DPDP Draft Rules: How marketers will navigate consent and data erasure

On January 3, 2024, MeitY released draft rules for the Digital Personal Data Protection (DPDP) Act. The much-awaited regulations are now open for public consultation. The act's prominent features include the right to data erasure and the need for “verifiable” consent from parents if their wards wish to open a social media account, along with the local storage of Indian consumers' data. 

The guidelines are expected to make the job of a marketer difficult, as they will now have to devise innovative ways to collect and harvest data to create targeted campaigns.  

The third-party data challenge 

With third-party cookies already on their way out globally, collecting third-party data will become more difficult, and marketers will now have to rely on first-party data.

Ashish Tiwari, CMO of Home Credit India, feels the new legislation will make “third-party data acquisition and utilisation almost redundant and increase accountability and transparency.”

“The data being used by marketers will now increasingly rely more on the firsthand collection, gathered by direct customer engagement, with explicit consent from individuals becoming crucial,” Tiwari added.

The strict regulations around third-party data raise the question of whether marketers will now share first-party data with their agencies as well.

Weighing in on the discussion, Yorick Pinto, Senior Creative Director at BC Web Wise, said, “Marketers will need to re-evaluate how they share first-party data with agencies to ensure compliance with the Act’s provisions. This might involve:

1. Implementing clear data-sharing contracts.
2. Appointing third-party auditors to oversee compliance and audit processes.
3.  Employing technologies such as secure data clean rooms to enable data analysis without sharing raw datasets.” 

Adding to Pinto, Tiwari mentioned that agencies will be required to demonstrate data governance practices and secure data processing and management.

“The implementation of the DPDP act will require companies to fundamentally rethink their marketing strategies, considering the impact of the law on marketing activities that will lead to an overhaul of the existing practices,” Tiwari resolved. 

Supplementing Tiwari’s thoughts, Mini Gupta, Cybersecurity Consulting Partner at EY India, said, “Marketers must ensure they have consent and auditable evidence for data collection. Without such evidence, they will need to rely more on first-party data, where consent is obtained directly. When engaging third parties or agencies to collect or process personal data, marketers must ensure compliance with the DPDP Act of 2023 and its rules. Data fiduciaries must protect personal data and ensure reasonable security safeguards to prevent breaches. This will require stricter regulations, good governance practices, stringent contractual measures, and a strong third-party privacy risk management program.” 

Marketers often gather more data than necessary, like location access, to target customers at multiple touchpoints. However, the new act will limit data collection to only what's required. This means marketers won't have access to all the information about users. So, will the new act result in less effective targeting?

Weighing in on the discussion, Pinto said, “The era of ‘collect everything, use later” is over; strategic data collection is the new mandate. The DPDP Act’s emphasis on collecting only what is necessary will put a lot of restrictions on marketers, forcing them to focus on sharply targeting their audiences to capture high-quality, relevant data while ensuring personalisation and user privacy.”

Tiwari thinks the act won't make targeting less effective. The act only limits unnecessary data collection but still allows marketers to gain insights from the data they are allowed to collect. 

“The onus is now on the marketers to effectively leverage first-party data and integrate consent-driven data sources into their strategies,” quoted Tiwari. 

Deriving “more from less”  

With the new act, marketers need to find smart ways to use less data. How are they getting ready for this, and what changes are they implementing to make it happen? 

Answering the query, Tiwari said, “At Home Credit India, we derive valuable insights from firsthand data collated from smaller datasets and strategise on maximising its potential. We prioritise enhancing our customers’ experiences by building robust CRM systems to drive personalisation, trust, and transparency. Integrating consent management and ensuring compliance is a crucial part of our customer engagement strategy.”

Suggesting how brands can prepare to do more with less, Pinto said:

•     AI and Machine Learning: These technologies are enabling predictive insights from smaller datasets, enhancing personalisation without breaching privacy norms.
•     Contextual Advertising: Marketers are returning to context-driven ad placements, where relevance is inferred from the environment rather than personal data.
•     Direct Consumer Engagement: Brands are focusing on strengthening direct communication channels like email, WhatsApp, and app-based interactions to gather consented data. This recalibration of strategies aligns with global best practices for ethical marketing.

Erasure of data as a challenge 

“The Data Principal’s right to the erasure of data introduces operational complexities, particularly in managing legacy data systems. Ensuring complete deletion of customer data across interconnected platforms and backups will require significant infrastructure upgrades,” highlighted Tiwari. 

Mentioning more challenges that arise from the right to the erasure of data, Gupta (EY India) said, “The rights granted to a data principal include the ability to request the erasure of their personal data. However, a lack of visibility into the personal data inventory and its touchpoints, both within the organisation and externally, can pose significant challenges in comprehensively erasing the data. 

Moreover, marketers will need to ensure that their data processors also erase any personal data provided to them for processing. This includes verifying that data has been thoroughly deleted from the data processors' systems. These challenges highlight the importance of having a clear and comprehensive data management strategy to ensure compliance with data erasure requests.” 

How should marketers prepare? 

The challenge is monumental, the regulations are strict, and the costs are high, so how can a marketer prepare for the challenge that’s coming ahead? 

Sharing her thoughts on the subject, Gupta (EY India) said, “Before the Act is implemented, every marketer should assess their current state in relation to the applicable provisions of the Act. At a minimum, they should gain visibility into the personal data collected or processed by them, including various personal data touchpoints such as processing activities, technology systems, and third parties external to the organization. A comprehensive data mapping exercise is critical and foundational to comply with the Act.” 

Focusing on the need to invest in robust technology for the data infrastructure that will ensure compliance with data storage, access, and erasure requirements, Tiwari also stressed simultaneously training the team involved in the process.  

Wrapping it up, Soumya Mohanty, MD and Chief Client Officer, Kantar, said, “Collecting data with consent, like in market research, is the right approach. Marketing has always used consented and aggregated data with clear guidelines. First-party data alone isn't enough; you need insights from a broader audience. So, get used to working with consented sample data.”