Marketing under a Brand and DPDPA compliance

Organizations use “Brand Building” for two purposes.

The first is to inculcate a “Brand personality” within the network of organizations associated with a brand. When a company states that it is a “Godrej” or “Tata” or “Birla” Company, or belonging to “Apollo”, “Reliance” group, it reflects certain personalities associated with the philosophy of the brand. This is for internal structuring of a company and development of internal policies of management.

The second purpose is to derive benefits of the brand association in marketing of the products. Here the brand will influence the purchase decisions of the consumer since he associates the prominent brand personality perception with the product. It could be related to the reliability of the product, quality, integrity etc.

Whether the brand architecture is constructed as “House of Brands”, “Endorsed Brand”, “Sub Brand” etc the consumer is expected to infer the product benefits from the qualities perceived in the associated brand.

Marketing as a profession always tries to take positive aspects of the brand association and use it as a promotion. In the process it does not give much consideration to the possibility of “Mis-representation”. In many of the consumer product companies, “Marketing” is the most powerful division and every other department whether it is Finance or Information Security or Privacy, it has to toe the line set by the Marketing division.

In such a context, the DPOs trying to remain compliant with DPDPA will face a huge challenge.

Many times Brands are shared with competing downstream entities with their own service capabilities. Some sub brands may be better than others and unless the consumer has the clarity that he is taking the service from the sub brand and not from the main umbrella brand, there is an open invitation for litigation if things go wrong.

There are some extreme situations such as when an Indigo passenger finds a cockroach in his food, or a Zomato employee is found earing into the parcels, or a Zepto warehouse is found unhygienic, or an RCB event results in a stampede, the stigma getting attached to Indigo or Zomato or Zepto or RCB as a brand. Some of this may be a result of negligence in imparting the brand values and some may not involve any such negligence. The damage in terms of perception is however real.

When there is a positive rub off of the brand on the product sales, every one is happy. But when there is a negative impact, litigations will follow and most of the time, litigation is on the main brand for their negligence.

When it comes to collection of personal data and processing under different data protection laws, a question will arise about the responsibilities of the Umbrella brand owner and the sub brand user.

DPDPA presents a tough challenge in this context compared to other laws like GDPR.

The reason is that DPDPA expects the “Personal Data Collector” as a “Data Fiduciary” with a duty to take care of the Privacy rights of the data principal. Under GDPR, the “Data Controller” has a lower responsibility since his compliance ends with presenting a “Transparent” privacy policy. The Data Fiduciary under DPDPA however is required to ensure that there is no misrepresentation and there has to be a privacy notice and associated consent forming a valid “Contract” which can be used in future litigation.

The dilemma of companies is to decide

a) Whether my company is a significant data fiduciary because I am part of the brand which is a significant data fiduciary?

b) Can I declare myself a “Data Processor” instead of a “Data Fiduciary”

c) What is the level of disclosure I have to maintain with the consumer if I am sharing the personal data with my brand owner for purposes not related to what I have collected it for.

d) How will a Consumer Activist react if there is a loss caused by me as a sub brand operator?… Will he litigate against the Brand owner because it is more useful in the Courts?

The difficulty lies both for the Brand owner as well as the Brand user since depending on the convenience, a litigant can proceed either against the Brand user or the Brand owner.

This is a matter of serious and in depth debate but under DGPSI, FDPPI adopts the principle of recognizing a “Super Data Fiduciary” who owns the brand and “Data Fiduciary” who operates under the brand as distinct from “Joint Data Fiduciary” and “Data Processor”.

The policies to be adopted, contracts to be drawn need to be tailored to the recognition of this “Status” of an organization. The DPO of the Super Data Fiduciary has to absorb certain vicarious responsibilities for managing the DPO responsibilities of individual sub brand user entities. In some cases the sub-brand entities may be “Group Companies” and amenable to oversight. But if the sub brand entities are independent companies and part of joint ventures with other super data fiduciaries, the task of the DPOs are more complicated.

FDPPI would be interested in getting the reactions of the professionals in this regard.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.