A portion of the childhood memories of a substantial number of people of India is filled with beguiling jingles, which used to run on televisions, during the advertisement breaks between shows and cricket matches. In some cases, these tiny songs or parodies, being the primary method to promote goods and services at the time, became the identity of many brands, and became so closely associated with such brands so as to be continually used alongside their names.
As time progressed, advancements in technology took place and the means to promote goods and services changed drastically. With the general population adopting social media as its primary source of entertainment, more and more businesses started relying on this medium to advertise, thereby, giving rise to a phenomenon which is popularly known as a targeted advertisement. Through these methods, a number of leading companies started sending text and web-chat messages to users with the objective of increasing their brand outreach. While initially, these messages seemed harmless, a term known as a 'personalized experience' was born, allowing companies, including the social media giants to track the limited activities of users and allowing third parties to access these activities, in order to provide the users with 'relevant' advertisements. These personalized advertisements, while portrayed as a method to streamline the social media experience of people, gave rise to various privacy concerns which continue to be a topic of heated debate at a global level.
While different countries and international organizations strive in their objective of dealing with the reach of social media, for India, which recently underwent changes to the digital data protection laws, and has been facing a number of significant issues pertaining to cybercrimes, the need to swiftly address the privacy concerns has grown stronger, especially in view of the objective of the government to transform India into a technologically advanced nation.
The Rudiments of Targeted Advertisements
In recent time, it has become a common occurrence for individuals to come across advertisements on their social media feed which relate to their activities or interactions on different e-commerce websites or with the various posts made on social media. Eerie as it may seem, these advertisements are 'targeted' and tailor-made on the basis of the 'behavior' of each user, which is collected by various third-party applications, as individuals browse social media.
While it may seem illegal, the authorization for the collection of this data is given by the user at the time of 'signing up' for taking benefit of the services, where many privacy policies made public by these companies specify that 'by signing up', the user 'permits' the use, collection and possession of limited data and information which may be shared by the companies, with 'third-party vendors' for 'various purposes', wherein, in many instances, the latter term remains un-defined, thus, opening the floodgates to the manner in which the use, collection, or possession of the data may be made.
Surprisingly, many companies collect data from users who are not even registered. Simply interacting with their services can trigger this. They often gather browser and app logs, along with basic device information, whereafter, the data may be used for advertising1.
Taking One Step Ahead – Reading of Privacy Policies
The usual method of targeted advertisements, wherein the user comes across various advertisements on the feed with which they interact, may not be as concerning at the first instance. The real issue, however, which has come to fore only during the recent past, pertains to how different businesses have initiated the practice of using personal web-chat services, for sending personalized advertisements to users on the basis of their interaction with different e-commerce or social media websites.
The authority of the business to send such personal messages lies within the policies and the trade practices adopted between the companies and the basic exchange of information of the user. Simply stated, whereas the web-chat services may claim to uphold the privacy of the users, as soon as the user clicks on any external link within these services, or shares the information pertaining to these services with another party, the web-chat servicing agency subjects the protection of the information to the policies adopted by such third-parties, thus, rendering the entire process, inherently dubious.
In the case of a globally prominent and well-reputed web-chat service, the privacy policy prima facie goes to void the company of any liability in such sharing of data by specifying that "WhatsApp considers chats with businesses that use the WhatsApp Business app or manage and store customer messages themselves to be end-to-end encrypted by default. Once the message is received, it will be subject to the business's own privacy practices. The business may designate employees or other vendors to process and respond to messages, and it may also use the chats it receives for its own marketing purposes, including advertising on Meta.2"
The policy further specifies that "to reduce spam, help businesses send you relevant messages and improve Meta ads, WhatsApp's parent company, Meta, may receive limited info when you interact with offers and announcements in business chats marked with this icon (>>). Note: Businesses may choose to share your activity information with Meta to send you relevant messages and improve Meta ads."3
A perusal of the aforementioned clauses may give a reasonable glimpse on the varied ways in which the user's information, while seemingly safe, may have the potential of being shared with third-parties, thus, being used for the purposes of targeted advertisements. Needless to mention, that in the case of WhatsApp, its recent acquisition by Meta Inc., means that the social media giant using third-party advertisement techniques and the web-chat service providing a streamlined method for people to interact, are both owned by the same giant, thus, creating, a sort of monopoly. In such a case, any sharing of data, though not directly by WhatsApp, may have the possibility of being shared through an inadvertent cross-interaction of the user with its group companies. In the alternative, these group companies may even be on the receiving end of the information form a business, or organization, the links sent by which have been subject to an interaction by the end-user.
Another issue, which arises at this juncture, pertains to a phenomenon, which may be referred to as reverse sharing of data. This reverse sharing occurs, when a user interacts with a business or link on either of the other applications on Meta, and receives a message on WhatsApp, without having shared their details with such business. While this phenomenon seems dubious, it is needful to mention that the application provides the users with an option to 'stop' or 'report' these messages, thereby, continuing with its policy to uphold privacy.
The Line of Law
The year 2023 marked a milestone for the people of the European Union (EU) countries when the Court of Justice of EU, in the case of Meta Platforms Inc and Others v Bundeskartellamt4 dealt with the issue of targeted advertisements and held a preliminary ruling that,
"....where the user of an online social network visits websites or apps to which one or more of the categories referred to in that provision relate and, as the case may be, enters information into them when registering or when placing online orders, the processing of personal data by the operator of that online social network, which entails the collection........of data from visits to those sites and apps and of the information entered by the user, the linking of all those data with the user's social network account and the use of those data by that operator, must be regarded as 'processing of special categories of personal data' within the meaning of that provision, which is in principle prohibited......"
This ruling marked a significant achievement for the right to privacy of individuals by attributing responsibility to large companies and conglomerates in the cases where the user interactions were being collected without explicit consent. It also formed the foundation of separate privacy policies, which were established by companies to protect the rights of the EU users, in compliance with the ruling.
However, while the aforementioned decision was a positive development for the people residing within the EU countries, the practices which were expressly held to be 'prohibited' by the Court of Justice of the EU, lingered in other regions of the world, where such policies or rulings are yet to be brought into effect.
For India, this need was partly achieved through the enactment of the Digital Personal Data Protection Act, 2023 (hereinafter referred to as the 'DPDP Act'), which sought to 'provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto'5. By classifying the companies processing voluminous data as 'data fiduciaries' or 'significant data fiduciaries' and requiring them to seek consent from the data principals (users), the DPDP Act sought to efficiently protect a substantial currency held by any individual, viz., their personal data.
In 2025, the Government of India also published the Draft Digital Personal Data Protection Rules, 2025 (hereinafter referred to as the 'DPDP Rules'), which, while yet to be tabled, proposed additional obligations of the significant data fiduciaries, including their responsibility to undertake an annual 'data protection impact assessment' as well as an audit 'to ensure effective observance of the provisions' of the DPDP Act and the rules made thereunder. 6
Even though the DPDP Act, sans the DPDP Rules, is an undeniable milestone in the efforts made by the Indian Government towards the protection of the digital personal data of individuals, there remain certain shortcomings, which require to be addressed to attribute an unavoidable responsibility on part of the significant data fiduciaries.
One such loophole may be considered to lie within the provision pertaining to consent, wherein while directing the data fiduciaries to take informed consent from the data principals, the provision fails to account for the fact that consent was already taken by companies like Meta Inc., by way of their privacy policies, wherein, a clickwrap agreement was accepted by the users, without any further ado. Thus, giving rise to the need for provisions directing the seeking of consent for specific purposes, as highlighted within the primary ruling of the EU.
Needless to mention that India also houses a significant proportion of the population, which while informed, remains in dire need of knowledge about their rights and duties, thus, making the actual objective of the DPDP Act, difficult to realize.
That said, the DPDP Act, in itself, is a step in the right direction.
Finding a Balance
With time, social media has become an intrinsic aspect of the lives of a majority of the global population, with many individuals relying on such websites for their daily earnings. In such a situation, an expectation of complete avoidance of these websites, may be considered as entirely far-fetched. Thus, there arises a need for innovative solutions, which may limit the manner in which the data fiduciaries process the user data, while simultaneously upholding user privacy.
In its remarkable judgment dealing with the personal digital data protection, the Court of Justice of EU held that only in such cases where the users consent, with full knowledge, to make their data publicly accessible to an unlimited number of persons, should their likes or shares, or even their interaction with the websites, be considered for targeted advertisements. This particular aspect of the judgment inferred that the Court sought to strike a balance between user interactions and advertisements without completely negating the possibility of website usage.
However, it is essential to reiterate that while the judgment promises a refreshed protection to the data of users, its limitation to the region means that the privilege of such protection may only be available to a limited amount of people, while other regions may still await such landmark rulings or legislations, which work to the similar effect.
Till such a wider acceptance of the principles behind the ruling is achieved however, the buck remains in the hands of the very few.
Footnotes
1 Meta Privacy Policy, Information that we collect and receive if you use or interact with our Products but don't have an account, available at: https://www.facebook.com/privacy/policy/?annotations[0]=1.ex.41-InformationWeCollectIf.
2 WhatsApp Privacy Policy, Privacy and security for business messages, available at: https://faq.whatsapp.com/1148840052398648/?helpref=uf_share.
3 WhatsApp Privacy Policy, About interactions with business chats that include offers and announcements, available at: https://faq.whatsapp.com/263784176043634/?helpref=faq_content.
4 Meta Platforms Inc and Others v Bundeskartellamt, ECLI:EU:C:2023:537.
5 Preamble, The Digital Personal Data Protection Act, 2023.
6 Rule 12 of the Draft Digital Personal Data Protection Rules, 2025.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
