Overview
Netmeds is one of India’s biggest online pharmacies. Think about the data they hold: your prescriptions, chronic illness history, and even your family’s health details. In the world of privacy, this is sensitive personal data (the DPDP Act itself uses a single category, “personal data,” but health records are exactly the kind of data that does the most harm when exposed). If a leak happens here, it isn’t just a password that gets reset; it’s your medical history, which cannot be changed. As a Data Fiduciary (the company that decides how and why your data is processed), Netmeds carries a heavy responsibility to protect you, the Data Principal (the person the data belongs to).
DPDP Readiness: Section-by-Section Analysis
Sections 5 & 6 — Notice & Consent 🔴
The DPDP Act says consent must be “free, specific, informed, unconditional and unambiguous with a clear affirmative action” (Section 6(1)), and it must be preceded or accompanied by a notice (Section 5) telling you what data is collected and why. Consent should not be buried in a “by using this site, you agree” clause.
What the policy says: “By using, browsing, accessing, or purchasing from the ‘Website’ you agree to be bound by the terms of this Privacy Policy and consent to the collection… of your information.”
What the law requires: You can’t assume someone agrees because they opened a page or clicked a link. You need a clear, affirmative action (for example, ticking an unticked checkbox) tied to a notice that explains exactly what they are agreeing to. Section 6(2) adds that any part of a consent which infringes the Act is invalid to that extent, so a defective clause does not rescue itself.
The problem: Netmeds uses bundled consent. You can’t agree to buy medicine but decline to have your data used for “marketing.” Under DPDP, consent is limited to the personal data necessary for the specified purpose; the Act’s own illustration for Section 6(1) uses a telemedicine app whose request to read the user’s contact list is not covered by consent to receive telemedicine services. Marketing is a separate purpose and needs a separate, declinable choice.
Section 7 — Certain Legitimate Uses ⚠️
This section of the law covers times when a company doesn’t need your explicit “okay”—like medical emergencies or if you voluntarily gave your data for a specific reason.
What the policy says: Netmeds claims they can use your data for “internal analytical and research purposes” and “to provide you the services through third party service providers.”
What the law requires: Section 7 is an exhaustive list (data you volunteered for a specified purpose, State functions, legal obligations, medical emergencies, epidemics, disasters, employment, and similar). “Marketing” and open-ended “research” are not on it, so they need explicit consent under Section 6 and cannot be processed under a Section 7 exemption.
The problem: Netmeds uses very broad language that could let it process health data for business growth under the guise of “improving services.” That framing is unlikely to survive scrutiny under the DPDP Act, because the purpose stated in the notice has to match the purpose actually pursued.
Section 8 — Obligations of Data Fiduciary ✅
This is about keeping the “digital doors” locked.
What the policy says: “We have implemented security policies, rules and technical measures… including firewalls, transport layer security and other physical and electronic security measures.”
What the law requires: A Data Fiduciary must take “reasonable security safeguards” to prevent a personal data breach (Section 8(5)) and must notify the Data Protection Board and each affected Data Principal when a breach does occur (Section 8(6)).
The strength: Netmeds is part of the Reliance Retail ecosystem, and the policy does at least name concrete controls (firewalls, TLS, physical security) rather than a bare promise. One caveat for a practitioner: a policy statement is not evidence. The quoted text does not cite a named standard or an independent audit, and it says nothing about breach notification, so the ✅ here means “the policy acknowledges the obligation,” not “the safeguards have been verified.”
Section 8(7) — Data Retention 🔴
How long do they keep your medical records? The law’s answer is, in effect: erase it once the purpose is served.
What the policy says: “We will retain your information and any data for the period necessary to fulfil the purposes outlined in this Privacy Policy.”
What the law requires: Section 8(7) obliges the Data Fiduciary to erase personal data when the Data Principal withdraws consent or as soon as it is reasonable to assume the specified purpose is no longer being served, whichever is earlier, unless retention is required by another law (for example, a pharmacy or tax record-keeping rule). Section 12 separately gives you the right to ask for erasure.
The problem: “Period necessary” is too vague to be checked. Does that mean 1 year? 10 years? Forever? Netmeds gives no timeline and does not name the laws that would justify keeping prescriptions longer, which is a major red flag for Section 8(7).
Sections 11–14 — Rights of Data Principal ⚠️
This is about your power to control your data.
What the policy says: You can “access, amend, alter or require deletion” by emailing their support team.
What the law requires: You have the right to a summary of what they hold and who they shared it with (Section 11), to correct and erase it (Section 12), and, critically, to nominate someone else to exercise these rights if you die or are incapacitated (Section 14).
The problem: There is no mention of the Right to Nominate. If a user falls seriously ill or passes away, their family has no clear path in this policy to access or delete that sensitive medical data, which is exactly the scenario a pharmacy should have planned for.
Section 13 — Right of Grievance Redressal ⚠️
If they mess up, who do you call?
What the policy says: They provide a name (Mr. Ronald Martin) and an email address for their Grievance Officer.
What the law requires: Section 13 gives you a right to readily available grievance redressal from the Data Fiduciary, and Section 13(3) says you must use that channel before approaching the Data Protection Board of India. The notice under Section 5(1) must also tell you how to make a complaint to the Board.
The problem: While they have an officer, they never mention the Data Protection Board or any response timeline. This leaves the “common person” thinking the company is the final judge of its own mistakes, when the Act deliberately provides an independent escalation path.
Section 16 — Cross-Border Data Transfer 🔴
What the policy says: “Your information may also be transferred, stored or processed in any country other than the country in which you access the Website.”
What the law requires: Section 16(1) lets the Central Government restrict transfers to notified countries or territories, and Section 16(2) preserves any other Indian law that imposes a stricter localisation or transfer requirement. Companies therefore cannot assume that sensitive health data can be sent anywhere; they must track the notified restrictions and any sector-specific rules that apply to medical records.
The problem: This is a blanket permission clause. It names no countries, no safeguards, and no mechanism for honouring a future government restriction, which is very risky given the sensitive nature of health records.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Health Data Privacy | Critical | Leaked medical history is permanent and sensitive. |
| Consent Validity | High | “Browse-wrap” consent (agreement implied by browsing) is likely invalid under Section 6 of the DPDP Act. |
| Regulatory Fines | High | Failing to take reasonable security safeguards can attract a penalty of up to ₹250 crore per instance under the Schedule to the Act. |
| Data Deletion | Medium | Lack of clear timelines leads to “data hoarding” risks. |
Recommendations
- Unbundle Consent: Replace the “by browsing you agree” clause with a clear, unticked “I Agree” control at sign-up or checkout, and let users decline marketing while still buying medicine.
- Set an Expiry Date: Tell users, “We keep your prescription for X years to comply with pharmacy laws, then we delete it,” and name the law that sets X.
- Add the “Right to Nominate”: Since this is a health app, let users name a family member who can access or delete their account data if they are incapacitated or pass away, as Section 14 requires.
- Name the Board: Alongside the Grievance Officer, state how and when a user may escalate a complaint to the Data Protection Board of India.
- Update Legal References: Remove references to the “IT Act 2000” framework and map the policy to the DPDP Act 2023, so users can see which new obligations the company actually follows.