Analyzing Behavioral Profiling And Cross-Platform Tracking From the Lens of the Digital Personal Data Protection Act 2023
- Stuti Jadaun, Garvit Garg
[Stuti and Garvit are students at Dharmashastra National Law University.]
Imagine you are searching for “gym wear” on Google. Within minutes, your Instagram and Facebook feeds begin showing ads for protein shakes and fitness tips. You never searched for anything like that on Instagram or Facebook. You never gave consent to this type of data link. Yet, it occurred. These phenomena relate to behavioral profiling and cross-platform tracking, where platforms like Meta and Google create personalized profiles of individuals. The personal data is shared across various platforms to provide targeted ads and recommendations. The article examines how the current framework of consent regarding behavioral profiling and cross-platform tracking may violate the provisions of the Digital Personal Data Protection Act 2023 (DPDP Act), when enforced. It explores how the collection of behavioral information comes within the ambit of personal data and delves deeper into the concept of free consent and purpose limitation. Furthermore, to maintain the sanctity of a person’s privacy, the authors argue for a model of video-based consent.
Technical Aspects of Cross-Platform Tracking and Behavioral Profiling
Behavioral profiling involves collecting and examining several events or data associated with a single originating entity in order to derive insights connected to that entity. Its primary aim is to monitor users on a long-term basis and construct profiles based on their interests, demographics, and shopping habits. Players utilize a variety of tools, such as cookies and pixels, to monitor a person online. These tools collect and process enormous volumes of personal data. This data is ultimately used for the profiling of the individual.
The Ambit of Personal Data
Behavioral profiling, which revolves around data collection, substantially involves the personal data of individuals. Section 2(t) of the DPDP Act defines personal data as “any data about an individual who is identifiable by or in relation to such data”. The phrase “in relation to” in the definition of personal data covers information through which a person can be directly or indirectly identified. Social media platforms such as Instagram and Facebook track users’ online activities such as the content they like and share, their connections, search history, scroll speed, etc., for the purpose of recommendations. Google collects location information with the objective of providing ads based on geographical data. These platforms collect behavioral information that links to a specific user’s identity. For instance, the extensive engagement of any user with health-related websites or pages may indicate the person’s physical state. The Justice BN Srikrishna Committee Report, which formed the foundation of the DPDP Act, stresses the flexible definition of personal data, where a person may be indirectly identified from data that contains indirect identifiers. Hence, the collection of information related to the behaviour and mental or physical state of an individual encompasses personal data where the information relates to a specific individual.
Erosion of Free Consent and Purpose Limitation
The requirement of consent while processing personal data forms the core of the DPDP Act. The Act mandates that, besides “legitimate uses,” consent of the data principals forms a crucial element for processing personal data. Section 6 of the DPDP Act stipulates that the consent must be free, specific, informed, unconditional, and unambiguous. This directive is rooted in the constitutional guarantee of informational privacy affirmed in KS Puttaswamy v. Union of India (2017) wherein Justice Nariman held, “Informational Privacy….allows an individual to control the dissemination of material that is personal to him. Unauthorized use of such information may, therefore, lead to infringement of this right.”
This reiterates the fact that consent is non-negotiable while dealing with personal data. The provisions of the DPDP Act require data fiduciaries to obtain consent, which is explicitly stated. However, the privacy policies of various platforms are onerous, which makes them difficult for users to comprehend.
According to a study by Carnegie Mellon, the average privacy policy is 2500 words long, which takes around 10 minutes to read. The study also revealed that these policies are read infrequently because they are hard to read.
Hence, cross-platform profiling and tracking occur without explicit consent and without users properly understanding how their data will be processed.
Furthermore, the consent is often conditional, which may render the data processing of platforms like Google and Meta invalid once the DPDP Act is enforced. For instance, Google’s privacy policies obtain consent to process users’ data for targeted advertising. However, when the user denies consent, Google charges a fee for accessing various services. This undermines the validity of consent.
Purpose limitation is another important aspect of data processing. Section 6(1) of the DPDP Act states that consent shall be obtained for the specified purpose and be limited to such personal data as is necessary for the specified purpose. However, this principle is often compromised in behavioral profiling and cross-platform tracking. Data collected for one purpose is frequently used for other purposes. According to Google's privacy policies, the location shared by users for navigation purposes is often shared across various platforms to personalize advertisements. Section 5(1)(b) of the General Data Protection Regulation (GDPR) also affirms purpose limitation where it states that data shall be collected for the specified purpose.
Hence, it can be inferred that after the enforcement of the DPDP Act, cross-platform tracking and behavioral profiling may become invalid because currently, the consent obtained by these data fiduciaries is often futile.
A Comparative Analysis of Foreign Regulations
To critically analyze the law on behavioral profiling in India, it becomes imperative to examine how similar challenges are addressed globally.
The GDPR is accepted as the world's most robust and comprehensive data protection regulation. Unlike the Indian framework, profiling is clearly defined under GDPR. GDPR restricts and deals directly with profiling by granting autonomy to the data subjects to object to the processing of their data for any other purpose beyond the consent provided. Article 22 of GDPR grants individuals the right to comprehend the reason behind an automated decision and to seek human intervention. The European Parliament and Council’s Directive 2002/58/EC on privacy and electronic communication limits the use of cookies and other tracking tools. It requires websites to obtain informed consent before storing cookies in a user’s browser or employing any other tracking technology.
Even though the United States does not have a single federal data protection law comparable to the GDPR, the California Consumer Privacy Act is a benchmark in privacy regulation, which was later expanded by the California Privacy Rights Act (CPRA). Profiling is clearly defined under CPRA. The legislation provides California residents more control over their personal data, including the right to opt out of the sale of their data, access their personal data, and have it deleted.
China's Personal Information Protection Law (PIPL) comprehensively regulates automated decision-making and behavioral profiling. Article 24 of PIPL requires personal information handlers conducting automated decisions to ensure that the process is transparent and the outcomes are fair and equitable. Apart from this, specific and informed consent is required for the collection, processing, and transfer of personal data.
The Way Forward
With the enforcement of the DPDP Act, it will become imperative to reimagine and redesign how users' consent is obtained on digital platforms. The current framework involves illusive consent for behavioral profiling and cross-platform tracking because the privacy policies are often verbose and difficult to interpret. In a nation where only 38% of the households are digitally literate, and where over 488 million internet users belong to rural areas, reliance on lengthy text-based privacy policies erodes the very concept of consent.
In order to ensure that the consent is free and informed, the Data Protection Board of India, when operational, must mandate video-based consent interfaces, especially for processing of personal data such as behavioral profiling and targeted advertising. The privacy policies in video-based consent shall be made available in English or any other language specified in the Eighth Schedule of the Constitution. This is also in accordance with section 5(3) of the DPDP Act. Privacy policies shall be explained through videos and must explicitly indicate what sort of data is collected (e.g., search history, locations, contacts) and for what purpose (e.g., targeted advertising). After every policy requiring extensive processing of data such as behavioral profiling, the user must be provided with two options (“I Agree”/“I Disagree”). This will ensure that after every explanation of the major privacy policy in a video, the user has the discretion to give or withhold consent.
The European Data Protection Board’s Guidelines 05/2020 also emphasize the same. The guidelines lay down that the consent must be obtained in a layered and granular form, where the information may be presented in various forms such as written or oral statements, or audio or video messages.
Additionally, consent should be specific. This means that users must be given the right to agree to or refuse each processing of their data individually. For instance, if a website utilizes 3 different web analytics tracking tools and obtains collective consent, it violates the essence of free consent under the DPDP regime.
The GDPR has also recognized this segregation, underlining granularity as key to maintaining user control and transparency. Moreover, the platform cannot obtain users’ consent to tracking cookies as a condition to access services, as this makes the platform’s services inaccessible to privacy-conscious individuals.
Conclusion
The DPDP Act marks a significant milestone toward protecting individual privacy. Still, the current practice of behavioral profiling and cross-platform tracking by digital powerhouses raises some important questions about compliance with the DPDP Act’s requirements of free consent and purpose limitation. Some strict regulations, such as granular consent, video-based consent interfaces, and user transparency, are required, as demonstrated by the global data protection framework. By enacting rigid purpose limitation compliance, specific opt-in/opt-out consent, and video-based consent interfaces, not only will current data practices be brought under legal regulation, but organizations will also be held accountable and will prioritize individual autonomy over personal data. The implementation of the DPDP Act presents an opportunity to reconsider digital consent, converting it from a formality to genuine privacy protection.