Relevant emails often get lost in a sea of direct marketing messages, and unsubscribing rarely works. While consumers may find these emails a menace, they are a vital component of businesses’ direct marketing efforts. But, under the Digital Personal Data Protection Act, 2023 (DPDP), businesses must brace for major shifts in direct marketing to both existing customers and prospects.
The DPDP’s approach of providing ‘consent’ as the only legal basis for processing personal data for most commercial activity poses a challenge for direct marketing which is usually via email, messaging, phone calls, and social media. Implementing a well-designed and compliant direct marketing program is critical as businesses gear up for a full rollout of the DPDP.
What are some challenges and opportunities for direct marketing activity under the DPDP? Let’s dive in.
Maintaining existing lists
For existing customers, the DPDP provides some leverage - it requires a notice to be issued to all individuals whose personal data is already being processed (‘processing’ has a wide definition and includes every conceivable action about personal data). These individuals then need to actively opt-out, until which time businesses can continue using their data.
List growth
Growing existing mailing lists will be impacted. The practice of automatically opting-in anyone who leaves an email ID or phone number will need to stop. Many businesses require providing contact information to explore product pricing and features on websites, or to get a call back from sales representatives. Their privacy policies then allow unrestricted use of that personal information - this will no longer be possible.
Data sources
Buying lists from third parties and data brokers will have no place going forward. For one, using personal data without consent will not be feasible – so no cold calling, emails, or messages if consent isn’t already available. And no reaching out via these means to get consent.
Where data brokers are sources of personal data, consent will not be available. Businesses will then find it challenging to respond to data access requests and justify their holding of personal data.
Data storage and security
Data storage mechanisms directly impact the efficacy of security measures needed to protect data. Therefore, storing lists on spreadsheets and devices of sales executives needs to stop. For smaller businesses that cannot invest in automation or expensive systems, documenting and implementing robust practices and governance will be key to avoiding a breach of or defending prosecution under the DPDP.
Access to lists and personal data must be controlled. Absent any standards specified by the DPDP, the adequacy of security measures will likely be determined based on many factors including the size of the business, industry, and nature of personal data being processed, among others.
List scrubbing
The lists will need constant updating against opt-outs/ unsubscribes and in response to data erasure requests, calling for technical measures or robust processes to ensure information is passed on to relevant stakeholders, third parties, and systems so that further communication is stopped.
Reviewing data requirements
While more may be merrier for personal data, businesses must reassess the range of personal data they collect and determine what and how much they need. Because required security measures could vary based on the sensitivity and type of personal data, volumes, and other aspects, personal data that isn’t needed mustn’t be collected.
Demonstrating adequacy of security measures
The DPDP does not prescribe an industry standard for protecting personal data, as many businesses will not have the financial wherewithal to implement one. However, the fines under the DPDP can be crippling (the highest slab of fines, i.e., up to INR 250 crores has been specified for not implementing reasonable security safeguards to prevent a personal data breach). Consequently, all businesses dealing with customer data must review their practices and implement demonstrable measures backed by policies and governance in case they are ever subject to a data breach or a complaint under the DPDP.
ADVERSITY AND OPPORTUNITY
Adversity brings opportunity, and this is true for the DPDP too. The restrictions mean that businesses will need to rework approaches to data collection and marketing practices.
Data and consumer focus
Businesses should use the time available to analyze the type and quality of personal data they need and focus on means to secure consent for these. This also means understanding their consumers better, leading to improved marketing programs. The increasing availability and deployment of AI makes this easier and changes can be faster through AI-driven analyses.
Opportunity through consent notices
A requirement for consent notices means they can be drafted innovatively, providing more options and information to customers, and getting deeper insights through their choices. A well-drafted notice will use insights into consumer behavior and psychology to increase engagement and help target consumers with focused marketing. There is abundant research on consumer behavior and psychology – utilizing this to draft will increase the chances of securing consent.
Trust
Enhanced awareness and an explosion of cybercrime including phishing fraud, deepfakes, and the impact on children, means individual concern for their data will continue increasing. While compliance may result in short-term challenges, it will have long-term benefits by increasing consumer trust.
CONCLUSION
The DPDP needn’t be daunting despite the challenges it poses. Data privacy is here to stay and will get more restrictive as consumers become more circumspect about their data and who has access to it. Increased international trade means that the privacy requirements of other countries will also impact Indian businesses. A robust and well-executed compliance program under DPDP will help gain consumer trust, enhance engagement, increase retention, and provide a competitive advantage.
Businesses must use the extra time before the Rules under the DPDP get implemented to thoroughly reassess direct marketing programs, which will not be able to continue as-is under the DPDP. This reality must sink in.