No More “Legitimate Interest”? The DPDPA’s Tight Leash on Promotional Messaging in India
By Advocate (Dr.) Prashant Mali
Cyber & Privacy Lawyer | International Policy Expert | Bombay High Court Advocate
“I get hundreds of calls, messages, and emails, mostly promotional. I imagined the Digital Personal Data Protection Act, 2023 (DPDPA) might finally put an end to this.”
If that quote resonates with you—you’re not alone. Welcome to India’s digital Wild West, now entering the era of compliance sheriffs. But here’s the clincher: unlike GDPR or the UAE’s PDPL, India’s DPDPA does not allow “legitimate interest” as a legal basis to process personal data.
Yes, you read that right.
🔍 The Myth of "Legitimate Interest" Under DPDPA: Busted
In GDPR (Article 6(1)(f)), "legitimate interest" acts as a lifeline for businesses—letting them process personal data without explicit consent if they can prove that the interest is lawful, necessary, and not overridden by individual rights. Similarly, UAE’s PDPL allows data controllers to invoke such grounds, with guardrails.
But DPDPA 2023, in all its sovereignty-embracing glory, drops the gavel hard:
There is no provision for "legitimate interest" or "contractual necessity" as a basis to process personal data.
So those unsolicited promotional WhatsApps, SMSes, or spammy emails? No more hiding behind vague business justifications.
📜 What Does the DPDPA Say Instead?
DPDPA is clear: consent is king. And not just any consent—Section 6 demands:
- Free
- Specific
- Informed
- Unambiguous
- With a clear affirmative action
And under Section 7, where "deemed consent" could offer some wiggle room, the bar is high and purpose-specific—like providing a requested service, compliance with law, or medical emergency situations.
It does not include promotional activities or marketing communication.
Sharing data voluntarily (say, giving your phone number for a one-time OTP) does not mean you’ve agreed to be bombarded by offers from 13 random brands.
🤔 So What Now? Are Companies Stuck?
Well… yes and no.
❌ Can they keep sending promotional messages without consent?
No. That would be unauthorised processing, a clear breach, potentially attracting penalties under Sections 33 and 34 of the DPDPA Rules (awaiting final notification, but expected to include graded penalties for non-consensual communications).
🔁 Will companies now seek consent for every promotional message?
They’ll need to—but cleverly. The new playbook will be:
- Bundled consent at the point of onboarding (though not forced)
- Clearly worded options to opt in/out of marketing
- Consent dashboards (mandated under Section 12 for Data Fiduciaries)
🕳️ Will they find loopholes or “legitimate” workarounds?
Some might try. Watch out for:
- “Transactional” labels on marketing messages
- Hiding consent deep in privacy policies
- Partnering with Data Processors who claim to have “lawful consent”
But under DPDPA, the burden of proof lies with the Data Fiduciary. If someone complains, you’d better have clean, timestamped, opt-in logs.
🗣️ Will there be government clarification?
Absolutely. The Data Protection Board of India (DPBI), once operational, is expected to issue guidance clarifying ambiguities—especially around what qualifies as “informed consent” in marketing, and whether certain categories (e.g. existing customers) can receive limited communication.
🛑 DPDPA vs GDPR: A Quick Matrix
| Feature | GDPR | DPDPA 2023 |
|---|---|---|
| Legitimate Interest | ✅ Yes | ❌ No |
| Contractual Necessity | ✅ Yes | ❌ No |
| Consent Required for Marketing | ✅ Mostly | ✅ Always |
| Deemed Consent for Promotion | ❌ No | ❌ No |
| Penalties for Violation | ✅ Yes (up to €20M) | ✅ Yes (up to ₹250 crore per instance) |
💬 Final Reflection: The Beginning of the End of Spam?
While the law is robust, enforcement is everything. Once the DPDPA Rules are finalised and the Data Protection Board is live, we’ll see:
- Sharper consent frameworks
- Cleaner digital communications
- An end to data brokering in the shadows
But until then, vigilance lies with us. Individuals must start saying “no” with greater frequency. And companies must embrace privacy by design, not as a checkbox but as a core strategy.
India just rang the death knell for lazy, exploitative marketing. The age of the permission-first data economy is here.
Time for marketers to unlearn, and for citizens to reclaim their digital dignity.
Author's Note
The DPDPA’s intent is unambiguous: Indian citizens are not products, and their data is not free real estate. In my opinion, the absence of “legitimate interest” is not a limitation—it’s a moral recalibration. Let businesses adapt.
Actionable Advice for CISOs, CMOs, and Founders:
- Review your data collection and marketing practices immediately.
- Build a granular consent architecture—not blanket approvals.
- Educate your teams. Ignorance won’t shield you from fines or reputational damage.
Because in the DPDPA era, silence is not consent.
