“Let’s say you join as the Chief Privacy Officer of a finance company, let’s call it B-Finance, which has been spamming people quite a lot in India. Day one, what would you do when you’re dealing with the vast amount of datasets that are being operationalized and the sources of that data are not even known and the entire business model of that company depends heavily on that spamming that happens,” MediaNama Founder and Editor Nikhil Pahwa asked the speakers at the PrivacyNama 2023 conference held on October 26-27. Pahwa’s question comes in the context of India’s recently enacted Digital Personal Data Protection (DPDP) Act, 2023 which places restrictions on the collection and processing of personal data by companies.
- First discover what data is collected, from where, and on what basis: The first thing a company needs to invest in is identifying where the data is coming from, where it is being stored, and how it is moving out. They can get a vendor to do this. “Because when you have that much amount of data and you do not have any controls on day zero, you are running into a breach situation […] So I think building a data governance approach and starting with the data discovery would be my approach here,” Vasudha Gupta, Chief Privacy Officer, Unlimit, opined. “If you do not know your collection points, you will not know how it’s even flowing and what are the lawful basis of processing. So if I were the CPO of that particular company, the first thing I would understand is what is the lawful basis they’re using for so much data,” Jagannath PV, Chief Privacy Officer, LTIMindtree, added.
- Sensitise your marketing team: “Sensitize your marketing team on what the law is. I think that’s a very important aspect. You should make it as simple as possible. At the same time, you can’t just say the law says this. You have to articulate the law in such a way that they understand what the law says and what are the implications for the company on what the law says,” Jagannath opined.
- Implement an opt-out mechanism: “I would want to implement the opt-out option, which I’m assuming is not there, otherwise by now, at least many would have opted out. Implement the opt-out option and then revalidate your consent mechanism,” Jagannath shared. “The Data Protection Act allows the rollover of historical data with an opt-out,” Bharat Saraf, Director of Privacy at PhonePe, added, but warned that providing opt-out could be a challenge. “If we have millions of customers from whom we have collected data and we are processing that data, if we have to send them an opt-out option, where do we send that to? Do we have their verified email address? No. If we are collecting their email address, is that an additional collection which is allowed? I mean, the rules have to clarify all of that,” Saraf elaborated.
- Take granular consent: “What kind of consent are you going to take? Is it going to be granular consent? I’m a big advocate of granular consent for two reasons. One is you are allowing the data principal to know why you are taking consent. Two is if they are opting out of consent, if you do not take granular consent, you need to opt out of everything. Instead, if you provide a granular consent mode, if somebody wants to opt out of a newsletter subscription, they can do that but still can be contacted or vice versa,” Jagannath explained.
This discussion was organised with support from Meta, PhonePe, Google, and Salesforce, and in partnership with CUTS and the Centre for Communication Governance.
Adding another layer of complexity to the example given earlier, Pahwa asked the speakers what would happen when the marketing is outsourced to other companies. “There are companies who say that we’re not responsible for this because it’s been done by a company that we’ve outsourced to. So how does the data protection bill address that situation? How would you go about cleaning that function?” Pahwa asked.
- It will be the responsibility of the fiduciaries because the DPDP Act doesn’t place any requirements on data processors: Jagannath explained that the DPDP Act does not place any obligations on data processors and it is the data fiduciaries that are responsible for any processing done by data processors they work with. “If somebody is messing up on your behalf, you are going to be held accountable. So your contracts need to be very, very strongly written,” he remarked. The fiduciaries should ask their processors if they are collecting data lawfully, if they have obtained consent, if they have an audit trail for the consent, and so forth, Jagannath added.
To another set of speakers discussing user rights under the DPDP Act, Nikhil Pahwa asked about the rights that users have against companies that spam them. “Can I ask them for sources of information? Can I file a grievance with them? Like, what are the rights that I have against all this spam that I’m getting?” Pahwa asked.
- Ask them what information they have about you and then withdraw consent: “I think one of the things that we can look at is once you write to the company, you first understand what is the source of information that they have about you. And then you can ask them to withdraw consent for that particular purpose or sharing of data with that particular source,” Gangesh Varma, Principal Associate at Saraf and Partners, said.
- Users should be able to unsubscribe easily: “You obviously have to have the ability to unsubscribe and it should be an easy ability to unsubscribe, not what you see in current places, which is that sometimes you go to another website and you have to again enter your email ID, you can’t have a two-step unsubscription. I think it would have to be an easy way to withdraw consent. But also because you have my data, because you’re sending me a spam email, I have the right to access [information],” Vrinda Bhandari, an independent legal practitioner, opined.
Jagannath PV added an important point about how publicly available personal data is out of the ambit of the DPDP Act, which could allow spam marketing that exists based on publicly available data to continue as usual.
- DPDP allows data scraping: Taking the example of Clearview AI, a company that built its facial recognition technology by training its models on publicly available pictures of people, Jagannath explained how the DPDP Act allows such data scraping. “My fear is DPDPA allows you to do that. That is my biggest fear. Publicly available data or freely available data you can use it. So the same thing is going to happen here,” he remarked.
- Data fiduciaries should avoid using scraped data: Even though data scraping might be allowed under the DPDP Act, data fiduciaries must avoid using scraped data, Jagannath advised. “Because at the end of the day, you become, in European terminologies, you become joint controllers or independent controllers when you start acquiring that data. So when you become a data controller, you need to ensure that that scraped data is consented. So you have to go and take re-consent of that for that scraped data. So I’d rather not use that scraped data. I’d rather use data that I have control of and that I know has been lawfully gotten.”