Overview
Lenskart is one of India’s largest optical prescription eyewear retailers, operating online and through physical stores. Given the sensitive nature of data they handle — including medical information (eye power, prescriptions), biometric data (for virtual try-ons), and financial details — their privacy policy needs to be robust and fully compliant with the DPDP Act, 2023. They process data from millions of customers across India and beyond.
DPDP Readiness: Section-by-Section Analysis
Sections 5 and 6 — Notice & Consent ⚠️
Lenskart’s policy takes a bundled approach to consent: users are treated as having agreed to collection and processing simply by using the services or handing over information. This is typical of privacy policies written before the DPDP Act.
What the policy says: “By providing your Personal Information to Lenskart, you consent to the collection, use, storage, and processing of your information…” and “You may also choose to withdraw your consent by contacting us…”
DPDP requirement: Under Section 6(1), consent must be free, specific, informed, unconditional and unambiguous, signified by a clear affirmative action, and limited to the personal data necessary for the specified purpose. Section 6(4) requires that withdrawing consent be as easy as giving it. Section 5 separately requires a notice, given with or before the consent request, that states what personal data is collected and for which purpose, how the Data Principal (the individual the data relates to) can exercise her rights, and how she can complain to the Data Protection Board.
Gap: Withdrawal is mentioned, but the initial consent is a blanket acceptance inferred from conduct rather than a clear affirmative action. Lenskart collects data for varied purposes (personalization, marketing, service improvement) with no mechanism for granular consent, such as accepting processing for the core service while declining marketing use. Withdrawal “by contacting us” is also harder than the implied giving of consent, which runs against Section 6(4), and the quoted text does not supply the purpose-by-purpose notice that Section 5 requires. This “take it or leave it” model is unlikely to meet the “freely given” and “specific” standards.
Section 7 — Certain Legitimate Uses ⚠️
The policy lists purposes for data processing that include “improving services,” “personalization,” “marketing and promotions,” and “fraud prevention.”
DPDP requirement: Section 7 of the DPDP Act defines “certain legitimate uses” narrowly: these are the situations in which a Data Fiduciary may process personal data without consent, such as data the Data Principal has voluntarily provided for a specified purpose, State functions and benefits, compliance with a legal obligation or court order, medical emergencies, epidemics and disasters, and employment-related purposes. General “marketing” and “personalization” are not on that list, so they require consent under Section 6.
Gap: Several of Lenskart’s stated purposes, notably marketing and personalization, do not fall within Section 7. Without specific consent for each of these, the processing has no lawful ground under the Act. Fraud prevention may be defensible where it is necessary to protect the service or comply with law, but the policy does not make that case.
Section 8 — Obligations of Data Fiduciary ✅
Lenskart’s policy outlines several security measures to protect user data. A Data Fiduciary is the entity that determines the purpose and means of processing personal data (Lenskart, in this case).
What the policy says: “We maintain reasonable physical, electronic and procedural safeguards to protect your Personal Information. We use secure servers, encryption technology, and firewalls to prevent unauthorized access… Only authorized personnel have access to your information.”
DPDP requirement: Section 8(5) requires a Data Fiduciary to implement “reasonable security safeguards to prevent personal data breach,” meaning technical and organisational measures proportionate to the risk. Section 8 also obliges the fiduciary to notify the Data Protection Board and each affected Data Principal of a personal data breach (8(6)), to erase data once the purpose is served or consent is withdrawn (8(7)), and to publish contact details of a person who can answer questions about processing (8(9)).
Strength: The policy demonstrates awareness of the safeguards obligation and names concrete controls (encryption, firewalls, access restricted to authorised personnel), which aligns with Section 8(5). One caveat: the quoted text says nothing about notifying users or the Board in the event of a breach, so the ✅ applies to safeguards, not to the whole of Section 8.
Section 8(7) — Data Retention and Erasure 🔴
This obligation is central to demonstrating compliance, but Lenskart’s policy uses the usual vague formula.
What the policy says: “We retain your Personal Information for as long as necessary to fulfill the purpose(s) for which it was collected, provide our services, resolve disputes, comply with legal obligations, and enforce our agreements.”
DPDP requirement: Section 8(7) requires a Data Fiduciary to erase personal data when the Data Principal withdraws consent or as soon as it is reasonable to assume the specified purpose is no longer being served, whichever is earlier, and to cause its Data Processors to do the same. The only carve-out is retention that is necessary for compliance with a law in force.
Gap: “As long as necessary” tells the user nothing about when data is actually purged. The policy gives no retention periods for any category of data (eye prescriptions, purchase history, marketing profiles), does not tie erasure to withdrawal of consent, and cites grounds such as “resolve disputes” and “enforce our agreements” that are broader than the statutory carve-out for legal compliance. Open-ended retention of prescription and payment data is a significant compliance and breach-exposure risk.
Sections 11–14 — Rights of Data Principal ⚠️
A Data Principal is the individual to whom the personal data relates. Lenskart acknowledges some key rights.
What the policy says: “You have the right to access, update, correct, restrict processing, and withdraw your consent… You also have the right to data portability…”
DPDP requirement: The Act grants Data Principals the right to access information about their personal data and the fiduciaries it has been shared with (Section 11), the right to correction, completion, updating and erasure (Section 12), the right of grievance redressal (Section 13), and the right to nominate another person to exercise these rights in the event of death or incapacity (Section 14).
Partial compliance: The policy covers access, correction and withdrawal of consent, and data portability goes beyond what the Act requires. However, the quoted text does not mention the right to erasure (Section 12) and does not mention the right to nominate (Section 14). The procedure for exercising each right, and the timeframe for responding, should also be stated explicitly.
Section 13 — Right of Grievance Redressal ⚠️
Providing a clear channel for complaints is a cornerstone of data protection.
What the policy says: “If you have any questions, concerns, or complaints regarding this Privacy Policy or our data practices, please contact our Grievance Officer…” It provides a name, email, and address.
DPDP requirement: Section 8(10) requires every Data Fiduciary to have an effective grievance redressal mechanism, and Section 13 gives the Data Principal a right to readily available means of redress, with a response within the period to be prescribed under the Rules. Section 13(3) makes the internal mechanism a mandatory first step: the Data Principal must exhaust it before approaching the Data Protection Board of India.
Gap: A Grievance Officer is clearly named, but the policy does not mention the Data Protection Board of India as the escalation path once the internal process is exhausted. It also commits only to a “reasonable timeframe” rather than a defined response period, so users cannot tell when they are entitled to escalate.
Section 16 — Cross-Border Data Transfer ⚠️
Transferring data across borders is routine for global companies, and the DPDP Act regulates it, though more loosely than earlier drafts did.
What the policy says: “Your Personal Information may be transferred to and stored in countries outside of India where our service providers or affiliates may be located. These countries may have different data protection laws than India.” It states “appropriate measures will be taken” for protection.
DPDP requirement: Section 16(1) allows transfer of personal data outside India for processing unless the Central Government, by notification, restricts transfer to a particular country or territory. Section 16(2) preserves any stricter sectoral law that limits such transfers (for example, data-localisation rules that apply to payment data). All other obligations under the Act, including security safeguards, erasure and the duty to ensure Data Processors comply, continue to apply to data processed abroad.
Gap: Lenskart’s policy does not identify the jurisdictions or the categories of service provider involved, so neither the user nor Lenskart’s own compliance team can check a transfer against a future government restriction or against sectoral localisation rules. The blanket statement on “appropriate measures” does not say what contractual or technical safeguards bind the overseas processors, which the Act requires the fiduciary to ensure.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | High | Up to ₹250 crore per breach for failing to take reasonable security safeguards (Schedule to the Act); lower caps for other contraventions |
| Consent compliance | High | Bundled consent invalidation could lead to non-compliance for millions of users |
| Data retention | Critical | Indefinite retention of sensitive health and financial data = major exposure |
| Cross-border transfer | Medium | Non-compliance if the Central Government restricts transfers to a jurisdiction Lenskart relies on, or if sectoral localisation rules apply |
| Data Principal rights | Medium | Incomplete rights framework, especially missing nomination right |
Recommendations
- Introduce granular consent: For new users, implement separate checkboxes for different processing purposes (e.g., core service, marketing, analytics, third-party sharing).
- Define specific retention periods: Clearly state how long different categories of data (e.g., prescription history, marketing data, transaction logs) will be kept and when they will be automatically deleted.
- Update for DPDP Act 2023: Explicitly reference the DPDP Act and map policy sections to corresponding provisions, especially for Data Principal rights.
- Add DPDP Board escalation: Name the Data Protection Board of India as the escalation step once the internal grievance process is exhausted, and publish a defined response timeframe (the Act leaves the exact period to the Rules; a 30-day commitment is a reasonable target) in place of “reasonable timeframe.”
- Specify cross-border transfers: Identify the jurisdictions and categories of overseas service providers, state the contractual and technical safeguards imposed on them, and commit to suspending transfers to any country the Central Government restricts under Section 16.
- Implement nomination mechanism: Clearly inform users of their right to nominate another person to exercise their DPDP rights (Section 14).
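The first two recommendations above (granular, purpose-specific consent and defined retention periods with automatic erasure) are easier to reason about with a concrete model. The following is an added example, not Lenskart’s code or any product’s implementation: a small purpose-scoped consent ledger that records and withdraws consent per purpose, computes the erasure date of each data record as the earlier of retention expiry and consent withdrawal (with a legal-hold carve-out mirroring Section 8(7)), and lists what is overdue for deletion. The purpose names, data categories, retention periods and the `LEGAL_HOLD` set are assumptions chosen for illustration, and the sample principal is constructed data.

```python
"""Purpose-scoped consent ledger with retention-driven erasure.

Added illustrative code, not Lenskart's or any product's implementation.
Purposes, categories, retention periods and legal holds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed processing purposes, each consented to separately (DPDP s.6: specific consent).
PURPOSES = {"core_service", "marketing", "analytics", "third_party_sharing"}

# Assumed retention schedule per data category, in days. Illustrative numbers only.
RETENTION_DAYS = {
    "prescription": 3 * 365,
    "marketing_profile": 180,
    "transaction_log": 7 * 365,
}

# Categories kept for a legal obligation (the s.8(7) carve-out); withdrawing
# consent does not shorten their retention. Assumption for the example.
LEGAL_HOLD = {"transaction_log"}


def iso_date(text: str) -> date:
    """Parse an ISO date string; convenience helper for callers and tests."""
    return date.fromisoformat(text)


@dataclass
class Consent:
    purpose: str
    given_on: date
    withdrawn_on: Optional[date] = None

    def active_on(self, day: date) -> bool:
        return self.given_on <= day and (self.withdrawn_on is None or day < self.withdrawn_on)


@dataclass
class DataRecord:
    category: str
    purpose: str          # the purpose this data was collected for
    collected_on: date


@dataclass
class DataPrincipal:
    principal_id: str
    consents: dict = field(default_factory=dict)
    records: list = field(default_factory=list)

    def give_consent(self, purpose: str, on: date) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.consents[purpose] = Consent(purpose, on)

    def withdraw_consent(self, purpose: str, on: date) -> None:
        consent = self.consents.get(purpose)
        if consent is None or consent.withdrawn_on is not None:
            raise ValueError(f"no active consent for {purpose}")
        consent.withdrawn_on = on

    def has_consent(self, purpose: str, on: date) -> bool:
        consent = self.consents.get(purpose)
        return consent is not None and consent.active_on(on)


def erasure_due(principal: DataPrincipal, record: DataRecord) -> date:
    """Date by which the record must be erased: the earlier of retention expiry and
    consent withdrawal, unless the category is under a legal hold."""
    expiry = record.collected_on + timedelta(days=RETENTION_DAYS[record.category])
    consent = principal.consents.get(record.purpose)
    if record.category in LEGAL_HOLD or consent is None or consent.withdrawn_on is None:
        return expiry
    return min(expiry, consent.withdrawn_on)


def can_process(principal: DataPrincipal, record: DataRecord, today: date) -> bool:
    """Processing for the record's purpose is allowed only while consent is active and
    the erasure date has not been reached. A legal hold keeps the data in storage; it
    does not revive processing for the original purpose."""
    return principal.has_consent(record.purpose, today) and today < erasure_due(principal, record)


def erasure_queue(principal: DataPrincipal, today: date) -> list:
    """Records whose erasure date has been reached, as (category, due_iso) pairs."""
    return [(r.category, erasure_due(principal, r).isoformat())
            for r in principal.records if erasure_due(principal, r) <= today]


def build_example() -> DataPrincipal:
    """Constructed sample principal (not real customer data)."""
    p = DataPrincipal("dp-001")
    p.give_consent("core_service", iso_date("2024-01-10"))
    p.give_consent("marketing", iso_date("2024-01-10"))   # separate tick-box, not bundled
    p.records = [
        DataRecord("prescription", "core_service", iso_date("2024-01-10")),
        DataRecord("transaction_log", "core_service", iso_date("2024-01-10")),
        DataRecord("marketing_profile", "marketing", iso_date("2024-01-10")),
    ]
    p.withdraw_consent("marketing", iso_date("2024-03-01"))  # withdrawal per purpose
    return p


if __name__ == "__main__":
    principal = build_example()
    today = iso_date("2024-04-01")
    for rec in principal.records:
        print(rec.category, "process:", can_process(principal, rec, today),
              "erase by:", erasure_due(principal, rec).isoformat())
    print("due for erasure:", erasure_queue(principal, today))
```

Running the script shows the marketing profile becoming unprocessable and overdue for erasure on the day consent is withdrawn, while the prescription keeps its retention-based date and the transaction log keeps its legal-hold date regardless of consent. The point of the design is that every record carries the purpose it was collected for, so a withdrawal for one purpose can be enforced without touching data held for another, which is exactly what a bundled “by using our services you consent” model cannot do.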
How Does Your Policy Compare?
Not sure if your company’s privacy policy has similar gaps? Run a free instant check:
Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.