Introduction
The coming into force of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), with its myriad compliances, has had widespread implications for companies – more so for B2C companies. B2C companies have been making the most of the benefits of the digital age available to them, whether by marketing to attract new customers or by taking steps to retain existing ones. The first rule of these businesses is, arguably, building a loyal customer base. Towards this end, these companies adopt several methods to promote customer loyalty and increase the rate of customer retention.
The lure of loyalty points has proven a very strong motivator, and the promise that a customer's cumulative spends will be rewarded with gifts and discounts appears to have a particularly strong appeal to customers. This is evident from its widespread adoption by most B2C companies. While several businesses give customers the option of purchasing products online and collect personal data from the customer to enable payment and/or delivery of these products, loyalty programmes go a step further by retaining customer purchase history, along with personal data, for extended periods of time.
Is 'specified purpose' specific enough?
There are primarily two ways in which customers sign up for these loyalty programmes – online and through company employees in their stores, both of which require the customer to submit a record of their personal data with the company. The first step as per the DPDP Act should be to obtain consent from the data principal, accompanied or preceded by a notice informing the data principal of the personal data being processed, the purpose for the same, and the manner in which the data principal may exercise her rights.
This requirement of prior consent is one of the cornerstones of the DPDP Act, and there are very few circumstances that are exempt from it. These exemptions are referred to as 'legitimate use' under the Act and are detailed in Section 7. However, apart from the requirement of prior consent, the remaining provisions of the Act, including the obligations of data fiduciaries and the rights available to data principals, will continue to apply even to the circumstances covered under the legitimate use provision.
One could argue that the collection and processing of this customer personal data could fall within the 'legitimate use' provision under Section 7(a)[1] of the DPDP Act, which provides an exemption from obtaining the data principal's[2] consent if the data principal has 'voluntarily' provided her personal data to the data fiduciary[3] for a 'specified purpose'[4]. However, unless the term 'voluntarily' is strictly interpreted as consent provided by the customer pre-emptively for services requested by her, and not based on a requirement of or request by the company, the purpose of the Act will be defeated. Any other interpretation of 'voluntarily' would obscure the need for prior consent to be obtained in cases where the notice for consent is drafted specifically enough.
This interpretation is supported by the Illustrations[5] to Section 7(a), in which 'specified purpose' appears to have been used for services requested by the data principal, and for a single activity or purpose as opposed to an ongoing activity. This can also be inferred from the phrasing of Section 6(4)[6] of the DPDP Act, under which the right to withdraw consent, and the ease of doing so, is only available if consent was the basis of processing the personal data in the first place. In the case of processing under the specified purpose clause, the Illustrations appear to link the cessation of data processing with the purpose having been served.
The only way a company's loyalty programme would fall within the realms of legitimate use as defined in the Act, would be if:
- The request does not originate from the company, and the customer pre-emptively requests that she is enrolled in the loyalty programme and provides her personal data to the company for this purpose; and
- The company processes the personal data specifically to enrol the customer for the loyalty programme and record her points; and
- The data is not used for any purpose beyond the enrolment for the loyalty programme and maintaining a record of points; and
- The personal data is erased once the purpose is served; and
- The customer has not indicated that she does not consent to the use of her personal data for this purpose.
Considering the practical realities of loyalty programmes, it is highly unlikely that a loyalty programme will fall strictly in this category. Thus, this exemption is more likely to apply to a request from the customer for delivery of products to a particular address or sending the invoice to a phone number or email id.
Challenges of compliance
It is clear that these companies will need to ensure that they comply with the provisions of the DPDP Act with regard to personal data collected under loyalty programmes. However, there are a few specific provisions that providers of loyalty programmes might need to pay special heed to, especially considering the bulk of data collected over the years and the foreseeable practical hurdles of ensuring compliance with regard to data already in their possession.
This includes provisions pertaining to retaking consent from existing customers enrolled in such programmes, tracking use of these accounts to assess when the specified purpose is no longer being served, the possibility of having to serve a notice before deletion of personal information, identifying children's data that may have been collected, tracking down processors and other third parties to whom the data has been given, and identifying the other purposes for which the data is being used. There is no doubt that companies have a colossal task to undertake in complying with the DPDP Act vis-à-vis this personal data.
One unique problem presented by personal data collected during sign-ups for these loyalty programmes pertains to sign-ups that happen in-store. Most stores do not obtain memberships on paper, nor do they have a separate screen available for customers. Thus, it may be assumed that the information is collected by employees, as is very commonly done and promoted at billing counters. This would effectively mean that, unless carried out specifically for billing purposes only, such sign-ups would be in violation of the Act since 'prior' written notice and consent could not have been obtained.
Conclusion
It is apparent from a reading of the Act that loyalty programmes, which were originally adopted as a means to increase business, might just end up being more trouble than they are worth unless steps are immediately taken and appropriate changes are made. If a business does wish to have a loyalty programme, it needs to ensure strict compliance with every aspect of the DPDP Act.
Footnotes
1. Section 7(a) of the DPDP Act states that a Data Fiduciary may process personal data of a Data Principal for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data.
2. Section 2 (j) of the DPDP Act defines "Data Principal" as the individual to whom the personal data relates and where such individual is—
(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with disability, includes her lawful guardian, acting on her behalf;
3. Section 2 (i) of the DPDP Act defines "Data Fiduciary" as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
4. Section 2 (za) of the DPDP Act defines "specified purpose" as the purpose mentioned in the notice given by the Data Fiduciary to the Data Principal in accordance with the provisions of this Act and the rules made thereunder;
5. The Illustrations to Section 7(a) of the DPDP Act are as follows:
(I) X, an individual, makes a purchase at Y, a pharmacy. She voluntarily provides Y her personal data and requests Y to acknowledge receipt of the payment made for the purchase by sending a message to her mobile phone. Y may process the personal data of X for the purpose of sending the receipt.
(II) X, an individual, electronically messages Y, a real estate broker, requesting Y to help identify a suitable rented accommodation for her and shares her personal data for this purpose. Y may process her personal data to identify and intimate to her the details of accommodation available on rent. Subsequently, X informs Y that X no longer needs help from Y. Y shall cease to process the personal data of X;
6. Section 6(4) of the DPDP Act states that where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given.