Overview
InMobi is a major global mobile advertising platform that helps advertisers reach users and publishers monetize their apps and websites. This involves collecting and processing vast amounts of data from users’ devices, including advertising IDs, IP addresses, location, app usage, and inferred demographics, to build profiles for targeted advertising. Given the scale and sensitivity of this data, DPDP compliance is critical.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice 🔴
InMobi’s consent model often relies on indirect consent obtained through publishers (app developers) or bundled within general terms of service. This approach typically does not meet the DPDP’s “freely given” standard for consent.
What the policy says (simulated): “By using apps or websites that partner with InMobi, you agree to our collection and use of data as described in this policy.”
DPDP requirement: Consent must be free, specific, informed, unconditional, and given for a particular purpose. It must be clearly distinguishable from other matters and easily withdrawn.
The problem: Users are unlikely to give direct, specific consent to InMobi for each processing purpose. Bundled consent for an entire privacy policy is insufficient under DPDP.
Section 7 — Certain Legitimate Uses ⚠️
InMobi likely claims broad “legitimate interests” for processing data, such as “improving services,” “preventing fraud,” and “internal analytics.” Under DPDP, legitimate uses are narrowly defined (e.g., voluntary provision by the Data Principal, state functions, medical emergencies, employment).
What the policy says (simulated): “We process data to provide and improve our advertising services, prevent fraud, and for internal analytics and research.”
The problem: Many of InMobi’s general operational needs, particularly those related to ad personalization and general service improvement using extensive user data, would not qualify as “certain legitimate uses” where consent is not required under DPDP’s stricter framework.
Section 8 — Obligations of Data Fiduciary ✅
As a large, global AdTech company, InMobi is expected to implement robust security measures. Its policy likely describes technical and organizational safeguards.
What the policy says (simulated): “InMobi implements technical and organizational safeguards, including encryption, access controls, and regular security audits, to protect user data.”
Strength: This aligns well with Section 8’s requirement for Data Fiduciaries (companies handling data) to implement “reasonable security safeguards.”
Section 9 — Data Retention 🔴
Critical gap. AdTech platforms often have vague data retention clauses, using phrases that lack specific timelines.
What the policy says (simulated): “We retain data for as long as necessary to fulfill the purposes for which it was collected, for our legitimate business interests, or as required by law.”
DPDP requirement (Section 9): Data must be erased upon withdrawal of consent or when the purpose is fulfilled, within a reasonable period, and without undue delay. Specific timelines are expected.
The problem: “As long as necessary” provides no clarity or commitment on when data, especially for profiling or historical targeting, will be deleted. This leaves significant exposure under DPDP.
Section 11 — Rights of Data Principal ⚠️
InMobi’s policy likely acknowledges user opt-out mechanisms for personalized ads and perhaps a right to access/correct data via contact forms. However, the full suite of DPDP rights may be missing.
What the policy says (simulated): “Users can opt-out of personalized advertising through device settings or industry tools. Contact us to access or correct your data.”
The problem: While opt-outs are good, explicit mention of the right to erasure and the right to nominate another person (Section 14), as well as clear self-service mechanisms beyond contacting support, might be absent or unclear.
Section 12 — Right of Grievance Redressal ⚠️
InMobi likely provides a contact for privacy inquiries or a Data Protection Officer. However, the process needs to align with DPDP requirements.
What the policy says (simulated): “For privacy inquiries, please contact our Privacy Officer at [email address].”
The problem: A simple email contact often lacks the formal structure and escalation path required by DPDP, which includes an internal resolution commitment (e.g., 30 days) and an escalation path to the Data Protection Board.
Section 16 — Cross-Border Data Transfer 🔴
As a global AdTech company, InMobi almost certainly transfers data across borders.
What the policy says (simulated): “Your data may be transferred to and processed in countries outside India, where our servers or service providers are located.”
DPDP requirement (Section 16): Data transfer outside India is restricted to countries notified by the Central Government. The policy should specify the countries and the safeguards applied.
The problem: A blanket statement about international data transfer without specifying countries or confirming alignment with the “notified list” (once published by the Central Government) is a major DPDP compliance gap.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | High | Up to ₹250 Cr per instance under DPDP |
| Consent compliance | Critical | Indirect/bundled consent could be invalidated for millions of users |
| Data retention | Critical | Indefinite retention of user profiles and ad data creates huge liability |
| Cross-border transfer | High | Transfers to non-notified countries could lead to immediate fines |
| Data principal rights | Medium | Incomplete rights framework could lead to user complaints and penalties |
Recommendations
- Redesign consent mechanisms — Obtain granular, explicit consent directly from Data Principals for each specific processing purpose (e.g., separately for ad personalization, analytics, and third-party sharing).
- Define specific data retention periods — Clearly state how long different categories of data are retained and commit to automatic deletion triggers upon purpose fulfillment or consent withdrawal.
- Refine “legitimate uses” claims — Review and narrow down uses claimed under “legitimate interest” to strictly adhere to DPDP Section 7’s definition.
- Enhance Data Principal rights mechanisms — Provide clear, easily accessible ways for users to exercise all DPDP rights, including access, correction, erasure, and nomination (Section 14).
- Integrate Data Protection Board escalation — Update the grievance redressal process to explicitly mention the Data Protection Board as an escalation path and commit to 30-day resolution.
- Specify cross-border transfers — Identify the countries where data is transferred and commit to only transferring to jurisdictions on the Central Government’s notified list.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative.