Advertising Industry needs to wake up to the demands of DPDPA 2023..1

Naavi as part of his career development had been in the advertising industry for around 11 years and has closely participated in the activities of a full service advertising industry which creates brands, builds brands, understands consumer behaviour with research, reaches out to consumers, creates effective communication to pass on a message to the masses. Naavi’s involvement in advertising was during the period when Internet made an entry and hence advertising industry was transforming from News papers to TV medium with advertising on websites just appearing on the horizon. At that time Naavi had also thought of and pursued a patent “Adview Certification” which involved implanting an intelligent beacon on the website to monitor the behaviour of the visitors to develop a realisable metric of visitors like the TRP in TV industry or ABC (Audit Bureau of Circulation).

With this background, if we now look at the developments worldwide on “Privacy”, it appears that the digital advertising industry is one sector which has an existential threat on account of the Privacy laws. While Fintech and Health sector also have many hurdles to cross, they are to some extent manageable. But Digital Advertising industry which is at the root of all marketing activities and has to design communication appropriate to the target audience has a real uphill task  to the extent that many may feel that there is no way the industry can be fully compliant and hence the winner is the one who is good in deception.

The Data analytics industry has two parts to its activities namely analysis of anonymized data and analysis of identified personal data. Data Science industry related to anonymized data may not be affected by the privacy laws if we accept that “Anonymization of previously identifiable personal data” is similar to “Deletion” and does not require any explicit consent of the data principal. However, analysis of identifiable personal data is closely associated with “Targeted advertising” and does face the same problem as the advertising industry. In fact the data analytics of identifiable personal data and digital advertising industry work in close unison and hence their problems are similar.

To understand the issue, let us start with the simplest of simple tasks namely “Sending E Mails without prior consent” offering products or services. At present we call these as “Unsolicited emails” and “Spam”. “Causing annoyance” with repeated unsolicited emails is a punishable offence in some laws. (Also applicable to unsolicited phone calls).

Does this mean that the only way an organization can reach out to its prospective customers is through “Search Engines” and “Voluntary walk in enquiries”? . The unsolicited mobile calls are a little more annoying than unsolicited emails since mobiles calls cause a greater disturbance than the emails. However emails provide an opportunity to respond leisurely and hence are less demanding on the critical time of the receiver.

The Privacy law makers and the advertising industry have to sit together and sort out this issue and whether a polite “E Mail to request permission to send the next detailed email about the service” say once a year should be considered as a permitted one time activity.

The other points of discussion which we may discuss in continuation are..

1.Profiling a customer for the purpose of market segmentation and targeted advertising

2. “Collecting personal information through cookies set by the advertising agencies/adtech companies on the websites of companies” and consent mechanism for the same

3. “Regulation of information collected by an ad agency/adtech company through cookies from one advertising client to be used for profiling and made available to other clients”.

Internationally there is a discussion on the “Diligence Requirements for the Adtech Industry” for demonstrating lawful consent for collecting and selling personal data. (Refer article in

This article flags the efforts of the Interactive Advertising bureau and SafeGuard Privacy tool called IAB Digital Platform. This platform will contain a set of standardized privacy diligence questions that are specially designed for participants in the digital advertising industry. This is a good industry initiative which is required. 

Some parts of the requirements mentioned here were included in the WebDTS concept which FDPPI promoted but observed a frustratingly large number of non compliance. Perhaps in India we need the Advertising industry regulators to start looking at “Compliance to DPDPA 2023” as a requirement to be considered. At present the advertising industry and more particularly the Ad Tech companies would appear to be completely unconnected with the DPDPA 2023. The end users may escape responsibility by stating that the “Ad Service Provider is a Joint Data Fiduciary” and is responsible for compliance of DPDPA. With many of them operating on AI platforms hosted on websites of their clients and the information collected is that of the customer of a customer, there is very little possibility of “Consent” being obtained. 

While compliance activists like us keep pointing out these issues, the compliance subjects continue to feel that the compliance is “Impractical”. The Advertising industry needs to sit together and find a proper solution to this problem at the earliest.

(Comments welcome)


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.