含羞草社区

The Digital Personal Data Protection Act, 2023 (DPDPA) has transformed the data protection landscape. As businesses await its implementation, a key concern, particularly for B2C industries, is its impact on digital advertising and commercial communications. Advertising has become increasingly personalised. Businesses try to reach consumers most likely to engage with their products or services, often tracking users across websites, devices and platforms through technology. The collection and processing of personal data is essential to build detailed user profiles.

Unlike data protection frameworks in other jurisdictions, such as the EU, the DPDPA primarily allows consent as the legal basis for processing personal data. This is particularly challenging for businesses that rely on inferred interests rather than voluntarily provided user data. Although the DPDPA includes a legitimate use ground for data voluntarily shared by users, it is of limited use in advertising, where data is usually collected passively or inferred from online behaviour.

To comply with the DPDPA, businesses need to shift from broad-based data collection models to more focused and transparent practices. One approach is to restrict data collection only to that which is crucial for advertising. Businesses should ensure that privacy notices are straightforward, clear, and easily comprehensible. They must clarify how consumer data will be utilised for advertising and commercial communications.

Businesses may adopt anonymisation and pseudonymisation, enabling targeted advertising without breaching data protection standards. Previously common activities such as data broking must be restructured to comply with the DPDPA’s stringent consent requirements. One solution is adopting zero-party data strategies, in which consumers voluntarily share their preferences through activities such as quizzes or surveys in exchange for rewards. An alternative is the use of federated cohorts, groups of unidentifiable individuals with similar preferences, allowing advertising without using personal data.

Challenges, other than the DPDPA, include telecommunications regulations, particularly the , governing promotional communications. Under the TCCCPR, businesses must check phone numbers against the national Do Not Disturb (DND) list before sending messages. Businesses must also collect consent through a prescribed mechanism for communicating with existing customers.

This is a significant compliance challenge, with businesses having to obtain consent under the DPDPA to process personal data for advertising and under the TCCCPR to send communications. These consents cannot be bundled because the TCCCPR requires consent to be collected through the newly introduced digital consent acquisition architecture, a part of the TCCCPR blockchain-based governance mechanism. Prospective customers registered for DND cannot be sent promotional communications regardless of whether DPDPA-compliant consent to process their data has been obtained. This produces a disconnect between advertising and delivery. Users may be ideal targets, but are unreachable.

To overcome this compliance gap, businesses may implement dual consent mechanisms, clearly distinguishing consent for data processing for advertising and consent for the delivery of promotional communications. These use TCCCPR-compliant systems to trigger consent acquisition by targeting phone numbers on a consent acquisition portal or displaying prominent QR codes. The two consents remain separate. Enterprises may also install first-party engagement systems such as in-app notifications, platform-centric notifications or nudges.

Businesses can thus reduce their dependence on TCCCPR-compliance mechanisms, having no need to communicate with consumers through phone calls and SMS. They rely instead on internal user-focused promotional mechanisms.

Although the dual-consent challenge seems complex, it allows businesses to re-engineer their advertising strategies and build privacy-conscious frameworks. As data protection and telecom regulations evolve, businesses that adapt will remain compliant and gain greater consumer trust. By aligning with the new regulatory regime, businesses can continue to engage their target audiences effectively while complying with legal requirements.

Ada Shahrbanu is a senior associate and Ajeeth Srinivas is an associate at Spice Route Legal