A Project by Meridian Bridge Strategy
Compliance Guide

DPDP Legitimate Use Guide

Learn when DPDP allows processing without consent, what qualifies as legitimate use and what still needs care.

Discuss this page with an LLM

ChatGPT Claude Gemini Perplexity

DPDP Action Sheet

Use this before your next workflow goes live. It keeps the useful parts visible and turns DPDP into checks your team can actually answer.

For DPDP Legitimate Use Guide, the DPDP question is how personal data enters the workflow, where it is stored, which tools touch it, what purpose was explained, and how deletion or withdrawal will work.

Check my data flow

1. Lead Forms

Check:

  • What data are you collecting?
  • Is the purpose clear at the point of collection?
  • Is marketing consent separate from service communication?
  • Can the user withdraw consent later?

Common mistake: one checkbox that silently covers newsletters, sales calls, partner sharing and remarketing.

2. Email and WhatsApp

Check:

  • Who is on the list?
  • Where did consent come from?
  • Is the list imported from a vendor, event, webinar, scrape or old CRM?
  • Can you prove the source of consent?

Common mistake: treating every lead as permanently marketable.

3. Ads and Retargeting

Check:

  • Are pixels or ad platforms receiving identifiable user behavior?
  • Are audiences built from customer lists?
  • Are lookalike or remarketing audiences using personal data?

Common mistake: assuming "the ad platform handles it" means your company has no DPDP responsibility.

4. Website Analytics

Check:

  • Which tools run on the site?
  • Are IP address, device identifiers, session IDs or form fields being captured?
  • Is analytics used only for measurement, or also for profiling and targeting?

Common mistake: installing tools first and asking privacy questions later.

5. Vendor List

Make a quick list:

  • CRM
  • Email platform
  • WhatsApp provider
  • Analytics
  • Ad pixels
  • Form tool
  • Landing page builder
  • Webinar tool

For each vendor, answer: what data goes there, why, who can access it and how deletion works.

6. This Week's Action

Map one campaign from first click to final follow-up. Mark every place personal data is collected, enriched, shared, uploaded or used for targeting.

If your team cannot answer where the data came from and where it goes next, start with a data flow map before rewriting policy copy.

Book a DPDP clarity call

Now think about your work. Where does personal data enter your workflows? Where does it sit? Who else touches it?

Frequently asked questions

Can I process data for debt recovery under Legitimate Use?

No, the DPDP Act does not explicitly list debt recovery as a legitimate use. You must rely on the original consent provided during the service signup, ensuring the notice included debt collection as a purpose.

Does Legitimate Use cover background checks for new hires?

Yes, processing data to determine employment suitability is generally covered under Section 7. However, you must delete any data collected from unsuccessful candidates once the hiring decision is finalized.

Can I use "voluntary disclosure" to send promotional SMS?

No, if a customer gives their number only to receive a digital receipt, you can only send that receipt. Using that number for promotional messages requires a separate, affirmative consent notice.

Real-World Examples Companies struggling with this issue

Telecom

Airtel

48

Airtel's privacy policy, updated in June 2024, makes an effort towards transparency but doesn't fully align with the DPDP Act 2023. Key gaps include ambiguous data retention, lack of explicit cross-border transfer details, and broadly defined legitimate uses which could fall short of DPDP's specific consent requirements.

⚠️ Vague data retention periods — 'as long as necessary' language
⚠️ Lack of explicit DPDP Act 2023 references throughout
+5 more gaps detected
Mar 2026 View Report
Healthcare

Apollo 24/7

35

Apollo 24/7's privacy policy is detailed about data collection but remains largely anchored to the IT Act 2000 and SPDI Rules. Given it handles highly sensitive medical data, the lack of explicit DPDP Act 2023 alignment, especially concerning granular consent, specific data retention, and DPB redressal, poses significant compliance risks.

⚠️ No explicit DPDP Act 2023 reference — still relies on IT Act 2000 framework
⚠️ Consent mechanism bundled, not 'freely given' per Section 6
+5 more gaps detected
Feb 2026 View Report
Fintech

Bajaj Finserv

62

Bajaj Finserv shows strong technical security but fails on the DPDP Act’s requirement for 'unbundled' consent. While their retention transparency is better than most, their control over your data remains heavily weighted in favor of the company rather than the individual.

⚠️ Bundled consent includes marketing and AI camera tracking in one click
⚠️ No mention of the Data Protection Board for grievance escalation
+4 more gaps detected
Mar 2026 View Report
Book clarity call