Five issues to consider as the DPDPA turns two.

Two years ago, on 11 August 2023, we watched as India’s data protection law, the Digital Personal Data Protection Act, 2023 (now, fondly, the DPDPA) came into being.

In the months (and now, years) that followed, Indian tech lawyers dissected every inch of the new law. We analysed what its enforcement might mean for data fiduciaries and data subjects alike, identified risks, compliance gaps, and comforted ourselves with nuanced positions.

We were flooded with questions. Some were time-oriented: “How long will we have to implement the law?” Others were concerned about the scope of the law: “Will this apply to me if I process personal data of foreign persons in India?” Yet others focused on how much would need to change in their compliance processes: “But, it’s just like the GDPR, isn’t it?” (No, friends, it isn’t.)

Two years on, here are 5 (of the many!) issues that have stayed with me, several stakeholder meetings and one set of draft rules later.

  1. The 3P consent conundrum. How does the recipient of your pharmacy order/e-commerce parcel/surprise gift/grocery order, or UPI payment provide consent? Notice is a prerequisite to consent, and however we spin things, the DPDPA is heavily consent-oriented. As non-consensual grounds of processing personal data are limited (e.g., most use cases are unlikely to qualify as a medical emergency), fiduciaries processing third-party personal data will likely need to rely on consent. But, here’s where the problem has always been - collection occurs before notice can be provided and, unlike Article 14 of the GDPR, the DPDPA does not provide for post-facto notice.

  2. What’s [your] age, again? Age isn’t just a number. It’s likely going to be your gateway to most things on the internet, even if those services aren’t otherwise age-gated. With processing personal data of a minor (that is, anyone who is under 18) without verifiable parental consent being tied to hefty penalties, there’s a big push to identify which users are U18s. While there’s no statutorily mandated age-assurance or verification requirement (unlike with the UK's Online Safety Act 2023), such measures are going to play an important role here. Platforms, for example, will have to decide if they want to completely exclude U18s, and if so, how? Even if digital businesses don’t intend to become solely 18+ services, how does one definitively know if a user is a child? The Srikrishna Committee, in its report accompanying the draft Personal Data Protection Bill, 2018, noted that relying solely on parental consent would be likely to prompt children to lie. They were probably right. That's why age verification or assurance - amorphous as either may be in a DPDPA context - will have to drive this process.

  3. “Does your mother know that you’re [online]?” When the draft Digital Personal Data Protection Rules, 2025 (also, fondly, the DPDPR) began our January with a bang, almost everyone zeroed in on the verifiable parental consent rules. How do you identify if X is Y’s parent absent a standardised, widely-adopted, cross-identifying relational mechanism? The DPDPR provides some comfort, suggesting that reliance on ‘reliable details’ that may be present with the fiduciary could be one way of doing this. But, which details will be considered 'reliable' enough, and what about services that don’t have a pre-existing relationship with the parent? Take children’s gaming platforms, for instance: in the ordinary course of things, they’re unlikely to have parents’ details on hand. In that case, such platforms will likely have to rely on fledgling digital ID mechanisms that have limited adoption so far. The bigger questions remain: how will this be operationalised on the ground, and will it exclude areas where digital literacy numbers are comparatively lower?

  4. [Not] Curated just for you? Certain kinds of processing activities are barred when it comes to minors’ personal data. Aside from targeted advertising, tracking and behavioural monitoring also make the list. The latter two will likely fundamentally change how U18s experience the online world. For example, will U18s no longer have access to personalised content? This is possible, as the proposed exemptions under the DPDPR do not carve out room for personalisation. If so, will U18s lose access to personalised playlists, suggested educational podcasts, and the like? Will their ability to ‘discover’ something new, something interesting, something to their tastes, be impaired?

  5. What is ‘publicly available’ data, anyhow? A key exclusion under the law is still shrouded in mystery. It proceeds without a definition, raising some related questions. For example, will the personal data on a social media account with 1 million followers but labelled ‘private’ (there are popular people out there) count as ‘publicly available’ data? And then there are the guardrails: who makes the data public counts. So, if you don’t ‘agree’ (and how does one trace this?) to a photo of yourself being posted to a public online profile, is it publicly available data? And, what if it’s a photo of you and five others?

Anniversaries give us a chance to reflect on what’s changed, and what hasn't. The DPDPA’s second anniversary resurfaces some lingering issues as the next year - and, hopefully, one that sees the finalised DPDPR - begins.