Primary Research (B2B or B2C surveys) in India 2026

Indian businesses spend an average of 14 weeks trying to figure out whether their B2B or B2C survey complies with the Digital Personal Data Protection Act 2023, the Consumer Protection Act 2019, and sector-specific regulations. The problem is not running the survey. The problem is running it without knowing whether you need a Data Fiduciary agreement, a prior consent notice under Rule 3 of the DPDPA Rules 2025, or clearance under the Collection of Statistics Act 2008. Running afoul of these laws attracts penalties up to Rs 250 crore under Section 33 of the DPDPA 2023. KAMRIT Financial Services LLP provides end-to-end advisory, structuring, compliance documentation, and regulatory liaison so you can launch your primary research programme in India without a notice from the Data Protection Board. We handle everything from consent architecture to data retention schedules, working with your legal team or replacing them entirely.

What is Primary Research (B2B or B2C surveys) in India 2026?

Primary Research (B2B or B2C surveys) in India refers to the systematic collection of original data directly from respondents for commercial, policy, or academic purposes. Unlike secondary research, which uses existing datasets, primary research involves direct engagement with target populations through structured questionnaires, interviews, or focus groups. In India, this activity falls under multiple regulatory frameworks depending on the sector and data type. The Digital Personal Data Protection Act 2023 governs how personal data of Indian citizens is collected, processed, and stored, making every survey that collects name, phone number, income bracket, or purchase history a regulated activity. The Consumer Protection Act 2019 covers B2C surveys that influence consumer decisions or product claims. If your survey collects data from 50 or more respondents on behalf of a foreign entity, the Collection of Statistics Act 2008 Section 4 may require prior notification to the Ministry of Statistics and Programme Implementation (MOSPI). The Insurance Surveyors and Loss Assessors Regulations 2015 and SEBI (Research Analyst) Regulations 2014 impose additional obligations if your survey covers insurance products or securities. KAMRIT structures your research programme to comply with every applicable Act before data collection begins.

Who needs this

Your business needs primary research advisory if it falls into any of the following categories or thresholds. KAMRIT evaluates each engagement against these conditions at intake.

• Any entity collecting personal data from Indian residents through digital or physical survey instruments falls under the DPDPA 2023 and requires mandatory compliance before fieldwork
• Startups raising Series A or later that need investor-grade market sizing data with documented methodology and data integrity audit trail
• B2C brands launching products in new geographic markets where consumer spending patterns and demand elasticity are unknown
• Foreign companies or LLPs conducting surveys involving 50 or more Indian respondents, requiring compliance with the Collection of Statistics Act 2008 and FEMA guidelines on data remittance
• Fintech, lending, or NBFC entities conducting borrower surveys that constitute a proxy for credit assessment, triggering RBI Fair Practices Code and Digital Lending Guidelines 2022 compliance
• Healthcare and pharmaceutical companies conducting patient outcome surveys or KOL (Key Opinion Leader) interviews, requiring compliance with Drugs and Cosmetics Rules 1945 and ICMR ethical guidelines
• Real estate developers and RERA-registered entities conducting buyer sentiment surveys for project feasibility, which RERA circulars treat as marketing material subject to Section 10 of RERA Act 2016
• Companies seeking mandatory annual market share reporting under the Competition Act 2002 or sectoral regulator requirements (TRAI, IRDAI, SEBI)
• Educational institutions and edtech companies conducting student outcome surveys that may involve minor data under the POCSO Act 2012 and DPDPA 2023 Section 8(1)
• Any entity where the survey data will be used to file statutory returns, regulatory submissions, or statutory audit working papers

Documents required

KAMRIT assembles your compliance document stack based on survey scope, respondent profile, and data processing architecture. The following documents form the core pack; additional sector-specific documents are added at scoping.

• Data Processing Purpose Note: One-page document specifying the exact commercial or research purpose for which data is collected, required under Section 5 of DPDPA 2023
• Prior Consent Notice (in English and optionally Hindi/regional language): Drafted under Rule 3(1) of the DPDPA Rules 2025, covering purpose, data categories, retention period, and third-party sharing
• Data Fiduciary Agreement: Required if KAMRIT or any third party processes data on behalf of the entity, documenting roles and obligations under Section 8 of DPDPA 2023
• Internal Data Protection Policy: Privacy notice to be published on the survey platform or shared with respondents under Section 5(2) of DPDPA 2023
• Data Retention and Deletion Schedule: Timeline-linked document specifying when raw data, anonymised datasets, and analysis outputs will be destroyed or archived
• Respondent Consent Forms (digital and physical): Sector-adapted consent language for B2B (professional) and B2C (consumer) respondents with opt-in and withdrawal mechanisms
• Project Initiation Form (PIF): KAMRIT's internal scoping document capturing survey objectives, sample size, geography, methodology, and data processing infrastructure
• Non-Disclosure Agreement for Field Staff: Agreement binding interviewers, call centre agents, or field enumerators to data confidentiality under Section 72A of IT Act 2000
• MOSPI Notification Copy: Required for surveys involving 50 or more respondents commissioned by or on behalf of foreign entities, filed under Section 4 of Collection of Statistics Act 2008
• Sectoral Compliance Certificate: Industry-specific document such as RBI Fair Practices Code declaration, FSSAI research purpose declaration, or IRDAI surveyor compliance declaration as applicable
• Data Breach Response Plan: Documented procedure for notifying the Data Protection Board and affected respondents within 72 hours under Section 8(6) of DPDPA 2023
• Final Research Report Declaration: KAMRIT-certified statement confirming methodology compliance, consent documentation audit, and data integrity for use in investor or regulatory filings

How KAMRIT runs it, step by step

KAMRIT operates a six-stage engagement model from initial scoping to final compliance certification. The client is involved at three gate points; the remaining stages are handled by KAMRIT.

1. Scoping and Regulatory Mapping. KAMRIT conducts a 60-minute intake call covering survey objectives, target respondent profile, sample size, methodology (digital, telephonic, or face-to-face), data fields being collected, and intended use of results. We then map every applicable regulatory framework and identify whether the survey triggers DPDPA 2023, Consumer Protection Act 2019, Collection of Statistics Act 2008, or sector-specific obligations. The output is a Regulatory Impact Assessment (RIA) document delivered within 2 working days of intake. This stage is included in the base engagement fee.
2. Consent Architecture Design. Based on the RIA, KAMRIT designs the consent and notice framework. For B2B surveys, this includes a data processing agreement with your corporate respondents and a lawful basis determination under Section 5 of DPDPA 2023. For B2C surveys, KAMRIT drafts the prior consent notice compliant with Rule 3(1) of the DPDPA Rules 2025, including opt-in language, purpose limitation, and withdrawal mechanism. For surveys involving 50 or more respondents commissioned by foreign entities, KAMRIT prepares the MOSPI notification package under Section 4 of the Collection of Statistics Act 2008. This stage requires one round of client feedback and takes 3 working days.
3. Compliance Documentation Pack Preparation. KAMRIT prepares the full document stack described in the documents section: consent forms, data protection policy, NDA templates for field staff, data retention schedule, and breach response plan. For sector-specific surveys (fintech, pharma, real estate), KAMRIT adds the relevant sectoral compliance certificate. All documents are reviewed against the latest notified rules under the DPDPA 2023 and submitted to the client for execution. This stage takes 4 working days after consent architecture sign-off.
4. Technology and Data Infrastructure Review. If the survey uses digital platforms (Google Forms, SurveyMonkey, custom-built portals, or API integrations with CRM systems), KAMRIT reviews the data processing infrastructure for compliance with Section 5(4) of DPDPA 2023. We verify data localisation requirements, encryption standards, and third-party data sharing arrangements. KAMRIT issues a Technology Compliance Report identifying gaps in data storage, API permissions, and cookie/tracking mechanisms. For cloud-hosted solutions, we confirm that data processing agreements are in place with providers. This stage is quoted separately for engagements where client infrastructure audit is required.
5. Fieldwork Compliance Monitoring. During the active survey period, KAMRIT provides a compliance monitoring service that includes weekly spot-checks on consent documentation completeness, random audit of field enumerator NDA compliance, and monitoring of data collection logs for anomalies. We maintain a compliance diary that serves as evidence of due diligence if the Data Protection Board or any other regulatory authority requests documentation. Fieldwork monitoring is available as an add-on service quoted at engagement scoping.
6. Compliance Certification and Final Handover. Once survey fieldwork is complete, KAMRIT issues a Compliance Certification Report that documents the entire compliance chain: RIA, consent architecture, document execution records, technology review (if applicable), and fieldwork monitoring (if applicable). The report includes a statutory declaration signed by KAMRIT's authorised signatory that the primary research programme was conducted in compliance with applicable laws. This document is suitable for inclusion in investor data rooms, regulatory submissions, and statutory audit files. The certification is delivered within 5 working days of fieldwork completion.

Timeline

From kickoff to compliance certification, a standard primary research engagement with KAMRIT takes 15 to 22 working days. The KAMRIT-controlled stages (scoping, consent architecture design, documentation preparation, and final certification) account for approximately 12 to 14 working days and are within KAMRIT's direct control. The regulator-controlled stage, specifically the MOSPI notification review under the Collection of Statistics Act 2008 for foreign entity surveys, is handled by MOSPI and typically takes 21 to 30 calendar days from submission of the complete notification package. KAMRIT submits the MOSPI notification within 3 working days of completing the consent architecture. Delays in client feedback or execution of consent forms will extend timelines proportionally. For purely domestic surveys without MOSPI triggers, end-to-end timelines compress to 12 to 16 working days. Rush engagements with a 7-working-day delivery target are available at a 40% premium, subject to resource availability. Government holidays and weekends are excluded from working-day calculations. KAMRIT provides a detailed Gantt-style project timeline within 24 hours of engagement confirmation.

How our pricing compares

KAMRIT's primary research compliance advisory starts at Rs 84,899 for the standard engagement covering scoping, consent architecture, document preparation, and compliance certification. This fee is all-inclusive of KAMRIT professional fees; government fees (MOSPI notification filing fee of Rs 5,000 under the Collection of Statistics Act 2008 rules) are billed separately at actuals. IndiaFilings charges Rs 45,000 to Rs 65,000 for market research regulatory compliance advisory but excludes technology infrastructure review and fieldwork monitoring, both of which KAMRIT quotes as optional add-ons. Vakilsearch does not offer a dedicated primary research compliance service and refers such queries to their legal advisory practice at Rs 1,500 to Rs 3,000 per hour, making total project costs unpredictable and typically 30 to 45% higher than KAMRIT's fixed-fee model for comparable deliverables. ClearTax offers survey compliance under their compliance umbrella at Rs 55,000 but their service is limited to IT Act 2000 and basic DPDPA alignment, without the sectoral depth required for fintech, pharma, or real estate surveys. LegalRaasta quotes Rs 35,000 to Rs 50,000 for data protection advisory but does not provide MOSPI notification services or fieldwork compliance monitoring. KAMRIT's price reflects the depth of sectoral regulatory expertise across fintech RBI guidelines, pharma ICMR standards, and RERA marketing compliance, backed by a documented compliance certification that has been accepted in investor due diligence processes and regulatory inquiries.

Common mistakes KAMRIT avoids

Most businesses that come to KAMRIT after a failed DIY attempt make one or more of the following errors. Each is a distinct regulatory risk, not just an administrative oversight.

• Using a generic 'I agree to terms' checkbox without a purpose-specific consent notice under Rule 3(1) of the DPDPA Rules 2025, making every data point collected legally questionable
• Failing to notify MOSPI for foreign-commissioned surveys with 50 or more respondents, attracting penalties under Section 9 of the Collection of Statistics Act 2008
• Collecting minor data (respondents under 18) without parental consent and age verification, directly violating Section 8(1) of DPDPA 2023
• Storing raw survey data on personal devices or unencrypted cloud storage without a documented data processing agreement, creating liability under Section 8(6) of DPDPA 2023
• Using survey results in investor presentations or regulatory filings without a documented methodology and compliance certification, creating misrepresentation risk under SEBI ICDR regulations
• Assuming B2B surveys are exempt from data protection law because they involve professionals, when every respondent's personal data (phone, email, designation) still requires lawful basis under Section 5 of DPDPA 2023
• Retaining survey data beyond the stated retention period without a documented extension or renewal of consent, triggering the right to erasure under Section 11 of DPDPA 2023
• Not briefing field enumerators on consent protocols and data handling, making the data controller vicariously liable for enumerator breaches under Section 8 of DPDPA 2023