Archived analysis

This page is old. BookMyShow was reviewed on 2026-03-10.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

Entertainment

BookMyShow

Readiness Score: 48/100
Sushant Pasumarty
Analysis supervised by Sushant Pasumarty
10 Mar 2026

BookMyShow's privacy policy is extensive and well-structured for pre-DPDP regulations, last updated in 2020. However, it falls short of DPDP Act 2023 requirements, particularly concerning valid consent, clear data retention periods, and specific cross-border transfer rules, creating significant compliance challenges for the large entertainment platform.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-03-10
  • Company: BookMyShow
  • Readiness score: 48/100
  • Policies and product behavior may have changed since review
  • Not verified: whether the current source policy still matches this archived policy-only review
  • Not verified: whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

⚠️ Compliance Gaps

  • Outdated policy (Oct 2020), no DPDP Act 2023 alignment
  • Consent bundled with T&C, not 'freely given' per Section 6
  • Data retention periods are vague, 'as long as necessary' language
  • Cross-border data transfer lacks specific safeguards or approved countries
  • No explicit mention of Data Protection Board as grievance escalation
  • Nomination rights under Section 14 not addressed
  • Right to erasure/deletion not explicitly unconditional

✅ Strengths

  • Detailed disclosure of data collected & processing purposes
  • Clear, multi-level internal grievance redressal process with timelines
  • References robust security safeguards like PCI DSS certification
  • Cookie management options with user notification

Overview

BookMyShow (Bigtree Entertainment Pvt. Ltd.) is India’s leading online ticketing platform for movies, events, plays, and sports. Handling millions of transactions and user profiles, it collects a wide array of personal data—from names and payment details to viewing habits and location. Given its scale and the sensitive nature of user preferences and financial data, its privacy policy’s alignment with the new DPDP Act is critical.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent

BookMyShow’s policy, updated in 2020, relies on bundled consent, where agreeing to the Terms & Conditions implies accepting the privacy policy. This approach does not meet the DPDP Act’s Section 6 standard for “freely given, specific, informed, and unconditional” consent.

What the policy says: “Please note that our Privacy Policy forms part of our Terms and conditions… By using our services, you agree to the collection and use of your information in accordance with this policy.”

DPDP requirement: Consent must be a clear, affirmative action for specific purposes, not hidden in general terms, and easily withdrawable.

Gap: Users don’t get granular choices. For example, a user can’t agree to ticket booking while opting out of their data being used for personalized advertising or shared broadly with third parties.

Section 7 — Certain Legitimate Uses ⚠️

The policy lists various uses, some of which BookMyShow might try to justify under “legitimate interests,” such as “carrying out research and analytics on our users’ demographics and behaviour” or “to personalise and enhance user experience.”

DPDP requirement (Section 7): Legitimate uses for processing data without consent are narrowly defined (e.g., voluntary provision, state functions, medical emergencies, employment). General business interests like marketing or personalization typically require explicit consent.

Gap: Many of BookMyShow’s broad purposes for data processing would likely require specific consent under DPDP, rather than falling under the “certain legitimate uses” umbrella.

Section 8 — Obligations of Data Fiduciary ✅

BookMyShow articulates reasonable security measures for protecting user data. It mentions physical, administrative, technical, and electronic safeguards and also highlights PCI DSS certification for payment data.

What the policy says: “We have implemented reasonable security arrangements including physical, administrative, technical, and electronic security measures to protect against the loss, misuse, and alteration of your personal data. We are PCI DSS certified…”

Strength: This commitment to security, including external certifications, aligns well with Section 8’s requirement for a Data Fiduciary (the company collecting and processing data) to implement reasonable security safeguards.

Section 9 — Data Retention 🔴

The policy uses vague language regarding data retention, making it difficult for users to understand how long their data is kept.

What the policy says: “We retain personal data only for as long as necessary to provide the services you have requested and thereafter for a variety of legitimate legal or business purposes.”

DPDP requirement (Section 9): Data Fiduciaries must erase personal data as soon as the purpose for which it was collected is fulfilled, or if the Data Principal (the individual whose data is being collected) withdraws consent, within a reasonable period. Specific timelines are expected.

Gap: “As long as necessary” and “variety of legitimate legal or business purposes” are too broad. There are no clear, specific timelines for different categories of data (e.g., booking history vs. marketing preferences).

Section 11 — Rights of Data Principal ⚠️

BookMyShow acknowledges some basic rights, such as updating personal data and objecting to continued use of data, implying a right to withdraw consent or request deletion.

What the policy says: “You may update any of your personal data we possess by contacting us… You may communicate your objection to our continual use and/or disclosure of your personal data… you may opt out of providing the same…”

DPDP requirement (Section 11): Data Principals have rights including access, correction, erasure (deletion), and nomination (Section 14) to designate someone to exercise these rights posthumously.

Gap: While it mentions updating and opting out, the policy doesn’t explicitly guarantee the right to erasure (right to be forgotten) unconditionally or outline the right to nomination (Section 14), which are key DPDP rights.

Section 12 — Right of Grievance Redressal ✅

BookMyShow provides a detailed, multi-level grievance redressal mechanism with clear contact points and internal response timelines.

What the policy says: “If you are yet to receive an answer you can contact our Grievance Officer - Nivedita Poonekar… In the unlikely event that your concern remains unresolved, you can take it up with our Nodal Officer - Kapil Kirti…”

Strength: The presence of a dedicated Grievance Officer and a multi-level internal escalation path (Live Chat, Level 2, Level 3 Grievance Officer, Level 4 Nodal Officer) with specified response times (e.g., 3 days, 2 days, 1 day) is a strong point for internal resolution.

Gap: Crucially, for Indian users, there is no mention of the Data Protection Board as the final escalation authority, as mandated by the DPDP Act.

Section 16 — Cross-Border Data Transfer ⚠️

The policy states that data might be transferred out of India but lacks the specificity required by the DPDP Act.

What the policy says: “If any disclosure of your personal data involves the transfer of your personal data by Bookmyshow out of India, we will take steps to reasonably ensure that the receiving jurisdiction has in place a standard of protection accorded to personal data that is comparable to the protection under India’s data protection laws.”

DPDP requirement (Section 16): Cross-border transfer of personal data is only permitted to such countries or territories as may be notified by the Central Government.

Gap: The policy’s general assurance of “comparable protection” is insufficient. It needs to explicitly state if data is transferred, to which countries, and confirm those are on the Central Government’s permitted list (once notified).

Risk Assessment

Category                 Risk Level   Potential Impact
Regulatory fine          High         Up to ₹250 Cr per instance under DPDP Act
Consent compliance       High         Bundled consent invalidation for millions of users
Data retention           Critical     Lack of clear deletion timelines leads to ongoing liability
Cross-border transfer    Medium       Violations if transfers are to non-permitted jurisdictions
Data principal rights    Medium       Incomplete rights framework, potential for user complaints

Recommendations

  1. Update Policy & Reference the DPDP Act: Explicitly revise the policy to reference and comply with the DPDP Act 2023, including the effective date.
  2. Implement Layered Consent: Introduce granular consent mechanisms, allowing users to choose how their data is used beyond core service provision (e.g., separate opt-ins for marketing, analytics, third-party sharing).
  3. Define Retention Periods: Provide specific, clear timelines for how long different categories of personal data will be retained, aligning with Section 9.
  4. Clarify Cross-Border Transfers: If data is transferred abroad, specify the receiving countries and confirm compliance with the Central Government’s notified list under Section 16.
  5. Enhance Data Principal Rights: Clearly outline the right to erasure and introduce the right to nomination (Section 14) with accessible mechanisms.
  6. Add DPB Escalation: Include the Data Protection Board as the final escalation path for grievance redressal for Indian users.
