In the digital age, data is a currency—and you are the bank. Every time you log in to a website, sign up for a service, or download an app, you’re often unknowingly handing over personal information—your name, mobile number, location, shopping habits, and sometimes even more sensitive data like your Aadhaar number or health records.
But here’s the catch: before anyone can collect your personal data, they’re legally required to tell you exactly what they plan to do with it. This is not just ethical—it’s now the law under India’s Digital Personal Data Protection Act (DPDPA), 2023.
As a cybersecurity expert, let me walk you through what information every data fiduciary (like apps, websites, service providers) must provide to you before collecting your personal data, and how you can hold them accountable.
Understanding the Key Players
Before we dive in, here’s a quick breakdown:
- Data Fiduciary: Any organization (like a tech company, hospital, bank, or social media platform) that determines the purpose and means of processing your personal data.
- Data Principal: That’s you—the person whose data is being collected.
- Personal Data: Any data that can identify you—name, phone number, IP address, biometrics, email, location, etc.
Under DPDPA, data fiduciaries must provide clear, specific, and accessible information before they collect your data. This ensures you give informed consent—not blind approval.
What Must Data Fiduciaries Tell You?
According to Section 5 and Section 6 of the DPDPA, data fiduciaries are required to provide you with a “notice” before or at the time of requesting your personal data. This notice must include the following critical details:
1. Purpose of Data Collection
They must clearly explain why they are collecting your data—whether it’s to provide a service, analyze your behavior, send updates, or personalize content.
🟢 Example: If you download a travel booking app, the notice should say:
“We collect your location and contact information to suggest nearby travel deals and send you booking confirmations.”
📌 Why it matters: You should know if your data is used only for booking—or also for advertising, analytics, or third-party sharing.
2. Type of Data Collected
They must list the categories of personal data they plan to collect—basic data (name, email), sensitive data (financial, health), or behavioral data (browsing history, preferences).
🟢 Example: A fitness app should disclose:
“We collect your name, age, gender, daily activity data, sleep patterns, and heart rate from wearable devices.”
📌 Why it matters: Knowing what data is collected helps you assess the privacy risk.
3. How the Data Will Be Used
The notice must specify how your data will be processed—will it be stored, shared, analyzed, or sold? And for how long will they retain your data?
🟢 Example:
“We use your data to generate fitness recommendations. Data is stored for 12 months and deleted afterward.”
📌 Why it matters: Without this, your data could be kept indefinitely or used for profiling.
4. Third-Party Sharing
If your data will be shared with other companies, vendors, advertisers, or government bodies, this must be disclosed clearly.
🟢 Example:
“We share your contact information with our delivery partners for order fulfillment. We do not sell your data to third parties.”
📌 Why it matters: Many data leaks and privacy violations happen due to third-party mishandling.
5. Your Rights as a Data Principal
You must be informed about your rights under DPDPA, such as:
- The right to access your data,
- The right to correction,
- The right to erasure,
- The right to grievance redressal,
- The right to withdraw consent at any time.
🟢 Example:
“You have the right to request access, correction, or deletion of your data by emailing privacy@company.com.”
📌 Why it matters: Most users don’t know they can demand data erasure after deleting an app—this law makes it mandatory for the company to tell you.
6. Method to Contact for Grievances
They must provide a grievance redressal mechanism—a phone number, email, or portal to raise complaints or concerns.
🟢 Example:
“For any privacy concerns, contact our Data Protection Officer at dpo@xyz.in or call +91-9876543210.”
📌 Why it matters: You shouldn’t have to go through complicated processes to raise a data-related issue.
7. Identity of the Data Fiduciary
The notice must also include the name and contact information of the organization collecting your data—you have a right to know who is using your data.
🟢 Example:
“This data is being collected by ABC Travel Pvt. Ltd., registered in Mumbai, India. Contact: support@abctravel.in.”
📌 Why it matters: It gives you transparency and a legal path for escalation if needed.
8. Consent Withdrawal Process
You should be informed how to withdraw your consent and what impact it will have on the services provided.
🟢 Example:
“You may withdraw consent anytime through our app settings. This may limit access to personalized recommendations.”
📌 Why it matters: Consent is not a one-time approval—it’s revocable.
Real-World Scenario: Informed Consent in Action
Let’s say you install a loan comparison app. It asks for your:
- PAN number
- Aadhaar card
- Bank account access
- Location
Before giving this information, the app must show a notice explaining:
- Why each piece of data is needed (e.g., identity verification, fraud checks),
- Who else may access this data (like lending partners),
- What will happen if you don’t provide it,
- And how to delete the data after uninstalling the app.
If it doesn’t do this, it’s violating the law—and you can take action.
What Happens If Data Fiduciaries Don’t Comply?
Under the DPDPA, if a company fails to give you this mandatory information, it can face hefty penalties—up to ₹200 crore per violation.
And if your data is mishandled due to improper or hidden practices, you can:
- File a grievance with the company,
- Escalate to the Data Protection Board of India,
- Demand erasure or compensation.
Practical Tips for You (The Data Principal)
✅ Always Read the Privacy Notice
Even if it seems boring, take a moment to read the permissions an app requests and why.
✅ Ask for Clarification
Use customer care or grievance contacts to ask:
- “Why do you need this data?”
- “How long will you store it?”
- “Can I delete it later?”
✅ Use Consent Managers (when available)
DPDPA allows you to manage consents centrally through authorized Consent Managers—tools that help you view, approve, or revoke permissions easily.
✅ Avoid Apps That Don’t Provide Transparency
If a site or app skips explaining its data usage, don’t use it. Trustworthy services are upfront and DPDPA-compliant.
Conclusion
The Digital Personal Data Protection Act, 2023 is not just a policy—it’s a shield that empowers every Indian citizen to take control of their personal data. The requirement for data fiduciaries to provide clear and full information before collecting your data ensures that you are no longer in the dark about what happens to your digital identity.
Whether you’re booking tickets, ordering groceries, or uploading documents—you deserve to know how your data is being used. The next time an app or website asks for your details, pause and ask: “What will you do with my data?” If they can’t answer, they don’t deserve your trust.
Because in the digital world, informed consent is your superpower.