Overview
Airtel (Bharti Airtel Limited) is one of India’s largest telecommunications companies, offering mobile, broadband, and digital services to millions. Given the vast amount of personal and sensitive data they handle — call records, location data, financial transactions, identity proofs — their privacy policy is crucial for DPDP compliance.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice ⚠️
Airtel’s policy states that “By using our services, you agree to the collection and use of your information in accordance with this policy.” This reads as implied consent, which isn’t always granular enough for DPDP. The policy does mention “secure methods like online prompts, OTPs, or click-through approvals when processing or sharing your data with trusted partners,” but this does not cover all data processing.
What the policy says: “By using our services, you agree to the collection and use of your information in accordance with this policy.” and “We may ask for your consent through secure methods like online prompts, OTPs, or click-through approvals when processing or sharing your data with trusted partners.”
DPDP requirement: Consent must be free, specific, informed, unconditional, and for a lawful purpose. It should be easily withdrawn.
Gap: For many core services, consent appears to be “take it or leave it,” which doesn’t meet the “freely given” standard for all processing purposes. There’s no clear mechanism for granular, separate consent for different data uses (e.g., core service vs. marketing).
Section 7 — Certain Legitimate Uses ⚠️
Airtel lists several reasons for using data, including “Enhancing Your Experience,” “Offering Custom Services & Offers,” and “Research and create new products or services.” Under DPDP, “Legitimate Uses” (Section 7) are narrowly defined, typically for state functions, medical emergencies, or voluntary provision by the individual, not broad commercial purposes without explicit, granular consent.
Gap: Airtel’s broad claims for “enhancing experience” or “custom offers” would likely require explicit, specific consent under DPDP, not a general claim of legitimate use.
Section 8 — Obligations of Data Fiduciary ✅
The policy mentions a commitment to “securely collect and share some of your data,” and that “trusted partners… follow strict security protocols.” It also states they “maintain a spam-free and scam-free network by blocking suspicious activities and taking proactive steps to detect and prevent unauthorised access.”
Strength: Airtel generally commits to security measures, and its overall security approach implies encryption and access controls, which aligns with Section 8’s call for “reasonable security safeguards.” The policy also explicitly mentions PCI-DSS for financial data where applicable.
Section 9 — Data Retention 🔴
Major gap. The policy is vague about how long data is kept.
What the policy says: In the FAQ, “What happens to my information if I delete my account? Your information is no longer used for any processing activities. But we are required to hold it in a secured database by law. You can check out our retention policies section for more information.” and “Can I delete my data? Some data may be deleted upon request, while other data is retained for legal compliance.”
DPDP requirement (Section 9): Data Fiduciaries must erase data once the purpose is fulfilled or consent is withdrawn, within a reasonable period. Retention periods should be clear.
Gap: No specific retention periods are defined anywhere in the policy, nor is there a link to a separate “retention policies section.” This lack of clarity is a significant non-compliance risk.
Section 11 — Rights of Data Principal ⚠️
Airtel acknowledges some key rights for the Data Principal (the individual whose data is collected).
What the policy says: “You can access, update, or delete your data anytime via the Airtel app or website, subject to applicable laws, and we may request information to verify your identity.”
Partial compliance. While access, correction, and deletion are mentioned, the policy does not mention the Data Principal’s right to nominate another person to exercise these rights on their behalf (Section 14 of the DPDP Act). The mechanisms for exercising these rights could also be more clearly defined.
Section 12 — Right of Grievance Redressal ⚠️
Airtel provides contact details for customer support and a specific Data Protection Officer (DPO) / Nodal Grievance Redressal Officer.
What the policy says: “If you’re not satisfied with our response, share your concern with our Data Protection Officer (DPO): Mr. Nitin Grover Designation: Nodal Grievance Redressal Officer Email: Content.Grievance@airtel.com”
Gap: While a DPO is listed, there’s no mention of the Data Protection Board as an escalation authority, which is a key part of DPDP’s grievance framework. There’s also no explicit commitment to a 30-day response timeline.
Section 16 — Cross-Border Data Transfer 🔴
The policy discusses “Internal Sharing” with Airtel group companies and “Third Parties” but does not explicitly mention or detail any cross-border transfer of user data.
DPDP requirement (Section 16): Data transfer outside India is permitted only to countries notified by the Central Government, and with specific safeguards.
Gap: This omission is critical. Given Airtel’s global affiliations and digital services, it’s highly likely data is processed or stored internationally. The lack of transparency on which countries, what data, and under what safeguards is a significant compliance failure.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | High | Up to ₹250 Cr per instance for non-compliance |
| Data retention | Critical | Undefined retention period exposes vast datasets |
| Consent compliance | High | Broad/implied consent may be invalid under DPDP |
| Cross-border transfer | Critical | Lack of disclosure and specific safeguards |
| Data principal rights | Medium | Incomplete rights framework, missing nomination |
| Grievance redressal | Medium | No DPB escalation, potential for unresolved issues |
Recommendations
- Define clear data retention periods — Specify how long each category of data is kept, linking to specific legal or business purposes, and implement automated deletion.
- Implement granular consent mechanisms — Provide clear options for users to consent (or decline) specific data uses beyond what’s strictly necessary for service provision.
- Explicitly address cross-border transfers — Disclose if data is transferred abroad, to which countries, and what legal safeguards (e.g., standard contractual clauses) are in place.
- Reference the DPDP Act 2023 — Clearly state alignment with the Act and map policy sections to relevant DPDP provisions.
- Include Data Protection Board escalation — Clearly state that if internal grievance redressal is unsatisfactory, users can escalate their complaint to the Data Protection Board.
- Add nomination rights (Section 14) — Inform users of their right to nominate another person to exercise their rights in case of death or incapacity.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative.