The Art of Digital Advertising in the Privacy Era

We opened up a discussion yesterday on the challenges before a digital marketing or a digital advertising company after the advent of Data Protection laws such as DPDPA.

Advertising is focussed on five principles, namely creating Awareness, Interest and Desire, besides informing about availability and enhancing post-purchase satisfaction.

Advertising has the responsibility of converting the marketing strategy, through appropriate communication, into desirable changes in buying behaviour. The advent of Artificial Intelligence (AI) has enabled advertisers to analyse the buying behaviour of a prospective consumer and derive better communication strategies.

On the other hand the approach of Privacy and Data Protection is to provide the consumer a choice of decision making and any attempt to persuade the consumer to change his buying behaviour may be considered as ‘manipulation’ of the consumer’s mind and invoke the complaint of the use of “Dark Pattern” methods which are considered undesirable and a punishable offence under the Consumer Protection Act.

Consumer goods organizations who depend on Advertising need to balance their need for marketing with the risks of their campaigns turning out to be considered as “Manipulations” of the consumer mind.

At the same time, in structuring the appropriate advertising messages, an organization needs to have a good understanding of the current state of mind of a consumer and hence “Profiling” of a Consumer is the starting point for any marketing activity. Understanding the buying behaviour and tailoring the advertising messages to maximize the desire to purchase is the essence of marketing.

Attempting to understand and document the buying behaviour of a consumer is what is referred to as “Profiling”. The DPDPA and other data protection laws consider profiling of visitors on a website as an infringement of Privacy rights. GDPR Compliance therefore considers “Cookie Management” as an important activity of Compliance.

In DPDPA Compliance, therefore, we need to strike a balance between advertising needs and the avoidance of privacy infringement. Many times the Data Fiduciaries entrust their advertising responsibilities to specialized agencies and do not have clear visibility of what an Advertiser is doing to gather information.

The DGPSI, the golden standard for DPDPA Compliance, suggests many effective steps to mitigate the Privacy Risks in Profiling of prospective customers, including visitors to a website or to a retail product store, conducting marketing surveys etc.

a) Manage the Advertisers as Joint Data Fiduciaries

b) Develop an exclusive “Data Monetization Policy” which includes the Profiling and Advertising policies

c) Develop a suitable Pseudonymization/anonymization policy for Personal Data Processing

When we look at the risks of advertising, it is clear that people mind “Friendly Alerts” but are concerned about “Spamming”. When does a “Friendly Alert” become “An Annoying Spam” and how do we recognize it is the art of Digital Advertising in the Privacy Era.

In the years around 2011, Naavi was pursuing a patent on “Adview Certification” and though Privacy was not a concern at that time, had incorporated an element of Consumer Consent and incentivisation. The thought seems to have a value even now with the added aspects of Anonymized processing of information and the use of AI.

Perhaps this new thought requires to be merged with the DGPSI framework into the “Data Monetization Strategy”.

This would, however, require technology backup where the gathering of profiling information is done with the consumer's consent and the delivery of advertisements is done in such a manner that it cannot be classified as “Spam”.

Watch out for more action on this front as the concept of “Privacy Compliant Digital Advertising” unfolds. Probably there is scope for new Privacy Enhancement Technology Products in this area as well.

Naavi

Posted in Cyber Law | Leave a comment

DPDPA Impact on Digital Advertising and Marketing companies

One of the toughest challenges presented by DPDPA is for the Digital Marketing and Advertising Companies.

Marketing to be effective needs market segmentation and Advertising to be effective requires the messages to be tailored for the audience. The movement of media from the Print to TV and now to the Social Media/Internet has necessitated a big change in the approach of the Advertisers and Marketers.

When Internet was first used for business communication, the potential of the internet to have a targeted advertising campaign became extremely attractive to the Advertising & Marketing (A&M) Community. The potential to understand the location of a web site visitor enabled a geographical profiling of the audience. The content and the key word used by the visitor to arrive at the landing page enabled profiling of the immediate interest of the visitor. These factors enabled presentation of target specific messages which are useful to the A&M companies as well as the consumers.

Over a period, excessive advertising, use of content interrupting advertising made advertising a bit annoying. Today, privacy activists consider any form of profiling of a visitor of a website as an intrusion of privacy requiring prior consent of the Consumer.

With the availability of AI, analysing the visitor’s habit including the amount of time spent on each page by a visitor provides a lot of information which can be productively used by the marketing company to make its campaigns sharp and effective.

The challenge for the Website owner and the supporting Advertising and Marketing consultants is to ensure that, while the requirements of profiling for advertising are fulfilled, the constraints of DPDPA are also managed.

DGPSI the Peerless framework for DPDPA compliance is developing the procedural framework that should make DPDPA compliance for A&M companies feasible.

Await a more detailed discussion of the DGPSI-A&M framework shortly.

Naavi


ZeeTV needs to set aside Rs 250 crores for DPDPA fine

As the data protection community awaits the notification of the DPDPA rules, there is speculation that the Government is hesitant since Government bodies are not ready.

While it may be true that the Government bodies are not fully ready for DPDPA, private entities are also not ready and are putting pressures on the Government to delay.

It is strange that some of these companies are deliberately flouting the rules even though they are aware that they are wrong.

We have been attending many Privacy seminars all over India and it is clear that the professionals have a fairly good awareness of what needs to be done and what should be avoided. But the companies are going ahead with their bad practices indicating that the business managers do not care about the law.

I recently came across ZeeTV which has a mobile app which can be subscribed only with an “Auto Pay” instruction. There is no clear option to make payment for a monthly or yearly subscription without agreeing to auto renew.

I recently saw “Audible” also imposing mandatory auto renewal for its membership. Does it mean that the DPO of Audible and ZeeTV do not know the basics of Data Protection? It appears to be so.

Probably the business managers do not know that as soon as the Act is notified, there could be a flood of complaints on such companies and ZeeTV may need to face a penalty situation up to and beyond Rs 250 crores for not complying with DPDPA.

Hope ZeeTV will put an end to this obnoxious practice.

Naavi

P.S: Readers have informed that Netflix and Audible also have a similar policy of forced auto renewal.


Data Access Request could land you in a Zugzwang moment

In our previous post, “The Zugzwang that won the Challenge”, we had raised some concerns of a DPO that arise when we receive a Data Access Request. This was discussed during an event in Bangalore yesterday and I share some of the thoughts that came up for discussion during the event.

Data Access Request is one of the first rights that a law like DPDPA provides to the data principal. Essentially it provides a right to a data principal to get a summary of how the data fiduciary is processing his personal data.

The DSAR request can be sent to the company through an e-mail and does not cost much effort to the data principal. But for the Data Fiduciary this is a ticking bomb and if not defused could explode with disastrous consequences.

Hence an organization needs to put in place a robust mechanism to handle the request.

DGPSI (Data Governance and Protection Standard of India), the framework that addresses DPDPA compliance, provides the right framework for meeting the challenges that the DSAR presents.

The challenges of DSAR under DPDPA include

a) Recording the request received

b) Acknowledging the request

c) Verification of the identity of the requester, his authority for the request and matching it with an existing data principal with whom the Data Fiduciary has a relationship

d) Extracting the related consent associated with the processing of the personal information of the requester

e) Extracting all the data elements that the Data Fiduciary has received and used in respect of the data principal.

f) Ensuring that the data is within the scope of the DPDPA

g) Identifying all the processes in which different elements of the data of the data principal are being processed

h) Identifying the external data processors involved in the process and the data shared with them.

i) Identifying whether the data principal is a minor or a nominee and, if so, identifying the related consent from the guardian and the nomination details along with the procedure for settlement.

j) Handling the grievance redressal along with the adjudication at the adjudicator of ITA 2000 or DPB.

k) Handling the data erasure process both at the level of the Data Fiduciary and the associated Data Processors.

l) Handling the data breach notification requirements

m) Handling the exceptions such as when the request applies to legacy information for which a new consent was required.

Probably the above list is not exhaustive. But DGPSI is a system which asks the relevant questions and creates a foundation from which all these questions can be answered.

For example, DGPSI follows a data classification that tags the jurisdiction, focusses on the processes, recommends centralized data storage, recommends data valuation, sets up a grievance redressal mechanism, ensures that the top management has considered and approved risks that cannot be mitigated and have to be absorbed, and ensures that distributed responsibility addresses identification of data and proper documentation of all compliance requirements. Even when the cause of breach is through an AI, DGPSI has a necessary process to address the same.

If you are DGPSI Compliant you are ready to address all of the above requirements.

Naavi


The Zugzwang that won the Challenge

Mr Gukesh became the youngest World Chess champion by winning the FIDE world championship by cornering Mr Ding in a Zugzwang position where White (Ding) had to make a move but any move would have led to loss. This zugzwang position is common in Chess especially with the pawn and king ending.

A similar situation is confronted by Data Fiduciaries in certain circumstances when they have to comply with DPDPA.

Take the example of an email received by a Data Fiduciary in Bangalore from jr2024@protonmail.com which stated

“My name is R. Jhonny, residing at Lucknow. Under the provisions of ITA 2000 read with DPDPA 2023, kindly provide me the following information.

Do you process any of my personal data?

If so, for what purpose and how did you obtain it?

Please share the copy of the consent I have given if any?

Please let me know with whom all you have shared it, the purpose of sharing.

In case I do not receive the information within 3 days from receipt of this email, I shall be constrained to take necessary steps to recover compensation from your end for wrongful processing of my personal data”

This looks like a simple question but it takes a lot of effort in the first place and even thereafter, may lead to many challenges. Whatever move you make, you may continue to deteriorate your position until you are checkmated.

This problem is set to be discussed by Naavi in today’s event in Bengaluru at LTIMindtree.

Naavi


More Banks notified as Protected systems

In October 2024, Meity declared IOB, RBL Ltd, IndusInd Bank Ltd, Federal Bank and Bank of Maharashtra as “Protected Systems under ITA 2000”.

Notifications:

IOB

RBL

IndusInd Bank

Federal Bank

Bank of Maharashtra

The implications are twofold.

Any attempt to access such computers by anyone other than the permitted persons noted below will be considered as an offence that can carry imprisonment of 10 years.

Who can access

(a) any designated employee of the Bank authorised in writing by the Bank to access the protected system;
(b) any team member of contractual managed service provider or third-party vendor who have been authorised in writing by the Bank for need-based access; and
(c) any consultant, regulator, Government official, auditor and stakeholder authorised in writing by the Bank on case-to-case basis.

Any other person accessing the system will be liable for imprisonment of 10 years.

Further, under Section 70(4), the Central Government shall prescribe the information security practices and procedures for such protected system. (Inserted vide ITAA 2008).

Additionally the Information Security rules under the notification of 22nd May 2018 should apply to such systems (Refer here). Kindly check details here

Hope each of the Banks comply with the directions contained in the May 22 security guidelines.

Naavi

P.S: For records we note that

  1. CAMS was also notified on 2nd February 2024. It is known more as a Registrar handling securities.
  2. KFin Technologies Private Limited was also notified on 1st February 2024.
  3. NIA was notified on 26th February 2024.