India to ban bundled consent through data privacy rules  

New rules under the DPDP Act seek to ban bundled consent models and give users clearer control over how platforms use their personal data.

India’s tryst with data privacy is belated, but better late than never. With the Digital Personal Data Protection Act, 2023 in place, the ministry of electronics and information technology is set to release detailed administrative rules that, if implemented effectively, could signal the beginning of the end of rampant unauthorised data collection by digital platforms. The government now intends to prohibit the practice of bundled consent, a technique that compels users to agree to the collection of all kinds of data—essential or otherwise—before they can access even the most basic services.

Under the proposed rules, social media platforms and internet intermediaries—referred to as data fiduciaries—must separate user consent for optional and mandatory services. Users should be able to opt in or out of different data processing activities with clarity. Consent must be granular, purpose-limited, time-bound, and revocable. This is not merely a technical tweak. It is a philosophical shift in favour of the citizen over the corporation.

By making metadata records—logs of consent timestamps, purposes, and languages—mandatory, the new rules introduce traceability and accountability. It may be too early to celebrate, but this signals a welcome disruption of Big Tech’s default behaviour: obfuscate, overwhelm, extract.

Bundled consent and the myth of free platforms

India must learn from the European Union’s confrontation with Meta’s deceptive “pay or consent” model. In the EU, Meta now offers users a choice—either pay for an ad-free experience or allow Meta to process personal data for behavioural advertising. But regulators argue that this isn’t a real choice; it’s coercion under the guise of consent. The Consumer Protection Cooperation Network, backed by the European Commission, found that Meta’s practices misled users, limited their time to decide, and forced them to either buy their privacy or relinquish it.

India must categorically reject similar binary options. Consent is not valid if it is extracted under compulsion—economic or procedural. Our regulations must prevent data fiduciaries from conditioning the core functionality of their platforms on users’ willingness to part with their data. Any attempt to present a false dichotomy—privacy or access—must be deemed a violation of consumer rights and data ethics.

Additionally, India should study the EU’s enforcement under the Digital Markets Act. The Act requires that consent for combining personal data across services must be optional, and users must be provided with an alternative that is functional and less intrusive. India’s emerging enforcement framework must include similar safeguards to prevent the monopolisation of user data.

PwC report: A wake-up call to India Inc.

A recent study by PwC India assessing 100 enterprise websites found that only 9% of them collected user consent that was free, specific, and informed. This means that the overwhelming majority of organisations still rely on ambiguous, all-encompassing consent models that users often accept by default. This isn’t consent; it is silent compliance under duress.

Only 16% of websites displayed a cookie consent banner, and just 2% offered multi-language support. While 90% of organisations had privacy notices, only 41% informed users of their rights to erasure, correction, and access. And a mere 4% had any visible breach notification mechanisms.

This is unacceptable for a country that aspires to become a data economy superpower. The lesson is clear: legislation without implementation is lip service. India must move swiftly from passive compliance to active enforcement. Penalties under the DPDP Act must be applied without fear or favour.

China’s strategy: Define, limit, enforce

India would do well to also observe China’s assertive model. In 2024, China issued detailed rules classifying what constitutes necessary personal information across 39 categories of mobile apps—from messaging to food delivery. These rules allow users to decline non-essential data requests without losing access to core services. For instance, a ride-hailing app can ask for your location and payment details, but a dictionary app cannot demand your contact list.

This level of granularity is currently missing in India’s approach. India must move beyond broad principles to sector-specific codification of what constitutes necessary data for different kinds of digital services. China’s regulation is backed by multiple enforcement bodies—the Cyberspace Administration, Ministry of Industry and Information Technology, and State Administration for Market Regulation. India must emulate this multi-agency coordination model to check Big Tech overreach.

The road ahead: What India must do

If India is serious about safeguarding its digital citizens, it must pursue a four-pillar strategy:

Legislate with teeth: The administrative rules under the DPDP Act must go beyond gentle nudges. They must mandate real-time audit trails, empower data protection officers with independence, and require platforms to publish periodic transparency reports.

Enforce through institutions: Establish a fully independent Data Protection Board with investigative and adjudicatory powers. It must be adequately staffed, funded, and insulated from political interference.

Empower users: Platforms must be required to offer a simple dashboard showing all data consents given, with an instant option to revoke them. All data policies should be made available in multiple regional languages. India’s digital citizens must not need legal degrees to assert their privacy rights.

Punish non-compliance: Companies that violate consent norms must face stiff financial penalties—calibrated to global revenues, as in the EU. Repeat offenders should face business restrictions, including bans on data transfers or the suspension of intrusive services.

Privacy cannot be optional

India, with its billion-plus digital users, cannot afford to remain a passive bystander while its citizens’ data is mined and monetised. The government must act decisively, drawing from the best global practices—whether in Brussels or Beijing.

Social media platforms and internet intermediaries must be told, in no uncertain terms, that data sovereignty belongs to the individual, not the algorithm. Privacy is not a privilege. It is a constitutional right. And no business model—however innovative or profitable—can be allowed to override it.

As the old adage goes, if you’re not paying for the product, you are the product. But it is high time India ensured that its people are no longer sold without their consent.