Walking into a store where every step you take is tracked, every product you look at is noted and every hesitation is recorded – creepy, right? This is the digital reality we live in, where these harmless-sounding cookies quietly monitor our every move online. But with the world shifting toward a ‘cookie-with-consent’ model, an alarming number of consumers and brands alike are unaware of laws that protect data. “ In India, a vast majority treat cookie consent pop-ups like something to click on to get to the next page they want. They just want the pop-ups/fine print to stop interrupting their browsing! While global trends push for more transparency, Indian consumers remain largely passive. Many just hit “Accept All” without a second thought,” Siddharth Chandrashekhar, advocate and counsel, Bombay High Court, told BrandWagon Online. This is problematic primarily because India is one of the largest data markets in the world, yet a majority of users still lack a nuanced understanding of what it means when brands collect their data. For consumers, the big question is—Do they care? As of now, not enough, but with the rise of data breaches and misuse of personal information, the tide is more than likely to turn soon, he added.
Only 16% of Indian Consumers understand the intricacies of the DPDP Act (Digital Personal Data Protection Act), and an even smaller number of companies, just nine per cent, claim to fully comprehend the law. This lack of awareness isn’t just a technical oversight; it’s a ticking time bomb for brands navigating consumer trust and legal compliance. The PwC survey reveals that 56% of consumers are unaware of their data rights under the DPDP Act. Even more concerning, 69% of people don’t know they can withdraw consent once given, meaning many are essentially giving brands a free pass to track and store their data indefinitely. “With the widespread use of cookies and other tracking technologies, it is typical for organisations that use such technologies as part of their websites and applications to adopt a ‘cookie policy’ that governs the use of the same. However, it is pertinent to consider that such a policy alone may not be sufficient to demonstrate compliance with the DPDP Act,” Prashant Phillips, executive partner, Lakshmikumaran & Sridharan Attorneys, said. Instead, the use of policies must be accompanied by providing informed notice and consent, implementing technical and organisational measures, providing opt-out mechanisms, providing procedures for data principal rights, and aligning with privacy principles, he added.
Experts opine that as global companies have to follow the GDPR guidelines, they will also know the nooks and corners of the DPDP Act. As India is home to a vast number of mid-sized industries and organisations, the repercussions spurt here. “Data Processors/Fiduciaries must now start to play it safe. While European companies have been hit hard by GDPR’s consent-first culture, India’s now DPDP Act brings similar pressures. Brands must now go beyond merely collecting consent—the Data Processors/Fiduciaries need to prove that they’re safeguarding consumer data. Transparency, compliance, and education are now survival tools. So, whether it’s reducing cookie creepiness or ensuring airtight security, Data Processors /Fiduciaries must be on their A-game or risk the wrath of both consumers & regulators. Before Data Processors /Fiduciaries gather those cookies, brands ought to first start to gather crumbs of consumer trust,” Chandrashekhar added.
What should brands do?
This is not a situation where ignorance is bliss, this is far from it. 42% of consumers are unsure if they would continue using a company’s services following a data breach, the PwC report revealed. It is safe to say that brands must take this as a wake-up call. If consumers don’t trust you with their data, they will walk away. “Invest in Education: Data Processors/Fiduciaries need to upskill their compliance teams. Onboarding with legal experts and data protection consultants is no longer optional—it’s essential and an ideal start. Data Processors/Fiduciaries need to simplify their data protection so that anyone from a 12-year-old to an 80-year-old would understand what they’re providing when they give their consent,” Chandrashekhar opined. Having a surface-level understanding of the DPDP Act isn’t enough. With a market as vast and varied as India’s, brands can’t afford to be lax. Brands need to adopt a GDPR-like approach: audit data practices, ensure transparency, and obtain clear consent. Investing in compliance is no longer optional—it’s the cost of doing business, he added. “Lastly, the Act’s current language is ambiguous concerning the processing of personal data that is available in the public domain. The upcoming consultation on the data protection Rules is an opportunity for businesses to negotiate for clarity, and to secure legal and operational certainty as the Act is implemented. If such ambiguities persist, there is a risk that the repeated disputes and legal cases will produce jurisprudence which repeatedly affects compliance for companies,” Sidharth Deb, manager, public policy, The Quantum Hub, added.
The legal risk of playing fast and loose
Although it might seem like brands have taken the DPDP Act for granted, it should be noted that the act has sharp teeth. Failing to obtain explicit consent for data collection can result in hefty fines, with penalties reaching up to Rs 250 crore for major violations. Beyond financial penalties, the reputational damage could be devastating. In an era where privacy scandals can snowball into public relations nightmares, companies can’t afford to be complacent. Additionally, the government may mandate corrective actions, further adding to operational costs.
In this new era of data privacy, the way brands handle consumer data will define their future. “India’s rising data breaches and low consumer awareness pose serious challenges, but there are solutions. Brands and the government must focus on educating consumers about their data rights while enforcing strong data protection laws. Companies need to adopt ethical data practices, invest in cybersecurity, and empower consumers with control over their data. Though a lack of awareness may lead to exploitation, brands that prioritise data security can stand out and build lasting trust. Embracing privacy-enhancing technologies will further protect consumer data and strengthen market trust. This is a crucial moment for brands to lead with integrity in India,” Gopa Menon, chief growth officer – APAC, Successive Technologies, said. As India embraces stricter regulations like the DPDP Act, brands must shift from merely collecting data to actively building trust through transparency and accountability. Those who prioritise educating their customers, obtaining clear consent, and safeguarding personal information will not only avoid legal pitfalls but also foster deeper consumer loyalty.