The Digital Personal Data Protection Act, 2023 (DPDPA), the first-ever data privacy law in India, is finally live. In the ever-evolving digital landscape in India, data protection regulation is paramount. Everyone dealing with data must understand the implications the Act will bring in.
The Digital Personal Data Protection Act brings stricter compliance requirements to streamline user privacy across India. Marketers must know about it and understand its impact on their activities.
In this blog, we will cover the Act comprehensively from a marketer’s perspective.
Estimates say there will be 907 million internet users in India in 2023, with around 10 million users added monthly. India needs a data protection law because safeguards for user privacy are lacking. Countries around the world are coming up with their own data privacy laws. The European region leads with the General Data Protection Regulation (GDPR), followed by the California Consumer Privacy Act (CCPA/CPRA) and others.
In India, users have relied on the Information Technology Act, 2000 for data privacy. The Supreme Court of India, in 2017, said that the right to privacy is a fundamental right under Article 21 of the Indian Constitution. However, there were no regulations specifically for preserving user data privacy until the DPDPA, 2023 was passed.
The Digital Personal Data Protection Act, 2023
On August 11, 2023, the president of India granted assent to the Digital Personal Data Protection Act, 2023 (DPDPA). This law will have a greater impact on all the businesses that collect data from people in any form. The Act talks comprehensively about user consent for data processing, the measures businesses must take, penalties for non-compliance, and more.
This law applies to data processed beyond the territorial limits of India if it pertains to the data of users in India. The law defines personal data as “any data about an individual who is identifiable by or in relation to such data”. This means:
- Any data that helps identify an individual.
- Even if you do not have the name, email address, phone number, or IP address of the user but you have a photograph and the name of the company, the combination of the photograph and the company name can be personal data.
Therefore, the DPDPA stands as a bulwark of user data privacy of people in India. It applies to both citizens and non-citizens if they are in India.
For example, if an eCommerce business or a marketer is not from India but deals with users in India, the DPDPA applies to them and mandates that they comply with it.
When Does The Law Come Into Force?
As per the Digital Personal Data Protection Act, the law comes into force when the Government of India notifies it. However, the Union Minister for the Ministry of Electronics and Information Technology, Shri Ashwini Vaishnav, says, “the implementation of this law will take at least six to ten months”.
Therefore, all businesses dealing with the data must make necessary arrangements to comply with the law within 10 months. By the end of 2024, all businesses must be prepared for the DPDPA by shifting to privacy-preserving technologies. To make matters worse, Google Chrome is also phasing out third-party cookies by the end of 2024.
To comply with the data privacy updates, marketers must start relying on first-party data, the gold mine. In addition to that, regular data audits and other measures are necessary to ensure compliance with the law.
Who Implements The Digital Personal Data Protection Act?
The Data Protection Board of India, an independent body, will be responsible for all the complaints related to the DPDPA.
All organizations must appoint
- A data protection officer, and
- An independent data auditor,
who help the business comply with the law. The data protection officer will represent the company in front of the Data Protection Board. He/she will be the point of contact to address users’ grievances regarding personal data privacy. The data protection officer must conduct data protection impact assessments regularly.
In the case of failure, the user can directly approach the Data Protection Board of India, which operates in digital mode. The board resolves the issues and functions like a civil court that also imposes a penalty for non-compliance.
If either party is unsatisfied with the order of the Data Protection Board of India, they may approach the appellate tribunal within 60 days. The appellate tribunal will expedite the case to dispose of it within six months.
Who Does The Digital Personal Data Protection Act Safeguard?
The Digital Personal Data Protection Act has jurisdiction over everything that happens within the territory of India. The law has its extra-territorial jurisdiction when it is related to the people within India.
DPDPA does not safeguard only the citizens but also the non-citizens living in India.
The law applies to all businesses irrespective of their base of operations if they are dealing with or have customers in India. If the business is processing user data in India, it must comply with the regulations laid down by the Digital Personal Data Protection Act.
Opt-in & Opt-out Consent
The law clearly states that the user consent must be accompanied or preceded by a notice
- Informing the users of the personal data collected,
- The purpose for which it is processed,
- How to revoke the consent, and
- How to raise a complaint with the Data Protection Board.
Any business that has collected personal data before the law comes into force must inform all users about how their data is processed and obtain their consent for further processing.
Rights The Users Have Under The DPDPA, Privacy Law In India
The Digital Personal Data Protection Act, 2023, offers 4 exclusive rights to users in India, and they are as follows:
- Right to access: Get the summary of personal data and with whom the data is shared. The user also has the right to seek the information on the purpose of data processing.
- Right to correction & erasure: The user has the right to withdraw the consent and request to correct or delete personal data. The data protection officer must ensure that it is done.
- Right of grievance redressal: The users have the right to grievance redressal with the data protection officer. It also means that businesses should inform users of the grievance redressal mechanism.
- Right to nominate: The user has the right to nominate another person to exercise their right to privacy. This comes in handy, especially where the user ceases to exist or is incapable of exercising their right to privacy.
Impact Of The Digital Personal Data Protection Act, 2023 On Marketers
The Digital Personal Data Protection Act is the first law of its kind in India that protects the user’s privacy. Marketers and businesses are unsure of the impact the law has on them. Primarily, every digital marketer or digital business that deals with user data will see a significant impact on the way their business is conducted.
The examples and illustrations in the Act show that it focuses on the eCommerce industry, the financial industry, social media, the health care industry, the insurance sector, data processors, pharmaceuticals, real estate, the banking sector, and every other digital business.
The personal data privacy law of India is specifically clear on data processing of children (anyone who attained the age of 18). No business may, for any reason whatsoever, track children or collect their behavioral analytics for targeted advertising.
Looking at the DPDPA at a glance would not provide any deep insight into the impact. However, when you examine the Act closely, you realize that it contains a comprehensive data privacy framework.
Below are the implications of the Act on the marketers:
Data Minimization, Purpose Limitation and Data Transparency
Businesses can only process or collect the personal data that is necessary, relevant and confined to the purpose for which the data is required.
Businesses have to get clear consent to process the data and be transparent with users about the data processing mechanisms. Robust and comprehensive consent mechanisms have to be put in place to let users know the purpose for which they are providing consent. Let the users understand how the data is used. All websites must incorporate a consent manager application such as Cookiebot, Cookie-Script, etc., to ensure proper consent is taken from the user.
The minimum penalty for the businesses is Rs. 50 Crores and the maximum penalty is Rs. 250 Crores. The data fiduciary has to pay a penalty of up to Rs. 250 Crores if they fail to provide necessary safeguards to prevent a personal data breach.
What Should Marketers Do To Reduce Impact of The Digital Personal Data Protection Act?
Shift Focus To First-party Data
Relying on third-party data sources is not advisable in the era of data privacy. Even applications like Google Chrome are phasing out third-party cookies to be in compliance with the data privacy regulations. Consent becomes paramount to the users and therefore, marketers must adopt first-party data to navigate through the data privacy landscape. First-party data is high-quality data as the users themselves voluntarily give consent. So, any data that comes directly from the user is of higher importance than data from a third-party source.
Robust Data Governance
The DPDPA mandates a regular data audit and a data protection impact assessment by businesses to ensure that the required guidelines are followed. Robust measures are to be brought in to protect the personal data of the users, as a breach of data will attract a penalty of around Rs. 200 Crores.
Enhanced Privacy-centric Marketing
Marketers must shift their focus towards offering personalization while protecting the user’s privacy. That is where Meta brings in tools like Conversions API and Advanced Matching in Pixel, and Google brings in enhanced conversions. Similarly, every company is leveraging privacy-centric technologies to carry out its marketing activities without any loss.
Data signal loss was on the higher side as soon as the data privacy updates kicked in. Some businesses have mitigated signal loss by embracing privacy-preserving technologies. Customer Data Platforms like CustomerLabs, which sync the data on the server side using tools like Conversions API, help businesses leverage the full potential of first-party data and maximize their performance.
Important Terms That Marketers Should Know In The DPDPA
Even before knowing the clauses, the marketer should know the meanings of a few terms used in the Act. Below are the terms and the definitions:
- Consent Manager: “A point of contact between the users and the businesses who allows the user to give, manage, review and withdraw their consent in an accessible and transparent way.”
- Data Fiduciary: “Ideally it is any business, especially marketers and eCommerce businesses, that determines the purpose and means of processing the user data.”
- Personal Data: Personal data is all PII like name, email addresses, phone numbers, IP addresses and other combinations of details which help identify a user. For example, if you have a person’s photo and the workplace name, you can find their name and other details. Therefore, even the photo and the workplace name are considered personal data.
- Processing: Processing means wholly or partly automating the process of collecting, recording, storing, organizing, structuring, adapting, retrieving, indexing, sharing, combining, transmitting, disseminating, and aligning the data for any purposes.
Important Clauses Marketers Should Know In Data Privacy Act Of India
Even though the entire Act is important for a marketer to read, below are the most important clauses, which must be read in utmost detail.
- Clause 4: Speaks about the grounds for processing personal data
- Clause 6: Talks about ‘consent’
- Clause 7: Guides on the necessity of processing personal data
- Clause 8: Talks about obligations of a data fiduciary, i.e., you, as a marketer or any business.
- Clause 9: Clause on processing of personal data of children (anyone who attained 18 years of age)
- Clause 11, 12, 13, & 14: Rights to the users
- Clause 16: The law’s applicability outside the territory of India when the data is processed outside India
The Digital Personal Data Protection Act brings new challenges for marketers, while it also brings opportunities to build strong relationships with users by offering personalized experiences in a privacy-centric way. Embracing transparency, prioritizing first-party data, and adopting privacy-centric marketing strategies are the go-to marketing strategies for marketers to navigate through the data privacy landscape.
To stay ahead of the game,
- Educate all your teams about the provisions of the digital personal data privacy act, 2023, and how it impacts their day-to-day operations.
- Conduct regular data audits
- Consult with data privacy experts
- Adopt first-party data strategies
- Imbibe privacy-preserving technologies