what doing it properly actually looks like in practice.
Mistake 1: Treating a Creator Agreement as a Data Consent Document
The most common error we see is brands handing creators a "content rights agreement" and assuming that covers their data obligations under the DPDP Act. It does not. A rights agreement addresses intellectual property — who can use the video, for how long, on which platforms. The DPDP Act addresses personal data processing, which calls for an entirely different legal instrument.
When a creator submits a testimonial video, that submission typically contains:
- Their voice and face (biometric-adjacent data under ongoing regulatory interpretation)
- Their name and social handle, sometimes their city or profession
- Potentially their email or phone number collected during the submission flow
- Device metadata depending on how the form or app collects the file
Under the DPDP Act, processing any of this requires a lawful basis — most commonly, free, specific, informed, and unambiguous consent tied to a clearly stated purpose. A generic line in a content agreement saying "you consent to us using your content" does not satisfy that standard. The consent must be granular enough that the data principal (the creator or consumer who submitted the content) understands exactly what data is being collected and precisely how it will be used — including whether it will be used in paid Meta or Google ads, whether it will be shared with media-buying agencies, and whether it will be retained beyond the campaign period.
Mistake 2: Running UGC Repurposing Without a Clear Retention Policy
India's D2C brands — particularly in beauty, food-tech, and apparel — have built large libraries of organic customer posts collected over three to five years via Instagram regrams, WhatsApp forward campaigns, and Shiprocket/Meesho seller review exports. The DPDP Act's data minimisation and purpose-limitation principles mean that sitting on this archive without a documented retention policy is now a liability, not an asset.
The Act requires that personal data be retained only as long as necessary for the stated purpose. If a customer submitted a testimonial photo in 2021 for a single product launch campaign, that data cannot legally be repurposed in a 2025 brand refresh without fresh consent. The practical implication for UGC-heavy brands:
- Audit your existing UGC library and tag each asset with the original collection date, channel, and stated purpose
- Identify assets older than 18–24 months where the original consent scope was narrow
- Either obtain fresh consent through a targeted outreach (email or DM) or sunset those assets from active campaigns
- Build a retention schedule — for example, paid-ad usage rights expire 12 months post-collection unless renewed
A Bengaluru-based skincare brand we know of ran into this directly when a creator whose 2022 testimonial was still appearing in Meta retargeting ads in 2024 filed a complaint. The creator had since had a falling out with the brand. Under the DPDP Act, a data principal can withdraw consent — and if the original consent was ambiguous, the brand has little ground to stand on.
Mistake 3: Ignoring the Children's Data Provisions in Family and Parenting Categories
This is a particularly sharp risk for brands in baby care, edtech, toys, and family nutrition — categories where UGC almost inevitably involves children. The DPDP Act prohibits processing children's personal data (under 18) without verified parental consent, and prohibits behavioural tracking and targeted advertising to children entirely.
Many brands in the Rs. 60,000–Rs. 3,00,000 per month UGC production bracket are running campaigns where parents submit videos of their children using a product. The submission form asks for the parent's email but says nothing about the child's data or the fact that the child's face will appear in paid Instagram Reels targeting parents aged 25–40. This is a structural compliance gap.
The fix is specific:
- Add an explicit disclosure in the submission form: "This video may include a minor. I confirm I am the parent/guardian and consent to the use of this video including the child's likeness in digital advertising."
- Do not use children's likeness data in any behavioural retargeting segment — including Custom Audiences on Meta built from website visitors who viewed the video
- Check ASCI's guidelines on advertising to children, which layer on top of the DPDP requirements: testimonials involving children must not exploit their inexperience or credulity, and this shapes how the UGC can be scripted and presented
Mistake 4: Whitelisting Without Data Processing Agreements with Creators
Whitelisting — running paid ads from a creator's personal Instagram or Facebook account — has become a standard tactic for D2C brands on Meta India. The problem: when a brand accesses a creator's account to run ads, audience data flows back to the brand's ad account. Pixel events, custom audience builds, and lookalike seeds derived from the creator's followers involve processing the personal data of third parties who never consented to interact with the brand directly.
Under the DPDP Act, the brand becomes a Data Fiduciary and the creator's management of their own audience data makes the creator a de facto participant in that processing chain. This is an area where Indian marketing practice is materially behind the legal framework. A proper whitelisting arrangement now requires:
- A data processing addendum in the creator contract specifying what audience data the brand will access, for what purpose, and for how long
- Confirmation that the brand will not use creator-audience data to build retargeting segments outside the agreed campaign scope
- A clear off-boarding clause: when the whitelisting period ends, audience segments derived from the creator's account must be deleted or anonymised
In our production work, we brief creators on whitelisting specifically — they need to understand that granting ad account access has data implications for their followers, not just content implications for their feed. Increasingly, creators with larger followings (100K+) in cities like Mumbai and Delhi are asking for this clarity before signing.
Mistake 5: The "Public Post = Free to Use" Assumption
A persistent misconception among Indian brand marketers is that if a consumer posts publicly about their product experience — on Instagram, on Zomato, on Google Maps — that content is freely usable in marketing. It is not, and the DPDP Act makes this clearer. The post being public affects copyright and discoverability; it does not constitute consent for the brand to process the poster's personal data (their image, their name, their review text) for commercial advertising purposes.
Platforms like Meta and Google have their own Terms that grant the platform a licence — not the brand. When you screenshot a customer's Instagram story and use it in your brand's paid Reels campaign, you are processing that person's data without a lawful basis under the DPDP Act. The fact that it happens constantly across Indian D2C marketing does not make it compliant — it makes it a widespread unaddressed risk.
The correct workflow:
- Use a structured UGC solicitation flow — email post-purchase, in-app prompt, or a WhatsApp message with a clear opt-in — rather than scraping organic posts
- Tools like Bazaarvoice, Yotpo, or even a simple Google Form with explicit consent language are sufficient for most budgets
- For organic posts you genuinely want to repurpose, DM the creator, get written permission, and document it — a screenshot of the exchange with a date stamp is the minimum
What a Compliant UGC Programme Looks Like in 2025
Compliance does not mean slowing down production or abandoning UGC as a channel — it means building consent into the collection architecture from the start. A brand running 10–15 UGC videos per month at a Rs. 60,000–Rs. 1,20,000 production budget can absorb the compliance layer without material cost if it is designed upfront: a proper submission form, a two-sentence consent disclosure reviewed by a lawyer once, a simple retention schedule, and a creator agreement addendum that covers data. The brands that will be exposed are those treating compliance as a retrofit problem — something to fix after a complaint arrives.
The DPDP Act's enforcement mechanism is still being operationalised, but the Data Protection Board of India is being constituted, and the first penalty notices will set precedent quickly. Being the brand that a creator or consumer uses as a test case is an avoidable risk.
If you are building or auditing a UGC programme and want to ensure your collection, usage, and creator workflows are structured correctly from the start, speak with our team — we work with brands across India to produce compliant, high-performing UGC at scale.