Back to blogFirst-Party Data Rules in Southeast Asia & India
13 min read

First-Party Data Rules in Southeast Asia & India

Google Consent Mode v2 covers the EEA, UK and Switzerland — not Singapore, India or Indonesia. What actually governs your first-party data in each market.

By Team COACT

If you run marketing in Singapore, India, or Indonesia and you've been told to implement Google Consent Mode v2, check the scope before you spend a sprint on it. Google's own EU user consent policy states it applies to end users in "the European Economic Area, the UK and Switzerland" (Google). Not Asia. The Google Ads documentation for the v2 consent signals says the same thing — it covers customers receiving data from end users in the EEA (Google Ads Help), and names no Asian market anywhere.

That doesn't mean you have no consent obligations. It means you have three different ones, from three domestic laws at three completely different stages of maturity — and none of them is the one the global agency content is shouting about. This post covers what actually applies in each market, what the real dates are, and why the most-cited statistic about first-party data ROI is one you can't check.

Key Takeaways

  • Consent Mode v2 is scoped to the EEA, UK and Switzerland. It is not required for Singapore, India, or Indonesia traffic — verified against Google's own published policy.
  • India is the only one of the three markets with a live compliance clock. Its DPDP Rules were notified in November 2025 on a phased runway, with consent-manager obligations landing roughly a year later.
  • Indonesia's PDP Law has been fully in force since October 2024 — but the implementing regulation is still unsigned and the supervisory agency still isn't stood up.
  • The "first-party data delivers 2.9x revenue uplift" figure everyone cites has no measurement methodology we could open and verify. Treat it accordingly.

This is marketing analysis, not legal advice. Confirm anything load-bearing with counsel in the relevant market.

Consent Mode v2 Doesn't Apply to Singapore, India, or Indonesia

Search "Consent Mode v2 guide 2026" and you'll get a stack of articles from consent-management vendors written as though the requirement is planetary. Read them closely and you'll notice something: almost none state a geography. That omission sells software.

Here's the actual scope, from the primary source. Google's EU user consent policy — the document the whole regime hangs off — applies to end users in the European Economic Area, the UK and Switzerland. The Google Ads help page covering the v2 signals (ad_user_data and ad_personalization) describes itself as applying to customers receiving data from end users in the EEA. Neither document mentions Singapore, India, Indonesia, or any Asian market.

Market Consent Mode v2 required?
Singapore No
India No
Indonesia No
European Economic Area Yes
United Kingdom Yes
Switzerland Yes

Source: Google, EU user consent policy and Google Ads Help (consent mode for EEA traffic), retrieved 2026-07-12.

The nuance that matters: not required is not the same as not useful. Consent Mode is a mechanism for passing consent state into Google's tags, and your domestic obligations are real regardless. Implementing it because you've decided it's the cleanest way to carry signals you need to carry anyway is a defensible call. Implementing it because you think Google requires it in Jakarta is not.

What Actually Governs First-Party Data in Your Markets

Three markets, three regimes, three stages of maturity. Treating "SEA" as one compliance surface is the single most common error we see.

Data protection status by market, 2024 to 2027 Timeline of three markets. Singapore's PDPA is in force across the whole window. Indonesia's PDP Law came into force October 2024 but has no implementing regulation yet, shown as a dashed bar. India notified its DPDP Rules in November 2025, with consent manager obligations around November 2026 and full substantive obligations around May 2027. 2024 2025 2026 2027 Singapore Indonesia India PDPA in force throughout In force — no implementing reg. Oct 2024 Nov 2025 Nov 2026 May 2027 Rules notified Consent managers Full obligations today Sources: PDPC; UU PDP No. 27/2022; MeitY DPDP Rules 2025. Retrieved 2026-07-12
Sources: PDPC; UU PDP No. 27/2022; MeitY DPDP Rules 2025. Retrieved 2026-07-12
Singapore India Indonesia
Law PDPA 2012 (amended 2020) DPDP Act 2023 + Rules 2025 PDP Law No. 27/2022
Status In force, mature Rules notified, phasing in In force since Oct 2024
Regulator PDPC — established Data Protection Board — standing up None yet established
Implementing rules Yes, plus guidance Phased to ~2027 Still unsigned
Live deadline for marketers? No Yes — see below Not yet

Sources: PDPC; MeitY DPDP Rules 2025; UU PDP No. 27/2022 as summarised by DLA Piper and Chambers. See the methodology note for verification caveats.

Singapore: A Mature Regime With Real Flexibility

Singapore's PDPA has been in force for over a decade and was meaningfully amended in 2020. For marketers the practical shape is this: consent can be express or deemed, and the 2020 amendments widened the deemed-consent routes considerably — adding deemed consent by contractual necessity and by notification, alongside exceptions for legitimate interests and business improvement.

That flexibility is the point, and it's routinely missed. Singapore is not a GDPR clone. There are lawful routes to processing first-party data that don't require a cookie banner staring down every visitor. The PDPC's advisory guidelines on requiring consent for marketing purposes are the document to read — though note it dates from 2015, which tells you something about how settled the regime is.

A caveat: Singapore's statute site blocked automated retrieval when we compiled this, so the specifics above come from the regulator's published guidance as indexed rather than a fetch of the statute. Have someone open the primary text before building a consent architecture on it.

India: The Only One of the Three With a Deadline

This is where the clock is actually running, and it's the least-covered story in the region.

India's Digital Personal Data Protection Act passed in 2023, and the Rules that make it operational were notified in November 2025 — on a phased runway rather than a single switch. The Data Protection Board stands up first. Consent-manager obligations land roughly a year after notification, around November 2026 — that's about four months from now. Full substantive compliance follows roughly eighteen months after notification, around May 2027.

The consent-manager concept is the one to understand, because it has no real equivalent in the regimes most global playbooks are written against. India's framework contemplates registered intermediaries through which individuals can give, manage, and withdraw consent across data fiduciaries. If you're collecting first-party data from Indian users at any scale, that changes the plumbing — not just the banner copy.

An honest caveat on the dates. Sources disagree on whether notification fell on 13 or 14 November 2025, and we could not resolve it against a primary government source: MeitY's page serves a JavaScript shell with no retrievable text, and the PIB press release blocked automated access. The phase structure — Board first, consent managers at roughly twelve months, substantive obligations at roughly eighteen — is consistent across every source we checked. The exact commencement day is not something we'll assert. If you're building a compliance calendar off this, have counsel confirm the gazette date.

Indonesia: In Force, But Nobody's Enforcing It Yet

Indonesia's PDP Law is the strangest of the three, and the most consequential given Indonesia is Southeast Asia's largest digital market.

The Selamat Datang Monument and fountain at the Hotel Indonesia Roundabout in central Jakarta, surrounded by traffic and high-rise towers
Jakarta's Bundaran HI. Photo by Eko Herwantoro via Unsplash.

The law's two-year transition period ended in October 2024. It is fully in force. And yet the implementing regulation — the document that would explain how any of it actually works — remains unsigned, with the last public draft circulated in 2023. The dedicated supervisory agency contemplated by the law still hasn't been established; in the interim, oversight sits with the digital ministry rather than a purpose-built data protection authority.

So Indonesian marketers face a genuinely awkward position that neither the law-firm coverage nor the marketing coverage articulates: the obligations are live and the penalties are real, but the operational detail that would tell you how to comply is still pending, and the body that would tell you whether you've succeeded doesn't exist yet. The rational posture isn't to wait — it's to build to the law's stated principles now, document your reasoning, and expect the implementing regulation to add specificity rather than reverse direction. Compliance-by-waiting is a bet that the regulation lands soft. That's not a bet we'd take in a market this size.

These Indonesia specifics come from consistent reporting across several international law firms (DLA Piper among them) rather than from Indonesian primary sources we fetched directly. Treat them as well-corroborated but confirm with local counsel before acting.

Does First-Party Data Actually Improve Performance?

Probably. But we're not going to prove it to you with the statistic everyone else uses, because we couldn't verify it.

The figure in near-universal circulation is that first-party data delivers up to 2.9x revenue uplift and 1.5x cost savings, from a study co-published by BCG and Google. It's quoted constantly, always as though it were a measured result.

Here's what we can and can't say. We could not open the study — BCG's site serves a 403 to automated retrieval, and the Think with Google page hosting the Asia-Pacific edition now redirects to a generic hub. Indexed excerpts of the study's own methodology footnote indicate the uplift figures come from survey responses, with marketers asked what incremental revenue impact their company had achieved, then cross-tabbed against non-adopters. We couldn't confirm that against the primary document, so treat it as a strong signal rather than a finding.

What isn't in dispute: no source we could open discloses a holdout, a control group, or an incrementality test behind the 2.9x. A cross-sectional comparison also can't separate first-party data from the fact that brands sophisticated enough to run such programmes tend to be sophisticated at everything else — and it's co-published by a company whose ad products benefit from first-party data adoption.

That doesn't make the number false. It makes it a number whose provenance you can't check, which is the kind we don't build arguments on.

What we could not find: a single methodology-disclosed benchmark for CDP or server-side tracking adoption. Not one source with a stated sample, fielding window, and panel definition. Every number in circulation traces to a statistics aggregator or a vendor counting its own customers. If you've seen a confident CDP adoption percentage, that's where it came from.

Want a first-party data setup built for your actual markets?

COACT runs a free 15-day pilot for founders who want compliant, working data collection across Singapore, Indonesia, and India — not a one-size-fits-all consent banner.

See the pilot program

What to Do About It

Reminder: this is marketing analysis, not legal advice. Confirm anything load-bearing with counsel in the relevant market.

  1. Decide on Consent Mode v2 for engineering reasons, not compliance ones. It's not a Google requirement in these three markets. Your domestic obligations stand either way.
  2. Build toward India's consent-manager milestone now — it's the only dated milestone in the region, and it changes architecture rather than notice copy. Confirm the exact date with counsel.
  3. Treat the three markets as three configurations. One pan-regional consent flow will be over-engineered for Singapore and under-prepared for India simultaneously.
  4. Get server-side collection working regardless. None of the regulatory ambiguity changes the fact that platform-side signal keeps degrading — our guide to setting up conversion tracking that actually works covers the reconciliation routine.
  5. Document why each collection route is lawful. In Indonesia especially, a written rationale is the closest thing to a defence available while the detail is pending.

Frequently Asked Questions

Does Google Consent Mode v2 apply in Singapore, India, or Indonesia?

No. Google's EU user consent policy states it applies to end users in the European Economic Area, the UK and Switzerland, and the Google Ads documentation for the v2 consent signals describes itself as covering EEA traffic. Neither names any Asian market. You may still choose to implement it as a mechanism for carrying consent state, but it is not a Google requirement in these markets.

When does India's DPDP Act actually affect marketers?

The Rules were notified in November 2025 on a phased runway. Consent-manager obligations land roughly twelve months later, around November 2026, and full substantive obligations around May 2027. The consent-manager framework is the one that changes marketing data architecture rather than just notice copy. Sources disagree on the exact notification day, so confirm the gazette date with counsel before building a compliance calendar.

Is Indonesia's PDP Law being enforced?

The law has been fully in force since its transition period ended in October 2024, and administrative penalties are provided for. However, the implementing regulation remains unsigned and the dedicated supervisory agency has not been established, with oversight sitting at the digital ministry in the interim. The obligations are live even though the operational detail is pending.

Do I need a cookie banner in Singapore?

Not necessarily. Singapore's PDPA allows both express and deemed consent, and the 2020 amendments broadened the deemed-consent routes and added legitimate interests and business improvement exceptions. It is not a GDPR clone, and lawful processing routes exist that don't require blanket consent prompts. Read the PDPC's advisory guidance on consent for marketing purposes, and confirm the statute text with counsel.

Is the "2.9x revenue uplift from first-party data" figure real?

A real study reports it, but we could not open that study to check how it was measured — BCG's site blocks automated retrieval. Indexed excerpts of its methodology footnote suggest the figures come from marketers self-reporting their own revenue impact in a survey. No source we could open discloses a holdout, control group, or incrementality test behind the 2.9x, and it was co-published by a party whose ad products benefit from first-party data adoption.

What CDP adoption data exists for Southeast Asia?

None with a disclosed methodology — we looked. Every adoption percentage in circulation traces either to a statistics-aggregation site with no stated sample or to a CDP vendor counting its own customer base. Treat any confident figure with suspicion, and note that "CDP" also abbreviates the Carbon Disclosure Project, which contaminates search results for anyone researching quickly.

Conclusion

The most useful thing we can tell you about first-party data in Singapore, India, and Indonesia is what you don't have to do: Consent Mode v2 is not a Google requirement in any of the three, whatever the vendor guides imply. Your domestic obligations are a separate matter, and they're real. What you do have is one settled and unusually flexible regime, one mid-rollout with a milestone roughly four months out, and one that's technically live but operationally undefined. Three configurations, not one policy.

How this post was compiled. The Consent Mode v2 scope finding — the load-bearing claim here — was verified directly against Google's own EU user consent policy and Google Ads Help documentation on 2026-07-12; the quoted scope language is Google's. Every other regulatory claim carries its verification status inline at the point you'd rely on it, because that's where it matters: India's and Indonesia's positions rest on law-firm reporting rather than primary government sources we could open, and India's notification date carries an unresolved one-day discrepancy we've declined to guess at. No verified CDP or server-side adoption benchmark exists in public, and we've said so rather than citing a statistics mill. This is marketing analysis, not legal advice — confirm anything load-bearing with counsel in the relevant market. Coact is a performance marketing agency working with ecommerce and app businesses across Singapore, India, and Indonesia.

Continue Learning

Want results like these for your brand?

COACT runs performance-based growth across SEA & India. Start with a free 15-day pilot.

Book a discovery call