Learn how you can Unlock Limitless Customer Lifetime Value with CleverTap’s All-in-One Customer Engagement Platform.
In India, the long-awaited Digital Personal Data Protection (DPDP) Act, 2023 has recently been passed by both houses of the Parliament of India and received assent from the President. This marks a significant milestone for India as it moves closer to enacting its first Act that defines regulations concerning the usage and processing of personal data by both private entities and government bodies. The Act, as it is named, will apply to personal data collected in India in a digital format, as well as in a non-digital format if it is subsequently digitized. A penalty of up to Rs 250 crore (around USD $30 million) may be imposed for each instance of data breach.
Why the Digital Personal Data Protection Act? And why now? The need stems from the fact that data — especially personal data — serves as a livelihood for brands. In the widening digital landscape, brands are continually gathering personal data. Whether customers are consuming online content, making purchases, sharing health information, or providing banking particulars, they are required to share diverse data during their online interactions.
Given the pivotal role of personal data in marketing technology (martech) endeavors, it is essential for growth marketers to possess a thorough understanding of the Act’s implications on their customer engagement initiatives. The Data Protection Act, 2023 includes critical clauses that affect martech endeavors. In this blog, we delve into the key highlights of the Act and its consequences within the martech realm.
Brands are required to obtain explicit consent before utilizing customer data for personalized marketing campaigns.
For instance, an ecommerce brand could implement an in-app/native pop-up on their app or website, requesting the customer’s approval to use their browsing and purchase data for personalized recommendations, thus adhering to the regulations in the Act. However brands need to introduce this change in a way that does not impact the seamless experience of customers.
Brands must use customer data solely for its intended purposes. Also, brands must promptly fulfill customer requests for data deletion after achieving its purpose. This showcases a commitment to privacy compliance and helps build enhanced trust with customers.
It is imperative for brands to prioritize data security by protecting sensitive customer data through encryption, multi-factor authentication, and routine security audits. In the event of a data breach, prompt reporting to India’s Data Protection Board and informing affected users about the breach and potential risks is vital.
For instance, a health app storing sensitive health-related data of the user should implement robust security measures such as encryption using security standards such as AES 256 and multi-factor authentication. In case of a breach, the brand must promptly notify the relevant authorities and affected users, thus ensuring both trust and compliance.
Brands must enable easy access to personal data for customers and empower them to request corrections as needed. Transparent communication regarding data usage cultivates trust and enhances customer satisfaction.
For instance, in the case of an ecommerce app, customers should possess the right to access their data and rectify any inaccuracies. The brand should offer a user-friendly interface for customers to review their data and make necessary updates.
When collaborating with international partners, brands must comply with the data transfer restrictions outlined in the Act. It is essential to transfer data exclusively to countries sanctioned by the Act, and to refrain from transferring data to any country which is restricted by the Central Government.
For example, let’s consider an e-commerce app that collaborates with global suppliers; the app should exclusively share user data with countries that are permitted under the Act and not restricted by the central government by way of a notification to this effect. This practice ensures strict compliance with regulations and the protection of personal information. Additionally, businesses may want to adopt a multi-region data center model to meet diverse business and compliance requirements. This ensures reduced latency along with upholding the highest security standards.
For brands targeting children, securing verifiable parental consent is necessary before collecting and processing data from individuals under 18 years of age. Incorporating parental verification procedures during the registration process guarantees adherence to consent regulations.
For instance, an educational app for children could implement a parental verification process, using various channels like push notifications, in-app messages, email, and more thereby ensuring compliance with consent regulations, enhancing privacy protection.
Brands that collaborate with government entities must acknowledge exemptions granted to government agencies, on grounds like national security. It is essential to ensure responsible practices that uphold privacy rights.
For instance, consider a banking app partnering with government bodies; in such cases the brand should be aware that government agencies might have exemptions, particularly those related to national security.
As the landscape of data protection continues to evolve, the Digital Personal Data Protection Act 2023 stands as a significant milestone in India. Its implications for the world of martech are vast, reshaping how brands collect, process, and utilize consumer data. Moving forward, it is crucial for both brands and consumers to stay informed and engaged, ensuring a responsible and harmonious digital ecosystem that respects individual privacy while fostering technological progress. Stay tuned for more updates on how CleverTap can assist brands in their compliance efforts!
Please note this blog is not to be construed as legal guidance and is only intended as reading material.