DPDP Draft rules passed: What does this mean for marketers?

The rules for withdrawing consent and erasing data make it hard for marketers to keep collecting data over time, which can lead to less accurate targeting

author-image
Vishesh Sharma
Updated On
New Update
Data-protection
Listen to this article
0.75x 1x 1.5x
00:00 / 00:00

New Delhi: On January 3, 2024, MeitY released draft rules for the Digital Personal Data Protection (DPDP) Act. The much-awaited regulations are now open for public consultation. Among the prominent features of the bill is that parents must provide “verifiable” consent if their ward wishes to open a social media account. 

 

Recently, the Australian government also introduced a bill in Parliament to prohibit children under 16 from accessing social media platforms. The bill was also backed by the Senate.

The need for “verifiable” proof sheds light on how governments across the world are putting steps in place to “safeguard” children making it difficult for marketers to target the upcoming generation.

With new regulations and limited social media access for children, marketers will face a tough challenge trying to gather authentic data about young consumers. They must find innovative, compliant ways to understand children's preferences, ensuring data authenticity amidst stricter privacy laws. This requires adaptability and creativity to reach young audiences effectively.

Among other features of the Act, the notice from the Data Fiduciary (organisation collecting data) to the Data Principal (individual providing data) must be clear, standalone, and easy to understand. It should list the personal data being collected, explain the purpose, and describe the goods or services enabled by the processing simply.

Additionally, it must provide a link to the Data Fiduciary’s website or app and explain how to withdraw consent, exercise rights, and make complaints.

The rules for withdrawing consent and erasing data make it hard for marketers to keep collecting data over time, which can lead to less accurate targeting.

For consumers, this means they won't get annoying calls from websites where they entered their phone number if they choose to withdraw their consent or opt for erasure of data. 

The act also mandates that if a Data Fiduciary processes personal data for purposes listed in Schedule III and the Data Principal does not engage with the Fiduciary within a specified period, the personal data must be erased unless required for legal compliance. 

Before erasure, the Data Fiduciary must notify the Data Principal at least 48 hours in advance, alerting them that their data will be erased unless they log in or initiate contact with the Fiduciary to fulfill the specified purpose. This notification allows the Data Principal to preserve their data by taking action.

It is important to note that the act enforces the setting up of a Data Protection Board (DPB), an online office, that will have the power to investigate data breaches and enforce penalties. It can conduct remote hearings and fine up to Rs 250 crore, making it a strong regulator in data protection.

To wrap it up, marketers need to pull up their socks in terms of data collection especially third-party data the DPDP Act.

DPDP Act DPDP 2023 personal data Data Protection Bill Data Protection DPDP
Advertisment