
Control over Receiving Marketing Communications: Under India’s New Privacy Law


The Digital Personal Data Protection Act, 2023 (DPDP Act) that is set to be enforced soon intends to provide individuals control over their personal data. Such control will also encompass the ability to regulate marketing communications. Considering this, in this article, we analyse how the DPDP Act impacts existing marketing practices of businesses.
Only ‘Yes’ Means ‘Yes’
Consent for marketing is required to be obtained through an affirmative action, instead of nudging users through opt-out or having pre-ticked boxes. Businesses may accordingly need to consider steering away from default ‘yes’ check box mechanisms, which ‘nudge’ customers to agree receiving marketing content.

Purpose Limitation
Personal data collected, or otherwise processed basis consent or where voluntarily provided by an individual should be limited to ‘specified purposes’. For instance, a customer merely sharing their contact number/email address with a restaurant towards securing a reservation may not necessarily imply consent for receiving future marketing communications.
‘Specific’ and ‘Unconditional’ Consent

The DPDP Act requires consent obtained to be ‘specific’ and ‘unconditional’. For consent to be specific, businesses may need to consider whether the purposes for which consent is being obtained are tailored, and not overbroad. Further, the requirement that consent is also ‘unconditional’ may oblige businesses to revisit instances where consent for marketing is bundled with other permissions, such as permission to access data required to provide a service.
In fact, the distinction between: (i) data required to provide a service; and (ii) data required for marketing may often be blurry – especially where targeted advertising is the core revenue model of businesses such as social media platforms, which may make bundling potentially justifiable in certain cases.
A Pay or OK Model?

For free services offered in two-sided markets, where the platform facilitates interactions between buyers and sellers (e.g., e-commerce platforms, social media platforms, etc.) - the B2B customer of the platform, and not the end user, pays for the service as quid pro quo for the B2B customer gaining marketing leads among end users. In fact, in the EU, the ‘pay or OK model’, wherein users either pay for a service, or consent to targeted advertising has been challenged under EU’s data protection law. This leads to a two-fold question:
(i) Can targeted advertising be regarded as necessary to providing of a free service, and
(ii) Would an excessive or unfair price for a subscription as an alternative, as well as a nudge to agreeing to targeted advertising, mean that consent is not freely given or is conditional, contrary to the DPDPA requirement?

Interestingly, unlike the GDPR, the DPDP Act does not recognize fairness as a principle. However, fairness is separately regulated under Indian consumer protection law. Businesses may therefore also need to consider whether an excessive subscription price may be perceived as an ‘unfair trade practice’ under consumer protection law.
What Happens to ‘Selling’ and ‘Buying’ Data?
Businesses that previously ‘purchased’ data ‘sold’ online from data brokers without any preexisting relationship with the customer for marketing, would need to consider in each case whether there is a lawful basis such as consent to further share/receive such data for sales and marketing purposes. This may require additional due diligence for marketing teams, as well as robust representations and warranties while receiving data from data suppliers and third parties, to ensure that such receipt is kosher from a DPDP Act perspective.

Can I Object to Marketing?
The DPDP Act does not contain a ‘right to object’ to marketing unlike the GDPR. However, consent for marketing purposes under the DPDP Act may be withdrawn by the customer (e.g., by clicking the ‘unsubscribe’ button). In the absence of legitimate interests as a lawful basis under the DPDP Act (unlike the GDPR), personal data retained by a business may have to be deleted, unless personal data can be retained pursuant to another lawful basis.
No More Ads to Children?

The DPDP Act expressly prohibits behavioural monitoring, tracking or targeted advertising directed at children. However, from the text of the DPDP Act, it is unclear if children as a category can receive recommendations that are age-appropriate for them, i.e., if the restriction is only against curating marketing content tailored to a particular child.
Summing up
To conclude, businesses will need to revisit their consent requests, privacy notices as well as data handling practices to ensure compatibility with the DPDP Act. Training and sensitization of teams would ensure that a culture of privacy permeates the overall marketing strategy of businesses.

Supratim Chakraborty
Supratim Chakraborty is at Khaitan & Co.

Siddharth Sonkar
Siddharth Sonkar is Associate at Khaitan & Co.