DATA PROTECTION AND MEDIA

Given the increasingly fundamental role played by the media in our data-driven and interconnected world, a renewed focus on data protection is warranted in the field – particularly for the issues of profiling and direct marketing.


Profiling refers to the process of drawing inferences about a person based on the analysis of their data, to determine their preferences and accordingly predict, recommend, or decide an outcome in relation to such a person. Direct marketing entails the direct promotion or marketing of a product or service to customers, utilising channels such as email or social media campaigns, or through telemarketing. No data protection law in India specifically regulates direct marketing or profiling. 

On August 11, 2023, India enacted the fourth iteration of its data privacy law, that is, the Digital Personal Data Protection Act, 2023 (“DPDPA”). The Indian government is yet to notify dates for its enforcement. The advent of the DPDPA 2023 will impact profiling and direct marketing efforts of businesses. Separately, the Telecom Commercial Communications Customer Preference Regulations, 2018 (“TCCCPR”) issued under the Telecom Regulatory Authority of India Act, 1997, regulate telemarketing within India and would apply to direct marketing efforts through telephonic means. 

Media organisations that use individuals’ personal data for direct marketing need to gear up to ensure compliance with the requirements laid down by the DPDPA and resolve any conflicts with the TCCCPR or sectoral laws where necessary.

Specifically, businesses ought to identify the relevant ground of processing in relation to profiling and direct marketing activities. Consent is the primary ground for processing personal data under the upcoming data protection law in India. For consent to be considered valid, it must be freely given, specific, informed, unconditional, unambiguous with a clear affirmative action, for a specified purpose, limited to personal data that is necessary for such specified purpose, and withdrawable. The DPDPA also imposes a notice requirement where processing is based on consent – every consent request must be accompanied by or preceded by a notice that informs individuals about the personal data sought for collection, purposes of the processing, and procedures for grievance redressal, withdrawing consent, and filing a complaint with the Data Protection Board of India. If consent was collected before the implementation of the DPDPA, it is necessary to furnish this notice as soon as feasible.

In the event of a lack of explicit guidance on consent, businesses can refer to data laws in other jurisdictions to comprehend consent thresholds. The data protection laws of the European Union and the United Kingdom lay down consent standards that are largely similar to the ones under the DPDPA. We anticipate that the Indian government will provide guidance on how organisations can practically seek consent from data principals.

The DPDPA does not provide for another legal basis for processing that may be appropriate for the purposes of direct marketing or profiling (by media organisations, for purposes such as targeted advertising or personalised content, as opposed to profiling by, for example, financial institutions for the purposes of analysing creditworthiness). If there are no other appropriate grounds available, organisations must obtain the consent of individuals to conduct direct marketing efforts.

Therefore, media businesses that rely on profiling or direct marketing for their activities or revenue will be significantly affected as such processing can only be undertaken if an individual opts in. Given the high standards of consent and the new guidelines on dark patterns issued under the Consumer Protection Act, 2019, such opt-ins cannot be sought surreptitiously. Therefore, organisations will likely be able to conduct profiling and direct marketing in relation to far fewer individuals.  

Further, the DPDPA provides that while the data privacy law must be construed harmoniously with other legislations, in the event of a conflict between the DPDPA and other laws in relation to issues such as consent standards or grounds of processing, the provisions of the DPDPA will prevail. Hence, organisations must keep in mind the data protection obligations that stem from laws like the TCCCPR or relevant sectoral laws. As an example, the TCCCPR mandates that organisations must obtain explicit consent from individuals before sending them specific categories of promotional communication. In such instances, the consent standard outlined under the DPDPA will take precedence, and compliance measures must be approached accordingly.

Media businesses must accordingly begin delineating their processing activities at this stage itself, to determine applicable grounds of processing and restructure their business functions to the extent necessary. Previously mandatory processing will likely need to be made optional upon implementation of the DPDPA to the extent that such processing may only be conducted based on consent.