Last week, the Ministry of Electronics and Information Technology (MeitY) published the fourth iteration of the country’s data protection bill. Dubbed as the ‘Digital Personal Data Protection Bill’, the proposal aims to ensure the protection of user data and online privacy. The draft talks about big entities, social media platforms and even companies being accountable for the consumer data and seeks to prohibit misuse of personal data of users.
Hefty penalties are also in store for companies breaching certain rules.
Storyboard18 reached out to industry executives to understand their interpretation of the draft and how it could possibly impact their business.
To be sure, data for marketers can include anything from consent Personally identifiable information (PII), to cookies and Ad IDs.
A CMO at a leading automotive commercial vehicle OEM says that marketers need to ensure collecting data will state upfront an ‘itemised notice’ and there will be a mechanism that such cookie acceptance notification becomes an easy to adopt modality.
“Such data collected needs to be used for the stated purpose which means cross fertilisation of data may not be possible across other product lines by the same company /or/ should state clearly the associated business,” the executive adds.
Total addressable market could shrink
Wakefit which leverages Google and Meta heavily states that it reaches its prospective customers through non-personal data such as their demographic, interests and affinities to run campaigns.
“… if the bill, once it becomes a law, still allows Google or Meta to track customers based on their interests, then we can target them in the same way that we are doing right now. Nothing much changes,” notes Savijeet Singh, Head – Digital Marketing, Wakefit.co.
The direct-to-consumer (D2C) home solutions startup collects personal data when the user lands on its site and consensually shares his/her personal data (name, number or email address). The current bill clearly demarcates personal data and non-personal data.
“We will definitely see a shrinkage in the overall volume of users. In such a case, brands may need to pivot to maybe ATL/BTL activities to ensure that these customers are also being advertised,” Savijeet Singh, Wakefit.co
Wakefit says that it has been stringent about the customer privacy since it’s paramount that the customer feels that their privacy is being respected.
“So, all our internal compliance and server side security is already on par with what the bill is demanding. But definitely we will ensure that our security and compliances are much more in line with the draft that the bill is proposing. Secondly, what I do see being affected is the total addressable market that Google and Meta has, since users will be given an option to opt out. We will definitely see a shrinkage in the overall volume of users. In such a case, brands may need to pivot to maybe ATL/BTL activities to ensure that these customers are also being advertised,” he notes.
Impact on D2C players
Singh also highlights that often companies align with a third partner service for reaching out to customers through services such as WhatsApp after they have given consent for the first-party data. In case, certain users decide to opt out later on then it could be a challenge to ensure that the service providers take users out from their promotional/marketing flows.
“The other problem that I see might affect a lot of D2C players is promotional messages. There’s a lot of transactional communication that goes to the customer, whether it is order delivery status or transaction related updates such as discounts/cashbacks. There’s no differentiation right now between transactional and promotional messaging also. So if something related to this will be built into the bill once it is further revised will give much needed clarity,” he explains.
Clarity required
Each brand/ marketer dealing with data will have to appoint a data protection office (DPO) eventually and the same can overlook all nodes data processing, storage & discarding in a safe and effective manner. Since data cannot be stored for perpetuity the CDP’s (customer data platform) needs to connect to a central repository which can also monitor permission, correction of data and eventually discard.
“As of now, no clear mention on classifying cookie id (although getting depreciated by 2024) and Ad Ids classification in the draft bill – this is to be seen : will they be treated as personal data? However, the government may expect certain startups from adhering to this bill and this will be a function of the number of users and volumes which could be in the interest of such new age business,” says the CMO quoted above.
Strict Penalties
Bharat Khatri, Chief Digital Officer, APAC at Omnicom Media Group suggests that penalties for foreign entities and tech giants should not be in Indian rupees.
In a LinkedIn post, he writes, “In exchange of exporting & misusing petabytes of Indian consumer data to build more deeper AI & ML models Rs 100-200 cr is a very low cost or investment to build the billion $$$ (dollar) enterprise valuations, so penalties should be based on companies’ residential status & utilities for which they are transferring this data outside India.”
As data becomes critical to reach consumers, companies have to work hard to ensure that they create sticky individual platforms where customers share their data helping them to build first-party data. This data needs to be leveraged in compliance with the rules that the government will eventually release under the new law.