Though 41% of the websites analysed by PwC India specified data principal rights—such as correction, access, and erasure—in their website privacy policies, only 9% sought consent that was free, specific, and informed.

The finding is based on a PwC India analysis of the websites of 100 Indian enterprises for compliance with the Digital Personal Data Protection Act 2023.

The report stated that 90% of organisations reviewed provided a privacy notice to data principals when collecting data through their websites. Since such a notice is the first step adopted by any organisation entering the digital world, the high level of compliance does not indicate the presence of a robust data privacy framework.

On the aspect of third-party transfers, 43% of organisations surveyed were found lacking in providing a well-defined purpose for which personal data was shared with third-party data processors.

Key Insights

Below are some key takeaways from the report:

Consent: Only 9% of organisations collected consent that can be considered free, specific, and informed. In such cases, mainly bundled consent—single consent for multiple purposes—was obtained. Of the websites surveyed, 48% provided the option to withdraw consent. However, the process of withdrawing consent was not as easy as providing it. Only 2% of organisations obtained consent in multiple regional languages.

Cookies: The report found that 16% of organisational websites displayed a cookie consent banner to users, highlighting that their personal data will be collected and processed by the organisation. Thirty-three percent of organisations displayed a cookie notice informing users that the website they are navigating (or any third-party service used by the website) uses cookies. The information technology, hospitality and aviation sectors were ahead in obtaining cookie consent and giving users control over their online experiences.

Privacy Notices: When collecting data through their websites, 90% of organisations provided a privacy notice to data principals, and 80% mentioned what personal data was collected by them in their privacy notice.

Data Principal Rights: The rights of data principals, such as erasure, access and correction, along with the mechanisms to exercise them, were displayed by 41% of organisations. While most organisations in the IT, hospitality, consumer and pharma sectors and super apps had processes to honour data subject rights, they did not provide dedicated email addresses or online forms for support.

Breach Notification: Only 4% of organisations proactively published a breach notification mechanism on their website. Organisations from the IT and fintech sectors were found to have breach notifications in place, as they have a presence in countries with stringent data privacy laws and are already compliant with them.

Data Protection Officer: Around 74% of organisations listed contact details of a person or a team for queries around data processing. Of these organisations, 54% proactively provided the contact details of their DPO. For queries with regard to data protection, 17% listed the email IDs of customer care or other functions.

Data Retention: Of the organisations analysed, 54% stated the data retention period on their websites. These were predominantly from industries such as fintech, e-commerce and IT, along with regulated sectors such as banking, insurance and aviation. Organisations from consumer, retail, realty and manufacturing need to define data retention periods and guidelines in line with the Act.

Children’s Personal Data: One out of 10 schools provided a privacy notice customised to children and performed age verification to check whether a user is a minor. Such schools stated that they process children’s data only after obtaining parental or guardian consent. Age, which is a qualifying criterion, was not captured when users availed of many digital services, indicating the absence of parental consent.

"For organisations in India, it is not only an opportunity to streamline their data collection and processing processes but to also build customer confidence and overall stakeholder trust, apart from enhancing their global competitiveness. Shifting the focus from 'privacy as an Act requirement' to 'privacy by design' can help India Inc. contribute significantly to the growing digital Bharat," said Sivarama Krishnan, partner and leader, risk consulting, PwC India.