Overview
99acres, operated by Info Edge (India) Ltd., is a premier real estate portal. Its data ecosystem is complex, involving the collection of PII (names, phone numbers), financial intent (home loan queries), and location data from buyers, sellers, and brokers. Under the DPDP Act 2023, 99acres qualifies as a Data Fiduciary and likely a Significant Data Fiduciary (SDF) due to its vast user base and the sensitivity of property-linked financial data.
DPDP Readiness: Section-by-Section Analysis
Section 5 & 6 — Notice and Consent ⚠️
99acres follows a “Notice by Incorporation” model. The policy states: “By accessing or using 99acres, you agree to be bound by the terms… and privacy policy.”
DPDP Requirement: Consent must be a clear affirmative action that is free, specific, informed, and unconditional.
Gap: The current “take it or leave it” bundled consent (where using the site implies acceptance of all data sharing, including with third-party NBFCs) is likely non-compliant. Users should be able to opt out of marketing sharing while still accessing property listings. Furthermore, the notice is provided only in English, violating the Section 5 requirement for availability in 22 regional languages.
Section 8 — Obligations of Data Fiduciary ✅
The policy excels in describing its security posture. It mentions physical, electronic, and procedural safeguards that comply with Indian laws and industry standards to prevent unauthorized access.
Strength: Info Edge has historically maintained robust ISO-standard security controls, which aligns with Section 8’s mandate for “reasonable security safeguards.”
Section 9 — Processing Children’s Data 🔴
The policy has a dedicated “Children” section (Section 8 of their policy), stating the platform is not intended for users under 18. However, it lacks a mechanism to verify age or obtain verifiable parental consent.
DPDP Requirement: Fiduciaries must obtain verifiable parental consent before processing any child’s data and are prohibited from tracking or behavioral monitoring of children.
Gap: As a public-facing portal with no age-gate, 99acres is currently at risk of processing minors’ data without DPDP-compliant verification.
Section 11 — Rights of Data Principal ⚠️
The policy identifies the rights to access, update, and erase data via a request to feedback@99acres.com.
DPDP Requirement: Principals have the right to access, correction/erasure, grievance redressal, and nomination.
Gap: There is no mention of the Right to Nominate (Section 14), which allows a data principal to appoint a person to exercise their rights in case of death or incapacity.
Section 12 — Grievance Redressal 🔴
While a Grievance Officer is clearly listed with contact details, the escalation path is incomplete.
Gap: The DPDP Act requires fiduciaries to inform users that they can file a complaint with the Data Protection Board (DPB) if they are unsatisfied with the fiduciary’s response. This reference is entirely missing from the 99acres policy.
Section 13 & 14 — Data Retention ⚠️
Section 4 of the 99acres policy states data is kept “as long as it is necessary to provide you services.”
DPDP Requirement: Data must be erased once the purpose is fulfilled or consent is withdrawn.
Gap: The “as long as necessary” language is too broad under the new Act. There are no defined timelines for when a “lead” (property query) is considered expired and should be purged from databases or shared third-party partner lists.
Section 16 — Cross-Border Transfers ⚠️
The policy notes that data may be transferred to service providers in other parts of the world.
Gap: Under Section 16, transfers are restricted to countries not “blacklisted” by the Central Government. 99acres lacks specific language committing to these transfer restrictions or explaining the safeguards used for international data flows beyond a general “reasonable steps” clause.
Risk Assessment
| Category | Risk Level | DPDP Violation Probability |
|---|---|---|
| Consent Architecture | High | High (Bundled consent) |
| Notice Compliance | High | Critical (Missing 22 languages) |
| Data Retention | Medium | High (Vague timelines) |
| Principal Rights | Medium | Medium (Missing Nomination) |
| Security Controls | Low | Low (Robust existing framework) |
| Grievance Redressal | High | High (Missing DPB reference) |