Archived analysis

This page is old. FirstCry (Brainbees Solutions Ltd.) was reviewed on 2026-03-19.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

E-commerce (Mother & Baby Care)

FirstCry (Brainbees Solutions Ltd.)

Ready Score 48/100
Analysis supervised by Sushant Pasumarty
📅 19 Mar 2026

FirstCry's privacy framework is significantly misaligned with the DPDP Act 2023. As a platform primarily serving parents and children, its reliance on 'implicit' parental consent and the use of children's data (DOB/gender) for behavioral targeting and profiling creates severe regulatory risk. The policy requires a total overhaul to implement verifiable parental consent and unbundled consent mechanisms to avoid the Act's highest tier of penalties.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-03-19
  • Company: FirstCry (Brainbees Solutions Ltd.)
  • Readiness score: 48/100
  • Policies and product behavior may have changed since review
  • Whether the current source policy still matches this archived policy-only review
  • Whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

⚠️ Compliance Gaps

  • Outdated legal framework — policy remains anchored in the IT Act 2000 and SPDI Rules 2011
  • Lack of Verifiable Parental Consent (VPC) — no robust mechanism to verify age or parental identity per Section 9
  • Prohibited processing of children's data — site profiles children's ages for 'relevant offers,' violating the Section 9(3) ban on tracking/behavioral monitoring
  • Bundled consent — privacy acceptance is integrated into account creation with no granular opt-ins for marketing or third-party sharing
  • Absence of Data Principal Rights — no mention of the Right to Nominate (Section 14) or specific Right to Erasure
  • Grievance redressal lacks DPB escalation — fails to identify the Data Protection Board of India as the statutory authority for complaints

✅ Strengths

  • Detailed transparency on data categories — clearly lists the types of personal and sensitive data collected
  • Defined security protocols — mentions SSL encryption and adherence to 'reasonable security practices' for data protection
  • Named Grievance Officer — contact information is publicly available for dispute resolution
  • Explicit Children’s Privacy Section — recognizes the need for additional security for minor-related data, though under-compliant with new DPDP standards

Overview

FirstCry (Brainbees Solutions Ltd.) is India’s leading e-commerce platform for baby and kids’ products, handling data for millions of parents and children. Because its core business model involves processing the data of minors — categorized as a vulnerable group under the DPDP Act — the company faces an exceptionally high compliance threshold.

DPDP Readiness: Section-by-Section Analysis

FirstCry uses a “browse-wrap” or “sign-up wrap” consent model. The policy states: “By using our Website, you are agreeing to the collection and use of your Information.”

DPDP Requirement: Consent must be a “clear affirmative action” that is free, specific, informed, unconditional, and unambiguous.

Gap: Consent is currently bundled with the Terms of Use. Users cannot choose to share data for delivery while opting out of “marketing and promotional efforts.” This fails the unconditional requirement of Section 6.

Section 9 — Processing of Personal Data of Children 🔴

Critical Risk Area. This is the most significant point of failure for FirstCry.

What the policy says: “Minors under the age of 18 are not supposed to use the Website… if you are under 18… you may use FirstCry only with the involvement of a parent or guardian.” It also admits to using a child’s date of birth and gender to “send you the best offers relevant for your child.”

DPDP Requirement (Section 9):

  1. Verifiable Parental Consent (VPC): Fiduciaries must obtain consent from a parent in a manner that is “verifiable.” FirstCry’s current “involvement” standard does not meet this.
  2. No Behavioral Tracking: Processing that involves tracking, behavioral monitoring, or targeted advertising directed at children is strictly prohibited.

Gap: FirstCry explicitly uses children’s data for profiling and “relevant offers.” Under DPDP, this is a per se violation that carries penalties of up to ₹200 crore.

Section 8 — Obligations of Data Fiduciary ✅

The policy mentions that FirstCry adopts “reasonable security practices and procedures” and uses SSL technology for sensitive data.

Strength: The company demonstrates awareness of data security, which aligns with Section 8(5). However, it lacks a formal “Data Breach Notification” procedure in its public policy, which is now mandatory under Section 8(6).

Section 9 — Data Retention ⚠️

Gap: FirstCry’s retention clause is vague: “We will not remove content or information that we may be required to retain under applicable laws.”

DPDP Requirement: Section 12 (and Section 8) mandates that a Data Fiduciary must erase personal data as soon as the purpose for which it was collected is no longer served, or when consent is withdrawn. FirstCry does not provide a clear “Right to Erasure” workflow for users.

Section 11-14 — Rights of Data Principal 🔴

The policy provides for the “ability to access and edit” information, but it is missing the specific DPDP rights framework:

  • Right to Nominate (Section 14): No provision for users to nominate a representative in case of death or incapacity.
  • Right to Erasure: Not explicitly granted; the policy suggests data is retained at the company’s discretion for legal compliance without providing a deletion request mechanism.

Section 12 — Right of Grievance Redressal ⚠️

While a Grievance Officer is appointed (Brainbees Solutions Ltd., Pune), the policy fails to mention:

  • The timeframe for resolution (the Act and Rules suggest a 15-30 day window).
  • The escalation path to the Data Protection Board of India (DPB) if the user is unsatisfied.

Risk Assessment

| Category | Risk Level | DPDP Section | Primary Concern |
|---|---|---|---|
| Children’s Data | High | Section 9 | Behavioral profiling and lack of verifiable parental consent. |
| Consent | Medium | Section 6 | Bundled consent and lack of granular opt-outs. |
| Data Rights | Medium | Sections 11-14 | No right to nominate or clear erasure request process. |
| Regulatory | High | Section 15/16 | Reliance on IT Act 2000 terminology (SPDI) instead of DPDP 2023. |

Recommendations for Compliance:

  1. Implement VPC: Deploy a “Parental Gateway” with ID verification or payment-based verification to confirm parental identity.
  2. Cease Child Profiling: Stop using children’s DOB/gender for targeted push notifications unless the Central Government provides a specific exemption.
  3. Update Privacy Notice: Issue a “Notice” in plain language (and multiple Indian languages as per Section 5) explaining what data is collected and for what specific purpose.
  4. Consent Manager: Integrate with a Consent Manager to allow users to withdraw consent as easily as it was given.
