Are Purchased Lead Lists Legal Under DPDP?
Liability Check
Under the DPDP Act, purchased lead lists are a ticking time bomb for your business. Processing personal data without explicit, verifiable consent from each individual is a major violation, risking massive penalties up to ₹250 Crore.
Why Are Purchased Lead Lists Legal Under DPDP? is at Risk
Many Indian businesses, from e-commerce startups in Gurgaon to financial advisors in Mumbai, mistakenly rely on bought lists for quick customer acquisition. However, the DPDP Act mandates **explicit, informed, and verifiable consent** from every Data Principal *before* processing their personal data. With purchased lists, you almost never have this. The burden of proof is squarely on *you* to demonstrate valid consent for every entry. Imagine the Data Protection Board demanding consent records for 10,000 leads from an old list – you won't have them. This isn't merely a marketing issue; it's a **fundamental legal basis for processing** problem that carries severe financial and reputational risks.
Common Violations
- 1.Processing personal data from third-party lists without obtaining fresh, explicit consent from each Data Principal.
- 2.Failing to provide Data Principals (from these lists) with an easy mechanism to withdraw consent or exercise their 'Right to Erasure'.
- 3.Inability to prove that valid consent was obtained for each individual on the purchased list, violating the 'burden of proof' clause.
The Immediate Fix
Immediately stop all new purchases of lead lists. For existing lists, segment them: any personal data processed requires fresh, explicit consent. If you cannot obtain it, you must delete that data to mitigate risk. Implement a robust, DPDP-compliant consent mechanism for all future lead generation.
Projected Compliance Deadline: Immediate