Archived analysis

This page is old. Goibibo was reviewed on 2026-04-12.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

Travel

Goibibo

Ready Score 42/100
Analysis supervised by Sushant Pasumarty
📅 12 Apr 2026

Goibibo’s policy relies on outdated 'implied consent' models and lacks the specific transparency required by the DPDP Act. While they are clear about what they collect, their claim to sell user data and their vague deletion timelines pose significant compliance risks.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.


We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-04-12
  • Company: Goibibo
  • Readiness score: 42/100
  • Policies and product behavior may have changed since review
  • Whether the current source policy still matches this archived policy-only review
  • Whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.


⚠️ Compliance Gaps

  • Uses 'browse-wrap' consent where simply using the site implies agreement
  • Claims 'commercial sale' of aggregated data is a legitimate purpose
  • Vague data retention periods using 'as long as necessary' language
  • No mention of Data Protection Board for grievance escalation
  • Missing the right to nominate a representative under Section 14
  • Bundles marketing consent with core service functionality

✅ Strengths

  • Highly detailed list of specific data points collected from users
  • Transparent breakdown of mobile app permissions and their functions
  • Clear instructions for unsubscribing from promotional communications
  • Provides a direct link for users to request account deletion

Overview

Goibibo (owned by MakeMyTrip) is one of India’s biggest travel platforms. Think about what they know about you: your passport details, COVID-19 vaccination status, location history, and even your food preferences.

In legal terms, Goibibo is the Data Fiduciary — the entity that decides why and how your data is processed. You are the Data Principal — the person the data actually belongs to. Because they handle such sensitive info, the DPDP Act 2023 sets a very high bar for how they must treat you.

DPDP Readiness: Section-by-Section Analysis

Goibibo still uses the “old school” way of getting permission, which is a major red flag under the new law.

What the policy says: “By using or accessing the Website… the User hereby agrees with the terms of this Privacy Policy.”

What the law requires: Consent must be affirmative. This means a user must check a box or take a clear action. You can’t just say “because you clicked our link, we can track you.” It must also be granular, meaning you should be able to agree to a flight booking without being forced to agree to marketing calls.

The problem: Goibibo bundles everything together. Under Section 6, this “take it or leave it” approach is likely invalid.

Section 7 — Certain Legitimate Uses 🔴

This is where things get shaky. Goibibo claims some very broad “legitimate” reasons for using your data.

What the policy says: “Any Personal Information… is our property. We may use it… for any legitimate purpose including without limitation the commercial sale thereof to third parties.”

What the law requires: Section 7 of the DPDP Act is very strict. You can only process data without specific consent for limited things like “voluntary provision” for a specific service or state functions.

The problem: Claiming that selling your data is a “legitimate purpose” or that your data is “their property” directly contradicts the spirit of the DPDP Act. The law says you own your data; they are just its custodians.

Section 8 — Obligations of Data Fiduciary ⚠️

Goibibo promises to protect your data, but it also tries to wash its hands of any responsibility for its partners.

What the policy says: “How the said service providers/suppliers use the information shared with them is beyond the purview and control of Goibibo… we cannot be made accountable for the same.”

What the law requires: A Data Fiduciary (Goibibo) is responsible for ensuring that any Data Processor (the hotels or airlines they share your info with) also protects that data.

The problem: You can’t just pass the buck. If Goibibo shares your data with a hotel that has a leak, Goibibo can still be held liable for not having a proper contract in place to protect you.

Section 9 — Data Retention 🔴

How long does Goibibo keep your passport scan or travel history? They don’t really say.

What the policy says: “Goibibo will retain your Personal Information… for as long as is reasonably necessary.”

What the law requires: Once the “purpose” is served (e.g., you finished your trip), the company must erase your data unless a law requires them to keep it for taxes or audits.

The problem: “Reasonably necessary” is too vague. Under DPDP, once you delete your account or the booking is over, they need a clear timeline for hitting the “delete” button.

Section 11 — Rights of Data Principal ⚠️

The law gives you the right to see what they have on you, fix errors, and even nominate someone else to handle your data if you pass away.

What the policy says: They provide a link to delete your account and an email to withdraw consent.

The problem: They are missing the new Right to Nominate (Section 14). They also don’t clearly explain how a user can get a summary of all their data that Goibibo has shared with dozens of third-party “partners.”

Section 12 — Right of Grievance Redressal ⚠️

What the policy says: They provide an email address (privacy@go-mmt.com) for complaints.

What the law requires: You must have a way to complain to the company, but if they don’t solve it, you have a right to go to the Data Protection Board of India.

The problem: Goibibo’s policy doesn’t mention the Board or the steps to take if their internal support team ignores your privacy concerns.

Section 16 — Cross-Border Data Transfer ⚠️

What the policy says: “Data… shall be primarily processed in India and such other jurisdictions where a third party… may process the data.”

The problem: The DPDP Act says the government can “black-list” certain countries where data cannot be sent. Goibibo’s policy is too broad. They need to be specific about where your data goes and ensure those countries have decent protections.

Risk Assessment

| Category | Risk Level | Potential Impact |
|---|---|---|
| Consent Validity | 🔴 High | Using “implied consent” could lead to massive fines. |
| Data Selling | 🔴 High | Claiming data ownership is a direct violation of DPDP principles. |
| Partner Liability | ⚠️ Medium | Disclaiming liability for partners doesn’t hold up under Section 8. |
| Deletion Policy | 🔴 High | Keeping data indefinitely is now a punishable offense. |

Recommendations for Goibibo (and your business)

  1. Stop “Browse-Wrap” Consent: Use a clear pop-up that asks users to “Accept” the privacy policy before they create an account.
  2. Separate the Toggles: Let users agree to “Flight Booking” but opt out of “Selling my data to partners.”
  3. Update the “Property” Language: Remove claims that user data is the company’s property. In the DPDP era, you are the Data Principal (the owner).
  4. Specific Retention: Tell users exactly when data is deleted (e.g., “Transaction logs are kept for 7 years for tax, but your search history is deleted after 180 days”).
  5. Mention the Board: Update the grievance section to include the Data Protection Board as the final authority.
