DIRECT MARKETING UNDER INDIA’S NEW DIGITAL DATA PROTECTION LAW

Direct marketing is the promotion or marketing of a product or service directly to customers. It may be undertaken through various modes such as email or social media campaigns, or through telemarketing. There is no single law specifically regulating direct marketing in India. 

On August 11, 2023, India put into effect the Digital Personal Data Protection Act, 2023 (“DPDPA”), the fourth iteration of the data protection law. The advent of the DPDPA will impact the direct marketing efforts of businesses. Until the DPDPA is enforced, India’s data protection laws of general application comprise the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) issued under the Information Technology Act, 2000. Separately, the Telecom Commercial Communications Customer Preference Regulations, 2018 (“TCCCPR”), issued under the Telecom Regulatory Authority of India Act, 1997, would apply to direct marketing efforts through telephonic means. Lastly, sectoral regulators (for instance, in the financial sector) impose several restrictions on the promotion and marketing of regulated products and services, which businesses ought to consider depending on the industry.

Businesses that use individuals’ personal data for the purposes of direct marketing need to gear up to ensure compliance with the requirements laid down by the DPDPA and resolve any conflicts with the TCCCPR or sectoral laws where necessary. This article provides an overview of the obligations under the DPDPA, as well as practical concerns and recommendations for compliance.

GROUNDS OF PROCESSING

The DPDPA establishes consent as one of the primary grounds for processing personal data. To be valid, consent must be free, specific, informed, unconditional, unambiguous with a clear affirmative action, for a specified purpose, limited to personal data that is necessary for such specified purpose, and withdrawable. The DPDPA also imposes a notice requirement where processing is based on consent: every consent request must be accompanied or preceded by a notice informing individuals about the personal data sought to be collected and the purposes of processing, the manner of exercising their right of grievance redressal, withdrawing consent, and raising a complaint with the Data Protection Board. Where consent was collected prior to the implementation of the DPDPA, such notice must be provided as soon as reasonably practicable.

In the absence of explicit guidance on consent, businesses can turn to other jurisdictions’ data laws to understand consent thresholds. The data privacy laws of the European Union and the United Kingdom lay down consent standards that are largely similar to the ones under the DPDPA. We expect the Indian government to issue guidance on how organisations may practically seek consent from data principals.

The DPDPA does not provide another legal basis for processing that may be appropriate for the purposes of direct marketing. In the absence of any other appropriate ground, organisations will have to seek the consent of individuals to engage in direct marketing efforts.

The DPDPA shall prevail over the other laws when a conflict arises between them. However, where such conflict pertains to cross-border transfers of personal data, the other law will prevail if it imposes a higher threshold. Therefore, organisations need to be mindful of data protection obligations arising out of laws such as the TCCCPR or relevant sectoral laws. For instance, the TCCCPR requires organisations to seek the explicit consent of individuals prior to sending them certain categories of promotional communication. In case of conflicts, the DPDPA will prevail and compliance must be approached accordingly.

ADDITIONAL OBLIGATIONS REGARDING DATA OF A CHILD OR PERSON WITH DISABILITY

The DPDPA imposes additional obligations for processing the personal data of children (i.e., individuals under eighteen years of age) and persons with disability. Data fiduciaries are prohibited from tracking, behavioural monitoring, or targeting advertisements at children. Therefore, businesses are precluded from using children’s personal data for direct marketing.

Nevertheless, the central government may exempt certain categories of business, or processing for certain purposes, from this requirement. In this case, direct marketing towards children would be permissible so long as it is unlikely to trigger any detrimental effect. Additionally, the age threshold may be lowered for certain data fiduciaries, if the central government is satisfied that the processing is “verifiably safe”.

Similarly, the personal data of a person with disability, who has a lawful guardian, may only be processed (including for direct marketing purposes) with the “verifiable consent” of their lawful guardian.

PRACTICAL NEXT STEPS FOR BUSINESSES

In order to adhere to the obligations under the DPDPA, businesses will need to overhaul their collection and processing of personal data, and may consider the following measures to kickstart compliance:

  1. Conducting a data mapping exercise to determine whether they process any personal data, collected on the basis of consent, that is used for direct marketing;
  2. Providing data principals, upon implementation of the DPDPA, with a notice drafted in accordance with the requirements of the DPDPA, if personal data is processed for direct marketing on the basis of consent;
  3. Developing a user journey to provide sufficient notice and collect valid consent;
  4. Ceasing any tracking or behavioural monitoring of children, or targeted advertising directed at children;
  5. Carving out separate avenues in user journeys for children and persons with disability;
  6. Implementing mechanisms to verify the consent of the lawful guardian of a person with disability, taking into account the available technology and risks inherent in the processing; and
  7. Regularly reviewing available age verification and consent verification mechanisms to ensure the use of appropriate current technology.

CONCLUSION

Non-compliance with the requirements for processing personal data belonging to children or persons with disability may attract penalties as high as INR 200 crore. On the other hand, general non-compliance with the DPDPA may be met with a penalty as high as INR 50 crore. Accordingly, we recommend that businesses start evaluating their direct marketing activities and data collection journeys at this stage. Businesses may reach out to data protection law firms for assistance in this regard. They may also perform a global data review of other data privacy laws and best practices to inform their own compliance with the data protection law.