Raghav Tankha 
Smartphones and tablets were once limited in reach due to being prohibitively expensive. Gradually, over the last decade they have become affordable and as a result, have found themselves in the hands of both urban and rural Indians as well as deeply penetrated in the global market. This proliferation of smartphone and tablet devices which generate a large amount of sensitive personal data which include information about mental health, sexual preference, photos and bank accounts has prompted various jurisdictions to enact data protection legislation.
In recent times, we find a continuous assault on the data security systems of major companies, with multiple data breaches being reported and widespread compromising of user data. This is why it is important for stakeholders to understand various aspects of the issue and mechanisms are put in place to ensure users’ protection from bad actors.
One crucial subset of data privacy and protection concerns is targeted/behavioural/contextual advertising. The nomenclature here is not important. Simply put, it means that a user’s interest in a topic is used to tailor advertisements to their interests. There are also advertisements or targeted news which are location based and display content based on a user’s location. Critics of these types of advertisements argue that this constitutes an invasion of privacy and places too much information in the hands of companies. Further, they argue that if this sensitive data is compromised, it will have serious implications for the user.
The arguments criticising targeted advertisements on the basis of the possibility of the compromising of user data can be countered by pointing out that there is no digital system under the sun which can claim to be completely safeguarded against a possible data breach.
Simply because data may be compromised is no grounds to argue in favour of bringing legislation outlawing targeted or behavioural advertising. In fact, it can be argued that this form of advertising is mutually beneficial to both the users who desire products and the companies who produce them as it helps the latter generate revenue and consequently makes services more affordable provided that certain safeguards are in place.
What is the statutory framework in India on targeted advertising?
The data protection regime in India has been in a limbo since 2017 when the Union government indicated to the Supreme Court that a data protection legislation was in the works. The current framework in India is the Information Technology Act of 2000 and, in particular, the Information Technology Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011.
Once the Digital Personal Data Protection Act is brought into force, these Rules will be repealed.
According to the 2011 Rules, what constitutes ‘sensitive data or information’ is found in Rule 3. These include passwords, financial information, information about physical, psychological and mental health condition and sexual orientation etc.
For these categories of information, under the current framework, obtaining consent is mandatory by virtue of Rule 5, which pertains to the collection of information and obligates entities collecting sensitive personal data to refrain from collecting it. This is unless the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf, and the collection of the sensitive personal data or information is considered necessary for that purpose.
Further, Rule 5 (7) makes it mandatory to provide an opt out option to the user prior to the collection of information including sensitive personal data or information, as well as an option to withdraw the consent once provided. Thus, these Rules do not expressly address the issue of targeted advertisements, even though they do so indirectly.
The Digital Personal Data Protection bill, 2023, has recently been enacted, although it has not yet come into force. Section 9 (3) of the bill prohibits tracking or behavioural monitoring of children or targeted advertisements directed at them. The question of targeted advertisements directed towards adults being legalised was put across to the Minister of Electronics and Technology, Ashwini Vaishnaw, in August 2023.
He reportedly said that the principles around transfer of data are clear, i.e. what data can be collected, the purposes for which it can be used and for what duration it can be used. According to the minister, if some ‘behaviour tracking data’ is being utilised and is not required to fulfil the purpose for which data is being collected, then that will become illegal. The minister had also stated that there would be accountability for social media companies and big tech, especially if the consent framework was violated.
This indicates that the government’s view is that companies cannot force individuals into providing consent which is unnecessary for providing the service.
This is crystalised in Section 6 of the Digital Personal Data Protection Act which makes it mandatory for data to be used for the specified purpose provided after the consent of the user is sought. Section 6 (1) specifies that the consent must be specific, informed, unconditional and unambiguous. This principle will apply across the board, including to targeted advertisements.
Section 6 (1) provides an example of a telemedicine app and explains that if the app asks for the consent for providing telemedicine services and also asks for access to a mobile contact list, even if the user consents to both, the consent provided for the contact list will be invalid because it was not necessary for the service being provided.
It may therefore be argued that if targeted advertising is not necessary for a company to provide its services but the consent is clubbed and obtained, such consent will be invalid. Therefore, it is better to not club consent for targeted advertising and instead have an explicit opt-in or opt-out which will mitigate this problem.
However, Section 6(5) of the Act places the consequences of withdrawing consent on the user of a service indicating that if consent is withdrawn, the company can refuse to provide a service. This means companies have the liberty to deny a service once an individual withdraws consent.
Therefore, while on the one hand companies have been allowed to deny services for withdrawal of consent, the consent sought must not be a blanket one and must be tailored to the specified purpose. There appears to be a contradiction in the intent of Section 6 as far as targeting advertising is concerned as compelling a company to provide a service despite the refusal to provide consent to the terms and conditions and privacy policies of a company does not appear to be borne out from section 6(5) of the Digital Personal Data Protection Act.
What does this signify?
The Indian law as it stands today does not deal with targeted advertisements for adults explicitly but it does so implicitly. Such advertisements will be governed by the 2011 Rules till the Digital Personal Data Protection Act, 2023 is brought into force. If a company is using sensitive personal data or information such as on mental and physical health and sexual orientation to provide you advertisements, they will necessarily have to seek your consent and give you an option to withdraw it.
There is clear utility and arguably mutual benefit to both the user and provider of targeted advertisements and information. There are transparency measures and controls which exist, giving users information about targeted ads. For instance, if you have an Android smartphone and use the Google News Feed App, depending on what kind of experience you wish to have, either you can enable a setting which allows Google to provide news or ads relevant to your interests or not. Companies such as Google are providing more controls to users for their advertising experiences, but accessing them requires a conscious effort on the part of the individual.
It is important to note that the storage of such sensitive personal information in the database of a company can inhibit how individuals use and interact with their devices because of the feeling of being continuously tracked or monitored. There have been allegations that data is being sold for financial gain by data brokers. There are also allegations that phones are listening in on conversations and providing advertisements. There is a greater need for transparency and mandatory requirement of seeking consent if there is substance to these allegations. Listening into conversations to provide advertisements without consent poses serious ethical problems.
As with all smartphone permissions, discretion is given to the user to manage permissions based on what is necessary and what they are comfortable with. For instance, if you want to talk to someone over a messaging app, it would be unreasonable for you to deny the permission for the microphone. To upload or share photographs, the permission for the gallery or camera must be provided. The same is true for those who may want to be served targeted ads.
A balanced approach towards targeting advertisements to mitigate concerns of individuals is to disable targeted advertisements by default and require an explicit choice to opt-in for them. If a company is implementing the required technical and security safeguards, then there is no reason to do away with targeted advertisements for adults.
Similarly, if the approach is that an app which does not necessarily require permission for targeted advertisements for it to function makes targeted advertisements illegal, then it will deprive those users who want to opt for targeted advertisements.
Therefore, it would be advisable for all apps to ask for prior permission. Individuals should be easily able to access and control their advertisement experience.
To conclude, while it may seem attractive to criticise companies for providing targeted advertisements and demand its prohibition, there is a fundamental flaw in this approach. The flaw is that every individual is different, and while one individual may not want targeted advertisements, another might. What is crucial is for there to be increased transparency around the data collection and processing practices for the purpose of advertising.
Explicit consent must be required for targeted advertising. Targeted advertising should be disabled by default and should require individuals to explicitly opt in for them, which will mitigate the concerns of those who do not wish to see targeted advertisements and are content with seeing random advertisements.
The best practice would be to make the consent for targeted advertising optional instead of adopting a take it or leave it approach in providing services to individuals. This is despite the fact that the Digital Personal Data Protection Act places the consequences for refusing consent on the individual and lays down that a company can refuse to provide the service but without affecting the use of the service prior to the withdrawal of consent.
To conclude, given the contradiction in Section 6 of the Digital Personal Data Protection Act, the key will be to examine the nature of the service being provided on a case-to-case basis and to see whether targeted advertisements are necessary for providing the service.
Raghav Tankha is a lawyer practising in Delhi. Views are personal.