DPDP Act Advanced Topics
Deep dive into complex DPDP compliance scenarios: consent management, cross-border transfers, children's data protection, legitimate uses, and regulatory conflicts. Expert guidance for organizations across Mumbai, Bangalore, Delhi, Hyderabad, Gurgaon, and Pune.
Consent Management Deep Dive
Granular vs Bundled Consent
Section 6(1) requires consent to be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action. "Specific" means that consent for one purpose cannot be bundled with consent for another, unrelated purpose, and the required purpose must not be made conditional on the Data Principal also accepting the optional one. Organizations must therefore offer a separate, independently selectable consent option for each distinct purpose.
E-commerce Platform
Non-compliant: Single checkbox: "I agree to receive order updates and marketing communications"
Compliant: Separate checkboxes: (1) "I agree to receive order updates" (required), (2) "I agree to receive marketing communications" (optional)
Banking App
Non-compliant: Bundled consent for account opening, credit assessment, and third-party offers
Compliant: Separate consent for: (1) Account opening (required), (2) Credit assessment (required for loans), (3) Marketing offers (optional)
Best Practices:
Consent Withdrawal Mechanisms
Section 6(4) gives the Data Principal the right to withdraw consent at any time, with the ease of doing so comparable to the ease with which the consent was given. The withdrawal mechanism must therefore be at least as accessible and straightforward as the grant mechanism; routing withdrawal through a slower or more demanding channel than the one used to give consent fails this test.
Mobile App
Non-compliant: Consent given via one-click button, withdrawal requires emailing support
Compliant: Consent given via button, withdrawal via the same button or in-app settings with one click
Website
Non-compliant: Consent via popup, withdrawal buried in privacy policy behind a complex form
Compliant: Consent via popup, withdrawal via account settings or a footer link with a simple toggle
Best Practices:
Consent Refresh Strategies
The DPDP Act does not set an expiry on consent. Periodically refreshing it is nonetheless good practice, especially for marketing and profiling purposes, so that processing does not continue indefinitely on a decision the Data Principal may no longer remember making. A refresh prompt must itself meet the Section 6 standard: specific to the purpose, unconditional, and as easy to decline as to accept.
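To make the three requirements above (per-purpose consent, withdrawal as easy as grant, periodic refresh) concrete, here is an added example written for this page; it is not code from the original page or from any product it describes. It is a small per-purpose consent ledger in Python. The purpose catalogue, the channel names and the 365-day refresh interval are hypothetical policy inputs; the Act sets no expiry, so the refresh rule is an organizational choice. The ledger records one decision per purpose (no bundled grant), refuses at construction time any configuration in which consent can be captured on a channel that offers no withdrawal (the Section 6(4) test), lets an optional purpose lapse into a "stale" state that requires re-confirmation, and never allows an optional purpose to gate delivery of the service.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Hypothetical purpose catalogue for the e-commerce scenario: one entry per
# purpose; "optional" purposes must never gate delivery of the service.
CATALOGUE: Dict[str, str] = {"order_updates": "required", "marketing": "optional"}


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool      # True = consent given, False = declined or withdrawn
    at: datetime
    channel: str       # UI surface used, e.g. "checkout_form", "app_settings"


class ConsentLedger:
    """Append-only, per-purpose consent record for one Data Principal."""

    def __init__(self, catalogue: Dict[str, str], refresh_after: timedelta,
                 grant_channels: Set[str], withdraw_channels: Set[str]) -> None:
        # Section 6(4), applied as a configuration rule: every channel that can
        # capture consent must also offer withdrawal. Fail closed otherwise.
        missing = grant_channels - withdraw_channels
        if missing:
            raise ValueError(f"no withdrawal on consent channels: {sorted(missing)}")
        self.catalogue = catalogue
        self.refresh_after = refresh_after
        self.grant_channels = grant_channels
        self.withdraw_channels = withdraw_channels
        self.events: List[ConsentEvent] = []

    def record(self, decisions: Dict[str, bool], at: datetime, channel: str) -> None:
        """Store one independent yes/no per purpose; there is no bundled grant."""
        unknown = set(decisions) - set(self.catalogue)
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        if channel not in self.grant_channels:
            raise ValueError(f"{channel!r} is not a consent-capture channel")
        for purpose, granted in decisions.items():
            self.events.append(ConsentEvent(purpose, granted, at, channel))

    def withdraw(self, purpose: str, at: datetime, channel: str) -> None:
        if channel not in self.withdraw_channels:
            raise ValueError(f"{channel!r} is not a withdrawal channel")
        self.events.append(ConsentEvent(purpose, False, at, channel))

    def status(self, purpose: str, now: datetime) -> str:
        """'none' | 'withdrawn' | 'stale' (re-confirmation due) | 'active'."""
        event = next((e for e in reversed(self.events) if e.purpose == purpose), None)
        if event is None:
            return "none"
        if not event.granted:
            return "withdrawn"
        # The Act sets no expiry; the refresh interval is organisational policy,
        # applied here only to optional purposes such as marketing.
        if self.catalogue[purpose] == "optional" and now - event.at > self.refresh_after:
            return "stale"
        return "active"

    def can_provide_service(self, now: datetime) -> bool:
        """Only required purposes gate the service; optional ones never do."""
        return all(self.status(p, now) == "active"
                   for p, kind in self.catalogue.items() if kind == "required")


def demo() -> Dict[str, str]:
    """Walk the e-commerce scenario through the ledger; returns what was observed."""
    t0 = datetime(2025, 1, 15, tzinfo=timezone.utc)
    ledger = ConsentLedger(CATALOGUE, refresh_after=timedelta(days=365),
                           grant_channels={"checkout_form", "app_settings"},
                           withdraw_channels={"checkout_form", "app_settings", "footer_link"})
    out: Dict[str, str] = {}
    # Two separate checkboxes: order updates ticked, marketing left unticked.
    ledger.record({"order_updates": True, "marketing": False}, t0, "checkout_form")
    out["service_without_marketing"] = str(ledger.can_provide_service(t0))
    # Later opt-in to marketing, then a one-click withdrawal from settings.
    ledger.record({"marketing": True}, t0 + timedelta(days=30), "app_settings")
    out["marketing_after_optin"] = ledger.status("marketing", t0 + timedelta(days=31))
    ledger.withdraw("marketing", t0 + timedelta(days=60), "app_settings")
    out["marketing_after_withdrawal"] = ledger.status("marketing", t0 + timedelta(days=61))
    # A renewed opt-in never refreshed goes stale; the required purpose does not.
    ledger.record({"marketing": True}, t0 + timedelta(days=90), "app_settings")
    out["marketing_after_410_days"] = ledger.status("marketing", t0 + timedelta(days=500))
    out["order_updates_after_500_days"] = ledger.status("order_updates", t0 + timedelta(days=500))
    # The non-compliant mobile-app pattern (withdraw only by e-mailing support)
    # is rejected as configuration, before any consent is captured.
    try:
        ConsentLedger(CATALOGUE, timedelta(days=365), {"one_click_button"}, {"email_support"})
        out["email_only_withdrawal_rejected"] = "False"
    except ValueError:
        out["email_only_withdrawal_rejected"] = "True"
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that the ledger never stores an aggregate "accepted terms" flag: every purpose has its own event history, so a withdrawal for marketing cannot touch order updates, and an auditor can reconstruct exactly which channel recorded each decision and when.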
Best Practices:
Consent Manager Integration
The Act itself provides for Consent Managers (Section 6(7) to 6(9)): a Data Principal may give, manage, review and withdraw consent through a Consent Manager registered with the Data Protection Board, which acts as a single point of contact and is accountable to the Data Principal. Rule 4 of the draft DPDP Rules, 2025 sets out the registration conditions and obligations of Consent Managers. Organizations can integrate with registered Consent Managers for standardized consent capture, review and withdrawal.
Technical Considerations:
Cross-Border Transfer Complexities
Restricted Countries Framework
Section 16(1) allows the Central Government, by notification, to restrict the transfer of personal data to specified countries or territories. Organizations must monitor such notifications and be able to stop transfers to a newly restricted destination quickly. Section 16(2) preserves any other Indian law that imposes a stricter localization or transfer restriction (sectoral rules, for example), so the Act sets a floor for transfer controls, not a ceiling.
As of January 2025, no list of restricted countries has been notified. Organizations should nonetheless prepare for restrictions: a notification can take effect faster than a data-flow inventory can be built from scratch.
Preparation Steps:
Cloud Infrastructure Considerations
Most organizations use cloud providers with global infrastructure. Cross-border transfer compliance requires careful architecture.
Multi-Region Cloud Deployment
Challenge: Data may be replicated across regions for redundancy
Solution: Configure cloud services to restrict data to specific regions, disable automatic cross-region replication, use region-specific encryption keys
Global SaaS Platform
Challenge: Customer data from India mixed with global customer data
Solution: Implement data residency options, separate Indian customer data, use dedicated India region infrastructure
Adequacy Decisions (Future)
The DPDP Act does not currently provide for GDPR-style adequacy decisions. It works the other way round: transfers are permitted by default, and the Central Government restricts specific destinations by notification (Section 16). Whether a positive list of approved countries or additional transfer conditions will be introduced through rules or amendment remains open; monitor for developments.
Children's Data Protection
Age Threshold: Under 18
Unlike GDPR (16 years, which member states may lower to 13) or COPPA (13 years), the DPDP Act defines a child as anyone who has not completed 18 years (Section 2(f)). The much higher threshold brings far more users into the parental-consent regime, so age determination must be reliable rather than a self-declared checkbox.
Implications:
Verifiable Parental Consent
Section 9(1) requires the "verifiable consent" of the parent or lawful guardian before a child's personal data is processed. Organizations must therefore have reasonable assurance that the consent actually comes from that parent or guardian, not from the child.
Verification Methods:
OTP to Parent Mobile
Document Verification
Credit Card Verification
Video KYC
Prohibited Processing
Section 9(3) prohibits tracking or behavioural monitoring of children and targeted advertising directed at children. Section 9(2) separately bars any processing that is likely to cause a detrimental effect on a child's well-being.
Prohibited:
Allowed Processing:
Legitimate Uses Analysis (Section 7)
When Consent is NOT Required
Section 7 ("certain legitimate uses") lists the specific purposes for which personal data may be processed without consent. Understanding these grounds, and their limits, is critical: they are narrower than GDPR's legitimate-interest basis and include no general business-interest ground.
Voluntary provision by Data Principal (Section 7(a))
Example: A user types an email address into a contact form to receive a reply
Conditions: The purpose must be clear at the point of provision, the data may be used only for that purpose, and the Data Principal must not have indicated that they do not consent
Performance of a function under law by the State (Section 7(c))
Example: A government agency collecting data to discharge a statutory function
Conditions: The function must be authorized by law and the data limited to what that function needs
Compliance with a judgment, decree or order (Section 7(d))
Example: Responding to a court order or summons; producing records under a legally binding demand
Conditions: There must be an actual order or legal requirement, not a voluntary disclosure
Medical emergency (Section 7(e))
Example: A hospital accessing patient records during an emergency involving a threat to life or health
Conditions: A genuine emergency and access proportionate to it
Employment-related processing (Section 7(i))
Example: HR processing employee data for payroll and benefits
Conditions: Limited to employment purposes or to protecting the employer from loss or liability, and reasonably necessary for that end
Safeguarding life or health during an epidemic or disaster (Sections 7(f) to 7(h))
Example: Contact tracing during an epidemic; emergency services during a disaster
Conditions: A genuine threat to life, health or public order and a proportionate response
Common Mistakes:
State Processing Standards
Sections 7(b) and 7(c) let the State and its instrumentalities process personal data without consent: 7(b) for providing a subsidy, benefit, service, certificate, licence or permit (where the Data Principal previously consented to such processing or the data is already held in a government database or register), and 7(c) for performing a function under law or in the interest of the sovereignty, integrity or security of India. This creates a separate framework for government data processing.
State Processing Exemptions:
Conflict Resolution
DPDP vs Sector-Specific Regulations
Organizations in regulated sectors must comply with both DPDP Act and sector-specific regulations. Understanding how these interact is critical.
Banking & Finance (RBI)
Conflict: RBI mandates that payment system data be stored in India; the DPDP Act permits cross-border transfer by default (Section 16(1)), subject only to countries the Central Government restricts
Resolution: Follow the stricter requirement. Section 16(2) expressly preserves laws that impose a higher degree of protection or restriction on transfers, so RBI localization prevails
Implementation: Keep the data in India as RBI requires and apply the DPDP obligations (notice, consent, security safeguards, erasure) to that data as well
Securities (SEBI)
Conflict: SEBI requires records to be retained for prescribed periods; Section 8(7) of the DPDP Act requires erasure once the purpose is no longer served or consent is withdrawn
Resolution: Section 8(7) itself excepts retention that is necessary for compliance with a law in force, so retain for the SEBI period and erase when it lapses
Implementation: Record the legal basis and period for each retained dataset; schedule automated deletion for the day the longest applicable period ends, with litigation holds as the only override
Insurance (IRDAI)
Conflict: IRDAI requires extensive data collection for underwriting and claims; the DPDP Act limits processing to data necessary for a specified purpose
Resolution: Collect what IRDAI requires, stating each regulatory purpose clearly in the notice
Implementation: Separate consent for regulatory purposes from consent for marketing purposes; never bundle them
Telecom (TRAI)
Conflict: TRAI's commercial-communication regulations impose their own consent and customer-preference (DND) requirements on top of DPDP consent
Resolution: Comply with both; send commercial communication only when the TRAI preference and consent rules and the DPDP consent record both permit it
Implementation: Track consent under both frameworks and suppress messaging whenever either one denies it
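An added example (not from the original page) of the "document the basis, automate the deletion" pattern from the SEBI row above, in Python. It applies the Section 8(7) rule (erase on consent withdrawal or when the purpose is no longer served, whichever is earlier, unless retention is required by law) and then pushes the erasure date out by every documented statutory basis, so a record is deleted only once all of them have lapsed and no litigation hold is in place. The basis labels, retention durations and record dates are hypothetical placeholders; substitute the regulator's actual periods.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 Feb rolls to 1 Mar in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)


@dataclass(frozen=True)
class StatutoryBasis:
    """A documented legal reason to keep a record after its purpose has ended."""
    label: str                          # hypothetical label, e.g. "SEBI record-keeping"
    years: int                          # hypothetical duration; use the regulator's figure
    from_relationship_end: bool = True  # False = the clock runs from collection instead


@dataclass
class Record:
    record_id: str
    collected_on: date
    purpose_served_until: Optional[date]        # None = purpose still being served
    consent_withdrawn_on: Optional[date] = None
    bases: List[StatutoryBasis] = field(default_factory=list)
    legal_hold: bool = False                    # litigation hold: never auto-erase


def erase_on(rec: Record) -> Optional[date]:
    """Earliest lawful erasure date, or None if the record must be kept for now."""
    if rec.legal_hold:
        return None
    # Section 8(7): erase on consent withdrawal or when the purpose is no longer
    # served, whichever is earlier, unless a law requires retention.
    triggers = [d for d in (rec.consent_withdrawn_on, rec.purpose_served_until) if d]
    if not triggers:
        return None
    candidates = [min(triggers)]
    for basis in rec.bases:
        start = rec.purpose_served_until if basis.from_relationship_end else rec.collected_on
        if start is None:
            return None          # this basis's retention clock has not started yet
        candidates.append(add_years(start, basis.years))
    return max(candidates)       # latest date wins: every basis must have lapsed


def due_for_erasure(records: List[Record], today: date) -> List[str]:
    """IDs a nightly deletion job may erase today."""
    due: List[str] = []
    for rec in records:
        d = erase_on(rec)
        if d is not None and d <= today:
            due.append(rec.record_id)
    return due


def demo() -> Dict[str, object]:
    """Constructed records covering the normal, withdrawn, held and still-active cases."""
    sebi = StatutoryBasis("SEBI record-keeping (hypothetical)", years=5)
    txn_log = StatutoryBasis("transaction log (hypothetical)", years=8, from_relationship_end=False)
    records = [
        Record("kyc-0001", date(2019, 4, 1), date(2023, 6, 30), bases=[sebi]),
        Record("mkt-0002", date(2024, 2, 1), None, consent_withdrawn_on=date(2025, 1, 10)),
        Record("kyc-0003", date(2019, 4, 1), date(2023, 6, 30), bases=[sebi], legal_hold=True),
        Record("kyc-0004", date(2018, 1, 15), None, bases=[sebi]),
        Record("acct-0005", date(2015, 1, 1), date(2016, 12, 31), bases=[sebi, txn_log]),
    ]
    plan = {r.record_id: (d.isoformat() if (d := erase_on(r)) else None) for r in records}
    return {"erase_on": plan, "due_2025_06_01": due_for_erasure(records, date(2025, 6, 1))}


if __name__ == "__main__":
    print(demo())
```

Two behaviours are worth noting: a marketing record with consent withdrawn and no statutory basis becomes erasable on the day of withdrawal, not at the end of some default retention window, while a record whose relationship has not ended returns None rather than a guessed date, because a retention clock that has not started cannot produce a lawful deletion day.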
DPDP vs Contractual Obligations
Contracts may require data sharing or processing that conflicts with DPDP requirements.
B2B Contract Requiring Data Sharing
Resolution: Include DPDP compliance clauses in all new contracts
Data Retention in Service Agreement
Resolution: Define reasonable retention periods in contracts
DPDP vs Other Privacy Laws (GDPR, CCPA)
Organizations operating globally must comply with multiple privacy frameworks.
Recommended Approach:
Key Differences:
Territorial Scope
DPDP: Processing of digital personal data within India, and processing outside India in connection with offering goods or services to Data Principals in India (Section 3)
GDPR: Processing by an establishment in the EU, or offering goods or services to, or monitoring the behaviour of, data subjects in the EU (Article 3)
Approach: Determine which law applies per processing activity from where the individual is and where the offering is directed; both can apply to the same system
Age Threshold
DPDP: 18 years
GDPR: 16 years (member states may lower it to 13)
Approach: Apply the stricter threshold (18) for users who may fall under both jurisdictions
Penalties
DPDP: Up to ₹250 crore per contravention (Schedule)
GDPR: Up to €20 million or 4% of worldwide annual turnover, whichever is higher
Approach: Ensure compliance with both frameworks so that a single failure does not attract penalties under either
Strengthen Your Compliance Posture
Explore complementary certifications that work together to provide comprehensive security and compliance coverage.