Introduction

The Digital Personal Data Protection Act, 2023 (“DPDPA”) intends to safeguard personal data of individuals from unauthorised use, transfer, or disclosure. It regulates entities handling personal data and imposes obligations and restrictions on the use and transfer of such data.

The individual to whom the personal data relates (“data principal”), is often a purchaser or recipient of a product or service from the entity that determines the purpose and means of processing of their personal data (“data fiduciary”). In such instances, the data principal may qualify as a ‘consumer’ under the Consumer Protection Act, 2019 (“CPA”) – the principal consumer protection legislation in India.

Consumers are frequently asked to share personal data like their name, address, phone number, banking and card information, and government IDs when engaging with sellers or service providers. As both data and consumer protection legislations intend to protect individuals’ interests, there are overlapping provisions in both laws that raise potential jurisdictional questions and dual compliances. This note explores the intersection between the DPDPA and the CPA and what it means for businesses.  

Notably, the CPA applies only in case of a “sale” – that is, it is not applicable to free goods or services. Additionally, it is inapplicable to goods or services availed for resale, commercial purposes (not including self-employment), or under a contract of service. Accordingly, individuals would be unable to exercise rights under the CPA (a) when they are merely browsing an online platform, (b) against employers, and (c) in most cases, against the government. Nevertheless, individuals may be able to act against businesses offering goods or services for sale, without making a purchase, if such businesses are in contravention of their obligations in relation to ethical consumer practices under the CPA (such as in relation to unfair trade practices or misleading advertisements). Additionally, a beneficiary of a paid service may seek recourse under the CPA, regardless of whether the beneficiary directly purchased such service.