Overview
ICICI Bank is one of India’s largest private sector banks, offering a wide range of banking and financial services. Its operations involve handling vast amounts of sensitive personal and financial data. The bank’s current ‘Privacy Commitment’ on its Indian website (https://www.icicibank.com/privacy) was last updated on January 15, 2025. This analysis assesses its compliance with India’s Digital Personal Data Protection Act 2023 (DPDP Act 2023), which sets out a new framework for data protection in India.
DPDP Readiness: Section-by-Section Analysis
Sections 5 and 6 — Notice & Consent ⚠️
ICICI Bank’s current privacy commitment employs a bundled consent mechanism. By merely using or accessing the bank’s services, users are deemed to have agreed to the privacy commitment and consented to data processing.
What the policy says: “By using or otherwise accessing our Services, you confirm that you have read and agreed to be bound by this Privacy Commitment and consent to the collection, receipt, possession, storage, usage, dealing with, handling, processing, transfer and retention of your Customer Information by ICICI Bank as described in this Privacy Commitment.”
DPDP requirement: Under Section 6(1), consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the specified purpose and to the personal data necessary for it. Under Sections 6(4) to 6(6), the Data Principal may withdraw consent at any time, the withdrawal must be as easy as giving consent was, and processing must then stop within a reasonable time. Section 5 requires a notice, accompanying or preceding the request for consent, that describes the personal data and the purpose, explains how the Data Principal may exercise her rights, and explains how to complain to the Data Protection Board; the DPDP Rules additionally require that notice to be presented independently of any other information.
Gap: Treating the mere use of the website or services as agreement is not a clear affirmative action, and the consent is neither specific nor free, since the customer's only alternative is to forgo the service. The policy offers no way to consent to one purpose but not another, and no withdrawal mechanism at all, let alone one as easy as the original consent. The text also omits Section 5 content such as the manner of exercising Data Principal rights and the route to the Board. A practical test of readiness: a customer should be able to refuse marketing analytics while still opening an account; the current text offers no such choice.
Section 7 — Certain Legitimate Uses ✅
The policy clearly lists several purposes for which customer information is collected and processed, many of which align with legitimate uses under the DPDP Act, such as providing services and complying with legal obligations.
What the policy says: ICICI Bank uses customer information “To verify your identity to register you as a Customer, and create and operate your account(s) with us; To provide the Services to you; To process payments made through our Services; To comply with legal obligations.”
DPDP requirement: Section 7 enumerates the "certain legitimate uses" for which personal data may be processed without consent. Those relevant to a bank are processing for the specified purpose for which the Data Principal voluntarily provided the data and has not objected (Section 7(a)), disclosures the bank is obliged by law to make to the State (Section 7(d)), compliance with a judgment, decree or order (Section 7(e)), and employment-related processing (Section 7(i)). Unlike the GDPR, the Act has no general "performance of a contract" ground; any purpose outside Section 7 must rest on Section 6 consent.
Strength: Identity verification, account operation and payment processing fit Section 7(a) where the customer has volunteered the data for exactly that purpose, and KYC, reporting and court-ordered disclosures fit Sections 7(d) and 7(e). The broader uses listed for "Visitor Information", namely "customer analytics, to develop and offer new products and services or improve existing ones, direct marketing, telemarketing, online promotions, brand promotions", fall under no Section 7 ground and therefore require specific consent under Section 6, with a genuine opportunity to decline that the policy does not currently provide.
Section 8 — Obligations of Data Fiduciary (Security Safeguards) ✅
ICICI Bank expresses a commitment to protecting customer privacy and confidentiality and outlines some security measures.
What the policy says: “ICICI Bank is strongly committed to protecting the privacy of its Customers and has taken all necessary and reasonable measures to protect the confidentiality of the Customer Information and its transmission.” It also mentions the use of “128-bit encryption, which is currently the permitted level of encryption in India, for the transmission of Visitor registration and transaction requests and information.”
DPDP requirement: Section 8(5) requires a Data Fiduciary to protect the personal data in its possession or under its control, including data processed on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breaches. Section 8(6) requires that any breach be intimated to the Data Protection Board and to each affected Data Principal.
Strength: The commitment to reasonable measures and the reference to encryption in transit are consistent with Section 8(5). Caveat: "128-bit encryption" describes only the symmetric key length of the TLS session protecting the web channel, and the claim that this is "the permitted level" is dated; no DPDP provision caps or mandates a key length, and current TLS deployments commonly negotiate 256-bit suites. The policy says nothing about encryption at rest, access control, the obligations placed on third-party processors, or breach notification to the Board and to customers, so the ✅ rests on a stated commitment rather than on any control a customer can verify.
Section 8(7) — Data Retention 🔴
The policy provides a general statement regarding data retention, lacking specific timelines.
What the policy says: “We will retain your Customer Information for as long as necessary to provide you with the Services, to comply with our legal obligations, resolve disputes, and enforce our agreements.”
DPDP requirement: Section 8(7) requires the Data Fiduciary to erase personal data, and to cause its Data Processors to erase it, upon withdrawal of consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, unless retention is necessary to comply with a law in force.
Gap: "As long as necessary" restates the principle without the operational trigger: no retention period per purpose, no statement of what happens on withdrawal of consent, and no distinction between records the bank must keep under banking and anti-money-laundering law and data kept for convenience or marketing. A DPDP-ready notice would state the retention period or the event that ends it for each purpose, identify the legal basis for any longer retention, and confirm that processors are required to erase on the same schedule.
Sections 11 to 14 — Rights of Data Principal ⚠️
While the bank’s overseas policies (e.g., UK, UAE) detail various data subject rights aligned with GDPR, the Indian privacy commitment lacks explicit mention of Data Principal rights as enumerated in the DPDP Act.
What the policy says: The policy mentions "You are free to disable or delete these cookies by changing your web browser settings." It does not list the rights to access information about processing, to correction and erasure, to grievance redressal, or to nominate, nor does it say how any of them can be exercised.
DPDP requirement: Section 11 grants the right to obtain a summary of the personal data being processed and the identities of the Data Fiduciaries and Data Processors with which it has been shared; Section 12 grants correction, completion, updating and erasure; Section 13 grants grievance redressal; Section 14 grants the right to nominate another person to exercise these rights in the event of death or incapacity. Section 5 requires the notice to explain the manner in which these rights may be exercised.
Gap: None of these DPDP-specific rights is articulated, and the nomination right, which has no equivalent in the GDPR-aligned overseas policies, is absent entirely. Without a stated channel and process, a customer cannot tell how to request access, correction or erasure, and the bank cannot show that it responds within the periods the Rules prescribe.
Section 13 — Right of Grievance Redressal ⚠️
The policy does not set out a grievance procedure aligned with the DPDP Act.
What the policy says: The nearest provision is a broad statement that the bank undertakes not to disclose information unless necessary to conform to legal requirements or comply with legal process; nothing describes how a customer raises a complaint about processing.
DPDP requirement: Section 13 requires the Data Fiduciary to provide readily available means of grievance redressal and to respond within the period prescribed by the Rules, and the Data Principal must exhaust that route before approaching the Data Protection Board. Sections 8(9) and 8(10) require the Data Fiduciary to publish the business contact details of its Data Protection Officer (where one is required) or of a person able to answer Data Principal questions, and to operate an effective redressal mechanism.
Gap: The policy names no DPDP contact point, describes no complaint process or response timeline, and does not mention the Data Protection Board as the escalation path once internal redressal is exhausted.
Section 16 — Cross-Border Data Transfer ⚠️
The policy’s provisions for data sharing indicate broad international transfers.
What the policy says: “we may share any information you provide to us with our group companies and their agents, counterparties and support service or data providers, wherever located.”
DPDP requirement: Section 16 permits transfer of personal data outside India by default; the Central Government may, by notification, restrict transfers to specified countries or territories. This is a blocklist, not a whitelist of approved destinations. Section 16(2) preserves any stricter requirement in other law, so sectoral localisation mandates, notably the RBI's 2018 direction that payment system data be stored only in India, continue to apply.
Gap: The "wherever located" clause is not on its face a breach of Section 16, but it gives the customer no information about destination countries or recipient categories, no commitment to stop transfers to a jurisdiction once it is notified as restricted, and no reconciliation with the RBI localisation requirement for payment data. The notice should identify the categories of recipients and jurisdictions and state how transfers will be halted if a destination is restricted.
Risk Assessment
| Category | Risk Level | Justification |
|---|---|---|
| Consent Management | High | Consent deemed from use of the site is not a clear affirmative action under Section 6(1), is neither specific nor withdrawable, and exposes the bank to penalties under the Act. |
| Data Principal Rights | High | Lack of explicit recognition and accessible mechanisms for DPDP-specific rights, including nomination and erasure, increases regulatory and reputational risk. |
| Data Retention | Medium | "As long as necessary" gives no retention periods or erasure triggers, leaving the Section 8(7) obligation to erase on purpose completion or consent withdrawal unevidenced. |
| Grievance Redressal | High | Absence of a clear DPDP-aligned grievance mechanism and Data Protection Board escalation path is a critical non-compliance. |
| Cross-Border Transfer | Medium | Section 16 restricts transfers only to countries the Central Government notifies, so "wherever located" is not a per se breach; the risk lies in the absence of any commitment to honour such restrictions or the stricter RBI payment-data localisation mandate preserved by Section 16(2). |
| Overall DPDP Alignment | High | The policy’s general nature and lack of explicit DPDP references indicate a fundamental gap in comprehensive DPDP readiness. |