Navigating the murky waters of adtech privacy

The advertising industry in India has experienced rapid advancements in advertising technology or adtech. Advertisers can monitor individuals across diverse digital channels and create profiles for personalised advertising. However, this raises privacy considerations in a complex market with intricate data exchanges between players in the data supply chain.

Adtech is not regulated strictly, and the legal framework for data protection is still evolving. Existing data protection law primarily governs the processing of certain sensitive personal data, which requires consent. Other personal information processing is not so controlled. Adtech players have been able to gather vast amounts of personal data without restriction.

Existing law does not differentiate between entities carrying out different data processing roles. However, the new personal data law, the Digital Personal Data Protection Act, 2023 (DPDPA), holds only data fiduciaries liable, while data processors have no statutory obligations. Adtech participants should understand their roles under the DPDPA, as they may be both data fiduciaries and data processors depending on their processing activities.

For example, a demand management platform (DMP) may be both a data fiduciary and a data processor if it processes user data for its own analytics and on behalf of a client. Some organisations perform multiple roles, combining functions such as those of demand-side platforms, supply-side platforms, and DMPs. Players must have robust data processing agreements that clearly delineate processing roles for different activities and set out liability for the processing of user information.

The DPDPA requires the processing of personal data to be lawful, primarily through consent. This is in the absence of a ground that permits processing personal data for an organisation’s legitimate interests. A consent-based adtech regime is therefore likely, posing challenges for the market. Borrowed from European jurisprudence, consent standards under the DPDPA are stringent, in contrast to existing privacy practices. Consent requests and privacy notices will require a complete overhaul. As most players in the adtech industry are not user-facing, the DPDPA will compel them to rely on third parties to obtain consent for their own processing of personal data, exposing them to liability for third-party acts. The shift to consent-based advertising, with users able to opt out, will be a hurdle for business models dependent on ad-based revenues. Businesses may restructure their offerings to make personalisation an essential and inseparable part of their product or service and deny access to users who do not accept targeted advertising. This should be done with caution and only where personalisation is essential to avoid liability for forcing consent on users.

The DPDPA prohibits the tracking and targeting of advertisements aimed at children, namely those under 18. To avoid heavy penalties, publishers must implement robust age verification processes to avoid advertisements targeting minors. The law is widely worded, and almost all internet services will need to put in place age-aware mechanisms. This has implications for companies targeting children and also generating ad revenue, such as social media and OTT platforms.

While the DPDPA brings much-needed clarity and privacy regulation to the adtech industry, further guidance will be needed. This includes the exemption for data made publicly available by an individual, as its scope is unclear. Whether an organisation can use social media users’ public activity, such as likes and comments, to profile and target advertisements, particularly with minors, is unknown.

Adtech companies in India should review their processing activities, adopt global best practices and comply with the upcoming data protection law. They must revise data collection practices, provide robust consent mechanisms and analyse processing purposes and roles.

Advertisers may adopt alternative models that replace traditional adtech while preserving user privacy. Examples are federated learning of cohorts, topic APIs and in-session marketing. These allow some form of targeted advertising using minimal or no personal data. By prioritising data protection and ethical practices, adtech companies can live with the evolving regulatory landscape while maintaining consumer trust.

Ada Shaharbanu is a senior associate and Archita Sharma is an associate at Spice Route Legal.