How adtech companies can adapt to India's data protection revolution

The digital advertising landscape in India is on the cusp of a significant transformation. The arrival of the Digital Personal Data Protection Act (DPDPA), akin to the EU's General Data Protection Regulation (GDPR), ushers in a new era of stricter regulations for data collection, processing, and, most importantly, individual privacy rights.

Before diving in, let's establish some key terms:

·      Personal data: This encompasses everything from Aadhaar numbers and passport details to seemingly innocuous things like browsing history and cookies. Essentially, anything that can directly or indirectly identify an individual.

·      Data principal: The individual whose data is being collected.

·      Data fiduciary: The platform or website calling the shots on how this user data is used (think social media giants or e-commerce platforms).

·      Data processor: The company handling the data on behalf of the Fiduciary (ad tech companies are prime examples).

The Impact: New responsibilities

The DPDPA casts a long shadow, with the onus falling squarely on data fiduciaries. They'll need to be extra vigilant about obtaining clear, informed consent, managing data security with an iron fist, and respecting a user’s rights as a data principal. Data processors, while not directly liable, will be held accountable to the Fiduciary for ensuring compliance.

The DPDPA empowers consumers to take control of their data. This includes right to access information regarding the personal data, right to correct or update personal data as well as right to delete. There are provisions to erase personal data when the data subject revokes their consent; or as soon as it is reasonable to assume that specified purpose is no longer served.

Moreover, the data has to be periodically purged in compliance with the prescribed retention periods depending on user agreements of mandated guidelines by the government. DPDP also offers the right to appoint a nominee to exercise rights in case of death or incapacity, and give intimation of data breach to the Data Protection Board and each affected data subject.

For redressal of grievances, they should also compulsorily appoint a Grievance Officer and publish the contact details. The DPDP act mandates robust data security measures, with hefty penalties for non-compliance (remember the billion-dollar GDPR fines and still climbing?).

However, the accompanying rules and procedures are yet to be finalised by the government, leaving some grey areas before companies take action.

Industry standardisation: Critical necessity

The above changes mandate that the data fiduciary manages data user’s rights across the adtech ecosystem, presenting a complex and unique challenge. For example, take the case of the requirement of ‘Right to Erase’—it will require that data fiduciary communicate this request to all the participants of the adtech ecosystem with whom the data has been shared.

For the digital advertising industry and adtech ecosystem, specifically the Programmatic ecosystem, running on Real Time Bidding (RTB) paradigm, multiple Publishers, Supply Side Platforms (SSP), Demand Side Platforms (DSP), Data Management Platforms (DMPs), brand advertisers, their ad agencies and other adtech service providers are involved in each ad delivery transaction.

This necessitates, critical need for standardisation of the process of communication of the ‘Right to erase’ and its interoperability among all the players. In the absence of standardisation, every organisation will have to build custom APIs to communicate and signal data rights to each other. That will entail huge cost for everyone.

Industry collaboration is they key solution

Thankfully there is some help getting available, by the recently released ‘Data deletion request framework’ developed through collaborative effort of industry orchestrated by IAB Tech Lab', an international data setting standards body of the digital advertising industry. This framework establishes a standardised process for transmitting the ‘delete’ requests across the entire ad tech ecosystem securely and efficiently upholding the data principal’s privacy rights under the DPDPA.  

It is not the first time that industry collaboration for standardisation has provided the path to scalable and efficient path to compliance with data protection and privacy regulations. Transparency and Consent Framework (TCF) and IAB Tech Lab Global Privacy Platform (GPP) are similar examples, which are used in over 85% of advertising transactions in Europe as well as for compliance with multiple state regulations such as GDPR and US state regulations (now over 15 in number).

The call to action: Collaboration for interoperability

Developing a standard for implementing data privacy regulations is a multiple step process. The first is a clear understanding of the legal implications for the industry is required so the regulations need to be inferred by legal professionals.

Secondly, a policy for the advertising industry needs to be established by legal professionals along with technology experts. The third is a technical mechanism to propagate the policy across different entities is developed by technology experts for e.g. consent collection and propagation mechanism, data rights frameworks etc.

It is imperative that Indian adtech service providers, publishers, agencies, and advertisers collaborate amongst themselves and with international standard setting organisations. IAB has already started the first step, CJPP India Chapter meetings, to develop interoperable standards to help shape a future of responsible policy and technical standards for DPDPA. By working together, we can ensure a thriving digital advertising ecosystem that prioritises both innovation and consumer trust.

-Shivendra Misra, director-APAC of IAB Tech Lab.