Archived analysis

This page is old. Gaana was reviewed on 2026-05-10.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

Entertainment

Gaana

Ready Score 48/100
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 10 May 2026

Gaana’s privacy policy remains anchored in the legacy IT Act 2000 framework. While it is transparent about 'what' it collects, it fails the DPDP Act’s 'how'—specifically regarding granular consent, the right to erasure (Section 9), and the newly mandated rights of data principals. As a major consumer-facing app handling behavioral and preference data of millions, the lack of a DPDP-compliant notice and consent manager presents a high regulatory risk.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-05-10
  • Company: Gaana
  • Readiness score: 48/100
  • Policies and product behavior may have changed since review
  • Not verified: whether the current source policy still matches this archived policy-only review
  • Not verified: whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

⚠️ Compliance Gaps

  • Primary reliance on IT Act 2000 and SPDI Rules 2011 — lacks explicit alignment with DPDP Act 2023
  • Bundled consent model where usage of the app implies agreement to all data practices
  • Vague data retention policy using 'as long as necessary' terminology without erasure triggers
  • Absence of 'Right to Nominate' under Section 14 for the data principal
  • No reference to the Data Protection Board of India for grievance escalation
  • Notice does not provide the mandatory list of data processors or specific transfer locations

✅ Strengths

  • Detailed list of data categories collected, including device information and social media links
  • Clear identification of a Grievance Officer with contact details
  • Transparency regarding third-party SDKs and advertising partners
  • Explicit mention of parental consent for users under 18 (though verification methods are weak)

Overview

Gaana (owned by Gamma Gaana Ltd. / Times Internet) is one of India’s leading music streaming services. Its data ecosystem is heavily reliant on advertising-led monetization, requiring the tracking of user preferences, location data, and device identifiers. Under the Digital Personal Data Protection (DPDP) Act 2023, such extensive behavioral profiling requires a significant shift from ‘implied’ to ‘explicit’ consent.

DPDP Readiness: Section-by-Section Analysis

Gaana uses a legacy “Notice and Consent” model. The policy states that by accessing the service, the user is “consenting to the collection, storage, and use” of information.

DPDP requirement: Section 6 requires consent to be free, specific, informed, unconditional, and an unambiguous indication of intent through an affirmative action.

Gap: Gaana’s consent is bundled. Users cannot opt out of advertising tracking while opting in to the music service itself. The “notice” is not provided in multiple languages as suggested by the DPDP framework, nor is it “itemised” to show specifically what data is used for which purpose.

Section 8 — Obligations of Data Fiduciary ⚠️

The policy mentions “reasonable security practices and procedures” and “ISO/IEC 27001” standards. While this aligns with the spirit of Section 8, the DPDP Act introduces a higher burden of “completeness” and “accuracy” of data.

Gap: There is no explicit mention of the obligation to notify the Data Protection Board and affected users in the event of a personal data breach, which is a mandatory requirement under Section 8(6) of the Act.

Section 9 — Data Retention & Erasure 🔴

Critical gap. Gaana’s policy states data is kept “for as long as the purpose for which it was collected continues” or as “required by law.”

DPDP requirement: Section 9(1) mandates that a Data Fiduciary must erase personal data as soon as the purpose of collection is met or consent is withdrawn.

Gap: The policy does not provide a mechanism for the user to trigger “Right to be Forgotten” or a clear timeline for when data is purged after account deactivation.

Section 11 — Rights of Data Principal ⚠️

The policy allows users to “review and correct” information. However, it lacks the expanded suite of rights introduced by the DPDP Act:

  • Right to Erasure: Not explicitly defined as a statutory right.
  • Right to Nominate: There is no provision for a user to nominate another person to exercise their rights in case of death or incapacity (Section 14).
  • Summary of Data: No mechanism exists for a user to request a summary of personal data processed and the identities of all other Data Fiduciaries/Processors with whom data has been shared.

Section 12 — Right of Grievance Redressal ⚠️

Gaana has appointed a Grievance Officer, meeting the legacy requirements of the IT Act.

Gap: To be DPDP compliant, the policy must inform the user that they have the right to exhaust this internal grievance process and then approach the Data Protection Board of India. Gaana’s policy is silent on this external escalation path.

Section 16 — Cross-Border Data Transfer ⚠️

The policy states that information may be transferred to and maintained on computers located outside the user’s state or country where privacy laws may differ.

Gap: Under DPDP Section 16, the Central Government may restrict the transfer of personal data to certain notified countries (negative list). Gaana’s policy uses a blanket transfer clause that does not account for these future restricted jurisdictions or provide the required safeguards for international transfers.

Risk Assessment

| Category | Risk Level | Mitigation Required |
| --- | --- | --- |
| Consent Architecture | HIGH | Implement a Consent Manager (Section 6) with granular check-boxes. |
| Data Erasure | HIGH | Automate deletion workflows for inactive accounts and withdrawn consent. |
| User Rights | MEDIUM | Update UI to allow for “Nomination” and “Request for Summary.” |
| Notice Compliance | MEDIUM | Provide a “Notice” at the time of collection in 22 scheduled languages if requested. |

Conclusion

Gaana’s current privacy policy is a classic “Web 2.0” document—focused on broad permissions for data monetization while offering minimal control to the user. To reach DPDP compliance, Gaana must move away from the “Terms of Use” style agreement and adopt a “Privacy by Design” framework that treats consent as a revocable and specific transaction rather than a one-time entry fee.
