India’s new privacy law gives meaning to the small boxes and consent buttons we’ve taken for granted for so long
Rakesh Raghuvanshi
Every time you download an app, visit a website, or even connect to a public Wi-Fi system, you see a “Privacy Notice” flash on your screen. Most people scroll to the bottom and tap “Accept.” This may be because the notice is too long to read, or too complex or because “Such a big company can surely be trusted.”
But that small reflex is one of the few moments when you still have control over your personal data. And when we say personal, we mean very personal: data that can be used to identify you, but also to target you and even impersonate you.
Every online action leaves a mark. Those marks combine to form what is known as your “digital footprint.” This may be a term you have heard or read countless number of times till date, but this is when it is important to understand it fully. You digital footprint includes everything you do online. This includes your searches, downloads, messages, purchases, and even how long you pause on a video or link.
When you book a ride, for instance, the app records your location and route. When you shop online, it tracks your spending, brand preferences, and browsing time. Over months, these details build a highly accurate picture of who you are, what you like, and how you live.
This footprint is valuable to advertisers, data brokers, and sometimes even criminals. When used responsibly, it makes life convenient through personalisation and faster service, like your shopping app showing you clothes similar to those you usually buy. When used unethically, it lets telemarketers calls you with offers you couldn’t care less about. And when used by criminals, these details can be used to impersonate you, or to target you for online scams.
India’s new Digital Personal Data Protection Act (DPDPA) turns your casual click on the “I Accept” button into something meaningful.
For years, privacy notices were unreadable on purpose. They ran for pages, filled with vague phrases such as “may collect” or “might share”, leaving users none the wiser. The DPDPA changes that. It requires every organisation to write privacy notices in clear, simple language. Each notice must explain what data is being collected, for what purpose, how long it will be stored, and with whom it will be shared.
While talking about data privacy and the consent of the user, it is also important to talk about how this consent is manipulated, sometimes subtly, other times not so much.
Some companies subtly imply that you cannot use their service unless you share certain personal data, even when that information is not essential to the service. For example, you might not be allowed to move to the next page, complete a purchase, or create an account unless you check a consent box. The service is made conditional on consent, turning what should be a choice into a requirement.
The other, and more dangerous form of coercion, are psychological design tricks known as dark patterns. The most common dark pattern is that the “Accept All” button is often bright and large, while the “Manage Settings” link is small and dull. Other times, subscribing to updates about future offers from a company takes one click. When you try unsubscribing, however, it takes several clicks and three to four web pages. Sometimes, wording itself is deceptive; it’s almost never ‘No, I don’t want to share my data.” Instead, the option says, “Yes, I will miss out”, leaving you feeling left out and unsure of your decision.
These practices exploit fatigue and habit. They are designed to secure your consent without your full understanding. The DPDPA seeks to stop this by requiring that consent be free, specific, and informed. In other words, a company can no longer claim your confusion as permission.
The first change that the DPDPA brings in is to ensure that the privacy notices are no longer too long to read, complicated in their language and confusing to understand. A good notice answers basic questions directly. What data are you collecting? Why do you need it? Who else will see it? How long will you keep it? How can I withdraw consent?
If any of these answers are missing or vague, the notice is unreliable. Phrases like “to improve services” or “for marketing purposes” are warning signs. A transparent company will spell out specifics such as “to personalise search results” or “to recommend products based on past purchases.”
Honest notices are usually short, clear, and specific about what happens next. They read like conversations, not contracts.
It is also important to remember that the DPDPA is India’s first comprehensive privacy law. It introduces penalties of up to Rs 250 crore for serious violations and applies to anyone handling digital personal data, including private companies, startups, government departments, even small businesses.
Its most important feature is accessibility. Unlike earlier data protection drafts filled with legal jargon, the final draft of this law uses plain language. It expects the same from companies. The logic is simple: people cannot consent to what they do not understand.
The Act rewards clarity. If an organisation obtains clear consent, explains its purpose properly, and gives users a simple way to withdraw it, it can avoid several penalties in the event of accidental lapses. Transparency is not only good ethics; it is good compliance.
This is not a technical reform. The DPDPA is written for the public. It gives citizens the right to understand what happens to their information. The law shifts the burden of clarity from the user to the organisation. But it also expects individuals to read and make informed choices. Privacy now depends on participation from both sides. It is a shared responsibility between those who handle data and those who give it. Every user has a part to play by reading and making conscious choices. The law gives us the language; we must use it.
Ignoring privacy notices allows vague practices to continue. Each blind acceptance adds to a culture where users are expected not to care. That culture is what the DPDP aims to change.
At the same time, it helps if we remember that data privacy applies to more than retailers or large companies. Every school, hospital, retailer, or transport operator that collects names, phone numbers, or addresses is now part of the digital data ecosystem. A clinic that stores your test results or a small shop that uses an online payment app must handle that information responsibly and explain how it will be used.
This shift is likely to lead to new ideas around consent, such as privacy dashboards in local languages and simpler withdrawal mechanisms for non-English users. The more transparent the ecosystem becomes, the easier it will be for citizens to trust it.
Ignoring privacy notices might seem harmless, but it quietly shapes how data about you circulates. Your name, contact details, shopping patterns, and location data can be combined to predict your habits and preferences. Over time, these predictions influence what ads you see, what credit offers you receive, even the prices shown to you online.
Once your data is shared across multiple databases, reclaiming it becomes almost impossible. Reading those few lines before clicking “Accept” is a small but significant act of control.
Hence, the next time a privacy pop-up appears, take a moment to see if it explains what it collects and why. Check whether there is an option to opt out or delete your data. If the notice feels vague, reconsider. If it feels clear and respectful, that is a sign of a company that values your trust. And more importantly, it implies that the company is following the law.
The DPDP Act has given India a chance to rebuild digital trust from the ground up. It can do this by demanding honesty from companies and awareness from individuals. So, the next time you see that privacy notice, pause before you click. The few seconds you spend reading it are not wasted. They are an actually act of ownership over your own life.
