In today’s hyper-connected world, every click, scroll, and swipe generates data — and for a growing network of data brokers, that data is gold.
Most internet users in India have no idea that their digital footprints — location data, shopping habits, app usage, even caste and religion — are quietly being harvested, analyzed, and sold. This quiet industry thrives in the shadows, operating with little oversight, and posing a serious threat to individual privacy and democratic values.
Who Are Data Brokers?
Data brokers are entities that collect and trade personal data, often without direct interaction with the individual. They don’t just gather information — they buy it from apps, scrape it from public sources, and stitch together detailed profiles of millions of people.
Globally, companies like Acxiom, Experian, and Oracle dominate this business. But in India, while the market is still maturing, several telecom firms, analytics platforms, and adtech companies already operate in a similar capacity — often without disclosing the full scope of their data practices.
No Consent, No Control- The Problem of Indians-
In India, the average smartphone user has over 40+ apps installed, many of which access contacts, camera, SMS, location, and more — often with blanket permissions. These apps frequently share user data with third parties.
What’s worse: India currently has no mechanism for people to know which entities hold their data, how it is being used, or how to stop it. There is no centralized registry of data brokers, no obligation to inform data principals about resale, and no clear opt-out system.
This creates a fertile ground for misuse — from personalized scam targeting to discriminatory profiling based on income, religion, or caste.
Legal Loophole-
India’s Digital Personal Data Protection (DPDP) Act, 2023 is a landmark step, but it still falls short when it comes to the secondary market of data trading.
While the Act emphasizes consent and purpose limitation, there is:
- No direct reference to data brokers,
- No audit or licensing requirement for entities reselling data,
- And no empowered Data Protection Board yet with real enforcement.
This is in sharp contrast to the U.S. Federal Trade Commission (FTC) or EU’s GDPR, which at least provide mechanisms to complain, opt out, or penalize violators.
RISKS-
Unchecked data brokerage can lead to:
- Political microtargeting and manipulation
- Scams tailored to an individual’s habits or weaknesses
- Credit profiling and insurance exclusion
- Location tracking for stalking or malicious targeting
- Disinformation spread based on interests and language preferences
In a country like India, where personal data often includes sensitive identifiers (religion, caste, health), this can have dangerous consequences — especially for vulnerable populations.
Needs of India-
To protect citizens in the digital economy, India needs:
- A public registry of licensed data brokers
- Mandatory disclosures when user data is bought or sold
- Strong opt-out rights with real-time controls
- Enforcement authority under the DPDP Board
- Awareness campaigns to help people understand and reclaim their digital privacy
We must treat data not just as a resource, but as an extension of a person’s autonomy and dignity.
India is building the world’s largest digital infrastructure — but are we also building the safeguards to protect its most valuable asset: the people’s data?
If your digital life can be bought and sold without your knowledge, are you truly free in the digital world?
By - Aakansha Tandekar
