Marketing is regarded as the cornerstone of customer acquisition in every business. Commercial communications have become crucial for effective marketing and business development. On the flip side, commercial communications have not only given rise to customer complaints, reporting increased spam from businesses but also raised serious data protection concerns on the collection, usage, sharing and retention of personal data used for sending commercial communications in the first place.
The recently enacted Digital Personal Data Protection Act 2023 (Act), cuts across various sectors and aims to bring about a culture of privacy, transparency and accountability among businesses. Among its various business implications, the Act has a substantial impact on the core of business operations, specifically marketing activities.
Key considerations for businesses sending marketing communications
Consent-based approach: In addition to a host of other obligations, the new law requires businesses to only process personal data based on either consent or certain legitimate uses. This means that businesses will have to obtain explicit consent from individuals in order to send them marketing communications. Such consent should be free, specific, informed, unconditional and unambiguous, provided through a clear affirmative action. Given that consent must be ‘specific’ to the intended purpose of collection, businesses will no longer be able to use the existing personal data of customers to send commercial communications (unless such a customer has expressly consented to receiving them) or make the provision of any service or offering of the business conditional on user consent. The enhanced standards for consent also eradicate the possibility of businesses resorting to pre-checked boxes or unclear language to obtain consent and lay emphasis on an ‘opt-in’ methodology.
Transparency with customers: Businesses are required to transparently inform customers about how they intend to process customer personal data for marketing purposes. This must be done by presenting customers with a notice in the prescribed manner, either before or at the time of obtaining their consent, setting out details relating to personal data processing and their rights under the law. This ensures that customers take an informed decision while providing their consent and are fully aware of their rights.
Data minimisation and restrictions on retention: The Act mandates that the personal data collected from individuals be limited to such personal data, as is necessary. In light of this, businesses may implement ‘privacy by design’ practices and related measures to ensure that only such limited personal data is collected and used for marketing purposes. Additionally, the Act sets out restrictions on the storage and retention of personal data, which require businesses to erase all records of personal data upon customers withdrawing their consent or as soon as it is reasonable to assume that the specified purpose for processing is no longer served.
Sensitising marketing teams: Given that the Act introduces new obligations on the collection, storage, transfer, implementation of security safeguards, etc., it is pertinent that comprehensive training programs be introduced to marketing teams so that they can strategise their practices in compliance with the Act. This includes understanding key compliances under the law, maintaining internal records of processing activities, significance of clear and unambiguous consent-seeking language, compliance with translation requirements, etc. Marketing teams may also liaise with other teams within the organisation so that the personal data used for commercial communications is processed in alignment with the Act throughout its processing journey within the organisation. It is also important for marketing teams to revisit the user interfaces, display of consent-seeking messages and ‘unsubscribe’ options in emails and notices, language used in sign up and registration forms, etc.
Other considerations: Businesses handling personal data must implement mechanisms to enable customers to exercise their rights under the Act. They need to report personal data breaches, comply with restrictions relating to processing of personal data of children under 18 years of age, assess applicability of additional compliances such as appointing data protection officers, conducting data protection impact assessments, etc. on the specific processing activity. Additionally, sending commercial communication may trigger other requirements depending on the mode in which such communications are made. Specifically, if commercial communications such as promotional messages are sent over telecom resources such as phone calls and SMS, requirements prescribed by the Telecom Regulatory Authority of India (such as obtaining consent through ‘digital consent acquisition’) will also apply. Therefore, it is crucial for businesses to re-evaluate their current practices of sending commercial communications to ensure that the end-to-end process, starting from the collection of personal data until the deletion of such data, is done in compliance with applicable laws.
Conclusion
In this data-driven era, the new Act not only introduces a privacy-centric approach to conducting business but also seeks to enhance the customer experience by reducing the menace of pesky calls, unsolicited promotional messages and related spam. In other words, the Act promises to strike a balance between effective marketing and customer privacy. Such controlled marketing also minimises customer exposure to SMS fraud, malware, phishing, etc. Businesses are compelled to upgrade their marketing practices, emphasising aspects such as consent, individual rights, accountability and data security. The overall legal landscape surrounding commercial communications ultimately provides businesses with an opportunity to enhance customer trust, facilitate meaningful marketing communications, and improve their brand image through goodwill and reputation. Given the hefty penalties under the Act, it will be interesting to see how the marketing practices of businesses evolve with time as the industry gears up for compliance with it.