As per the latest report, Elara Capital expects the DPDP Bill to have a positive impact on companies/platforms that use first-party data, whereas players using or sharing third-party data (Google cookies, publisher platforms) could see a negative impact; this could potentially mean that sourcing data may become an expensive proposition for programmatic companies like Affle, as they may need to invest in enhancing their own database (first party).
This Bill mirrors the UK’s GDPR (General Data Protection Regulation) in terms of the major norms mentioned therein. Elara Capital expects that Internet platforms like Zomato, Nykaa, and Paytm may have relatively lesser monthly active users (MAUs) as compared to social/search giants like YouTube, and Meta.
However, as per Elara Capital, the former has a detailed understanding of their limited customer base, with more intelligence around their purchasing/consumption patterns. As per the report, E-commerce giants like Amazon, and Flipkart will have a big edge due to data protection, as they can earn ad revenue with the help of their first-party data, which will help provide better monetization and profitability over the medium term.
Substantial penalties
The entirety of the act's liability is placed upon the data fiduciary. The responsibility for implementing safeguards to ensure data protection also falls solely on the data fiduciary. As per Elara Capital, implementing the requirements should not pose a significant challenge for data fiduciaries, provided they approach it with seriousness and a willingness to comply.
The Bill makes it obligatory to report breaches of the principles, regardless of whether the breach is categorized as a high-security breach or not. Elara Capital further believes that the entities will feel apprehensive about the substantial penalties, given their magnitude, and failure to inform both the board and the principle in case of a data breach can lead to significant fines being imposed.
Elara Capital further suggests that rather than waiting for the possibility of never being reported and taking on the associated risks, companies could proactively reach out to a wider customer base about the data leak. This approach would involve enhancing compliance efforts and demonstrating a commitment to addressing the issue.
Inspired by EU’s GDPR
The Indian legislation has drawn significant inspiration from the EU's General Data Protection Regulation (GDPR) and is built upon its framework. The authorities have analysed the real-world challenges that arose with GDPR and incorporated those insights into the crafting of this Bill. The primary objective is to ensure the responsible processing of personal data and establish robust data privacy rights for individuals. Both regulations emphasize the handling of personal data through consent, although there are specific scenarios where consent might not be obligatory. As per Elara Capital, the Government has skilfully navigated the task by avoiding excessive amendments and appropriately identifying areas of overlap with other laws.
Challenges in accessing third-party data
As per Elara Capital, the targeted advertising technology companies operating in this domain and relying on third-party data for tailored advertisements will encounter additional challenges. Since they don't directly gather the data, using third-party data will demand heightened attention.
Elara Capital further expects well-established players involved in collecting, distributing, or selling data to swiftly adapt to the provisions of this new act. As per the report, these programmatic ad tech players could resort to either investing in their own database or recovering the higher costs from clients via higher pricing.
Small businesses, lacking substantial resources to engage established players, are focusing on diligently ensuring proper compliance. They recognize that firsthand data collection is significantly preferable to relying on third-party data access. As per the report, the bigger technology companies might be required to establish compliance requirements slightly ahead of smaller players and startups.
Benefits
Elara Capital expects companies operating multiple businesses to find common ground internally, where data exchange occurs among their various segments or units by following proper compliance. This aspect should be regarded as a protective measure for sharing information securely.
In the case of large tech giants, Elara Capital expects them to adhere to the supplementary data requirements. These companies heavily rely on technology, so many of the obligations are likely already integrated into their operations.
Furthermore, Elara Capital expects the introduction of this regulation to bring about a positive impact, leading to an enhanced safety net. Regarding children's data, obtaining verifiable parental consent is a requisite. The act has established a mechanism for addressing grievances within its provisions. The composition of the board is explicitly outlined in the act.