Consent or Consequences: How the DPDP Act is Reshaping Indian Marketing

Data Protection And Privacy
30
Jan' 24

In the Indian market, unsolicited marketing emails and calls constitute a pivotal pillar of customer acquisition. A comprehensive survey reveals that a staggering 66% of the population encounters three or more such calls daily. Suffice it to say the number of promotional e-mails is far greater than that. Notably, the financial services sector accounts for a substantial 51% of these unsolicited communications, followed by real estate, healthcare, telecommunications, and other service industries.

In many instances, customers willingly provide their contact information themselves, or it is procured in bulk from third-party sources. While these same customers may later view such outreach as a nuisance, businesses continue to leverage these techniques extensively. For years, direct marketing via email and telephone calls has proven to be the most economical method for reaching customers quickly.

The implementation of the Digital Personal Data Protection Act (DPDP Act) signals a seismic shift in data privacy for Indian businesses. With the Act's stringent restrictions on data collection and usage solely dependent on customer consent, businesses, particularly those processing significant personal data volumes, must undertake a thorough assessment of their practices to ensure alignment with the new legal landscape.

What Does the DPDP Act Say?

The DPDP Act extends its purview to the processing of any "digital personal data," which encompasses any information relating to an identifiable individual, whether directly or indirectly. This includes commonly utilized identifiers such as names, mobile phone numbers, and email addresses. Notably, even physically collected data, such as handwritten forms, becomes subject to the DPDP Act's provisions upon digitization.

However, the Act excludes data rendered publicly available by the individual, such as contact information displayed on a personal social media profile, and data whose disclosure is mandated by law. For instance, a sales representative could contact the author of this blog using the contact details listed on his publicly accessible LinkedIn profile without seeking his prior consent.

Centralizing Consent

The DPDP Act establishes a consent-driven framework for data processing. This signifies that a business (referred to as a Data Fiduciary under the DPDP Act) is prohibited from collecting or utilizing personal data without obtaining an individual's (referred to as a Data Principal under the DPDP Act) free, informed, and explicit consent.

The onus of demonstrating verifiable consent rests solely on the business. To ensure compliance, the business must maintain comprehensive audit logs that meticulously document the legitimate acquisition of consent for each individual's data. These logs should also specify the respective consent preferences of each individual.

Individuals retain the inherent right to withdraw their consent at any time. Upon such withdrawal, the business is obligated to promptly erase the associated data. Furthermore, data must be deleted once its stipulated purpose has been fulfilled. While the precise time frame for post-consent withdrawal and purpose-completion deletion remains in flux, indefinite storage is strictly prohibited.

Transparency and Purpose Specificity during Consent

Before obtaining consent for data processing, a business must provide a comprehensive notification to the individual. This notification should detail the specific types of data to be collected and the exact purposes for which it will be used. Notably, the use of the data is strictly limited to these pre-disclosed purposes. Any deviation from the specified purposes constitutes a direct violation of the DPDP Act and its emphasis on informed consent.

To illustrate: Consider a scenario where a business collects customer information and seeks consent for three distinct uses:

  • (a) Promotional communications
  • (b) Product launches
  • (c) Newsletters

If the customer grants consent for the latter two purposes (b and c) but explicitly denies it for the first (a), the business can only communicate with the customer about product launches and newsletters. Transmitting any other content without the individual’s express consent would constitute a clear breach of the DPDP Act and the data principal’s rights.

The DPDP Act provides for penalties of up to INR 250 crores for certain instances of non-compliance.

Individuals’ Rights Under the Act

The DPDP Act empowers individuals with significant control over their data, which in turn increases the compliance responsibilities of businesses, particularly during marketing emails or calls. Some of the key rights include:

  • Right to Access Information: Upon request, the business is required to provide the individual with a summary of the processed data, the activities involved in processing, and the identities of entities with whom the data has been shared.
  • Right to Modify, Update, and Delete Data: The databases of businesses must reflect any changes in consent preferences promptly, and data processing activities must be adjusted accordingly.
  • Right to Grievance Redressal: Businesses must provide readily accessible grievance redressal in relation to their responsibilities under the DPDP Act.

To Ponder On

The DPDP Act marks a turning point in India's marketing landscape, shifting the power from intrusive tactics to informed consent. While adapting will require effort, it presents tremendous opportunities to build trust and engage customers authentically. Businesses that embrace this shift and leverage consent as a competitive advantage will thrive in the new data-driven era. The DPDP Act doesn't spell doom for marketing; it's a chance to do it better. Start your journey towards ethical and sustainable customer engagement today.