Last Updated: 2025-05-28 ~ DPDP Consultants

DPDP Act & Secondary Data Use: Rules, Consent, Compliance

In today's digital ecosystem, data is currency. Businesses routinely collect personal data to provide services, enhance user experiences, and improve operations. However, as regulatory frameworks like India's Digital Personal Data Protection Act, 2023 (DPDPA) take center stage, questions surrounding the secondary use of data have become crucial for compliance officers, legal teams, and data governance professionals.

This blog explores the contours of secondary data use under the DPDPA and answers pressing questions about consent, compatibility, and lawful processing.


What Is Secondary Use of Data?

Secondary use refers to using personal data for a purpose other than the one for which it was originally collected. For example, if a customer provides their email address to receive a receipt and the company later uses it to send marketing emails, this constitutes secondary use.

The DPDPA introduces key obligations on how and when data fiduciaries (i.e., those who determine the purpose and means of processing) can use personal data for secondary purposes.


Are We Using Personal Data Strictly for the Purpose for Which It Was Collected?

Short answer: Not always — and this is a compliance risk.

Many organizations collect data for a specific, narrow purpose but later repurpose it — for analytics, marketing, training AI, etc. While this might seem harmless or even beneficial to the end-user, under the DPDPA, every new use needs to be assessed for legal permissibility.

The DPDPA enshrines the principle of purpose limitation, meaning that personal data should be used only for the purpose explicitly stated at the time of collection, unless:

  1. The new purpose is compatible with the original one, or
  2. Fresh consent is obtained for the new use.

Non-compliance could result in regulatory action, penalties, and loss of consumer trust.


Do We Need Fresh Consent for a New Use of Already Collected Data?

Yes — unless the new use is considered "compatible" with the original purpose.

Under Section 7 of the DPDPA, the processing of personal data must be based on free, specific, informed, unconditional, and unambiguous consent of the data principal (the individual). If the data is being processed for a purpose not originally disclosed, then fresh consent is legally required, unless compatibility can be established.

For instance:

  • If a company collected location data to provide delivery services, and later wants to use the same data to study consumer mobility patterns, fresh consent is necessary.

Consent must also be granular — covering distinct purposes separately. Bundling consents (e.g., service + marketing + analytics) into one blanket agreement would not meet DPDPA standards.


What Counts as a “Compatible” Use Under the DPDPA — and Who Decides That?

This is one of the most nuanced areas of the Act.

Compatible use is not defined exhaustively in the DPDPA but is subject to interpretation based on:

  • The context of data collection
  • The nature of the data
  • The expectations of the data principal
  • The safeguards in place

The Act gives some discretionary power to the Data Protection Board of India (DPBI) and the Central Government to frame guidelines and assess compatibility.

Factors to consider when determining compatibility:

  1. Transparency: Was the possibility of this new use disclosed earlier?
  2. Expectation: Would a reasonable person expect this secondary use?
  3. Impact: Is the secondary use likely to have any adverse effect on the data principal?
  4. Context: Is the use closely related to the original purpose?

Example: Using customer service call transcripts to improve voice recognition models could be considered compatible only if clearly stated in the privacy notice and no harm results to individuals.


Can We Use Data for Analytics, Training AI Models, or Product Improvements?

Only with a clear and compatible purpose or fresh consent.

Secondary uses like analytics, machine learning, and product improvement require careful scrutiny. These are typically not the primary reasons for data collection, hence:

  • If the data principal was informed at the outset that their data may be used for these purposes, and they consented, then it is allowed.
  • If not, you need fresh consent.

Special attention should be paid to sensitive personal data (e.g., financial, health, biometric data). For such categories, even stricter scrutiny and safeguards apply.

Moreover, anonymized data does not fall under the purview of the DPDPA. However, pseudonymized or indirectly identifiable data is still protected and cannot be freely used for secondary purposes.


Is It Legal to Use Customer Data Collected for Support to Send Marketing Emails?

Not without valid consent.

If a user shared their contact details with your support team to resolve an issue, using that information to later send promotional or marketing messages is a clear case of secondary use.

To legally send marketing communications, you need:

  1. Separate consent for marketing;
  2. Option for the user to opt out or withdraw consent easily;
  3. Clear mention of marketing use in the privacy notice.

Failing to do this may not only breach the DPDPA but could also run afoul of anti-spam and consumer protection laws.


Do Our Privacy Notices and Consent Forms Clearly Rule In or Out Secondary Uses?

They should — and this is a key area of risk.

The DPDPA mandates that consent must be based on an informed choice. That means your privacy notice must clearly state:

  • What data is being collected
  • For what specific purposes
  • Whether any secondary uses are anticipated
  • The user’s rights to withdraw consent
  • If data will be shared with third parties for secondary purposes

Your consent forms should be:

  • Granular (each purpose has a checkbox)
  • Specific (vague language like “improve services” should be clarified)
  • Transparent (no pre-ticked boxes or bundled consents)


Best Practices for Managing Secondary Use of Data

  1. Purpose Mapping: Document all purposes for which personal data is collected and assess any proposed secondary use.
  2. Consent Audit: Review whether existing consents cover new use cases. If not, seek fresh consent.
  3. Privacy Notice Review: Update privacy policies to reflect any intended secondary uses.
  4. Data Minimization: Use only as much data as needed for the new purpose.
  5. Anonymization: When possible, use anonymized data to reduce compliance burden.
  6. Training: Ensure your teams understand the principles of purpose limitation and consent.
  7. Governance: Set up internal review processes for approving secondary uses.


Conclusion

In a post-DPDPA world, secondary use of data is no longer a grey area. It is a well-defined, legally significant matter that businesses must handle with diligence. Whether it's marketing, AI training, or internal analytics, every new use of personal data demands a clear legal basis — preferably informed consent or a solid compatibility justification.

By embedding these principles into your data governance practices, you not only mitigate regulatory risk but also build long-term trust with your users.

Secondary use isn’t just a compliance checkbox — it’s a test of how responsibly you manage the digital trust placed in your organization.