Asci said that before the final data protection rules in India are notified, advertisement companies must also undertake data audits to check their preparedness
Advertisement companies must adopt the "privacy by design" approach before the final data protection norms are notified, to do away with the need to take repeated consent from internet users, the Advertising Standards Council of India (Asci) said on Thursday.
In a whitepaper titled "Privacy and Progress: Pillars of Digital Bharat", it said, "Building a more holistic technological approach, with privacy by design as its first principle, is vital to maintaining a robust internet that puts users back in control."
According to the Digital Personal Data Protection Act 2023, which was passed in Parliament last year, companies cannot process the personal data of users unless they obtain "informed consent" or have a "legitimate use". Consent would also be required for using previously stored data.
Under the privacy by design (PbD) approach, privacy protection and consent requirements are built directly into the planning and development of digital products and services. It does away with the need to ask for permissions again and again.
Talking to Business Standard, Manisha Kapoor, chief executive officer and secretary general at Asci, said that PbD will make it easier for users to surf the internet. "We cannot put the burden of consent understanding and management so much on the consumers," she said, adding that they must only be subjected to a "reasonable consent burden".
Asci said that before the final data protection rules in India are notified, advertisement companies must also undertake data audits to check their preparedness.
Indranil Choudhury, founder at Lexplosion, which helped Asci prepare the whitepaper, said that there are several consent-related activities which need to be done. And since the final rules are not out yet, this is a "good time" to do a preparedness audit.
"So, organisations should look at various data sources that they deal in currently and see which of these require consent and what the current modality of seeking consent is," he said, adding that companies must also identify the sources of their past data and have the right mechanisms in place to seek consent for it.
Choudhury also said that companies must make sure that their vendors are ready to apply data privacy norms.
The whitepaper said, "They [companies] should assess data collection and usage practices and try to delete any additional data collected."
It also highlighted, "Moving forward, advertising and marketing must undergo a paradigm shift, requiring close collaboration between marketing, data protection, compliance and IT teams to ensure responsible data usage."
Manisha added that while the act is a step in the "right direction", it would be key to see how much runway is given to the companies to be compliant. "A lot of changes that are done online, you may not be able to do them overnight," she said.
She also said that it would be important to note what roadmap the Centre and the advertisement industry come up with to help small and medium enterprises build the capacity to follow the data protection norms.