Table of content
- What Is Secondary Use of Data?
- Are We Using Personal Data Strictly for the Purpose for Which It Was Collected?
- Do We Need Fresh Consent for a New Use of Already Collected Data?
- What Counts as a “Compatible” Use Under the DPDPA —and Who Decides That?
- Can We Use Data for Analytics, Training AI Models, or Product Improvements?
- Is It Legal to Use Customer Data Collected for Support to Send Marketing Emails?
- Do Our Privacy Notices and Consent Forms Clearly Rule In or Out Secondary Uses?
- Best Practices for Managing Secondary Use of Data
- Conclusion
Last Updated: 2025-05-28 ~ DPDP Consultants
DPDP Act & Secondary Data Use: Rules, Consent, Compliance
In today's digital ecosystem, data is currency.
Businesses routinely collect personal data to provide services, enhance user
experiences, and improve operations. However, as regulatory frameworks like
India's Digital Personal Data Protection Act, 2023 (DPDPA) take center
stage, questions surrounding the secondary use of data have become
crucial for compliance officers, legal teams, and data governance
professionals.
This blog explores the contours of secondary data use
under the DPDPA and answers pressing questions about consent, compatibility,
and lawful processing.
What Is Secondary Use of Data?
Secondary use refers to using personal data for
a purpose other than the one for which it was originally collected. For
example, if a customer provides their email address to receive a receipt and
the company later uses it to send marketing emails, this constitutes secondary
use.
The DPDPA introduces key obligations on how and when
data fiduciaries (i.e., those who determine the purpose and means of
processing) can use personal data for secondary purposes.
Are We Using Personal Data Strictly for the Purpose for Which It Was Collected?
Short answer: Not always — and this is a compliance
risk.
Many organizations collect data for a specific, narrow
purpose but later repurpose it — for analytics, marketing, training AI, etc.
While this might seem harmless or even beneficial to the end-user, under the
DPDPA, every new use needs to be assessed for legal permissibility.
The DPDPA enshrines the principle of purpose
limitation, meaning that personal data should be used only for the
purpose explicitly stated at the time of collection, unless:
- The
new purpose is compatible with the original one, or
- Fresh
consent is obtained for the new use.
Non-compliance could result in regulatory action,
penalties, and loss of consumer trust.
Do We Need Fresh Consent for a New Use of Already Collected Data?
Yes — unless the new use is considered
"compatible" with the original purpose.
Under Section 7 of the DPDPA, the processing of
personal data must be based on free, specific, informed, unconditional, and
unambiguous consent of the data principal (the individual). If the data is
being processed for a purpose not originally disclosed, then fresh
consent is legally required, unless compatibility can be established.
For instance:
- If a
company collected location data to provide delivery services, and later
wants to use the same data to study consumer mobility patterns, fresh
consent is necessary.
Consent must also be granular — covering
distinct purposes separately. Bundling consents (e.g., service + marketing +
analytics) into one blanket agreement would not meet DPDPA standards.
What Counts as a “Compatible” Use Under the DPDPA —and Who Decides That?
This is one of the most nuanced areas of the Act.
Compatible use is not defined exhaustively in
the DPDPA but is subject to interpretation based on:
- The context
of data collection
- The nature
of the data
- The expectations
of the data principal
- The safeguards
in place
The Act gives some discretionary power to the Data
Protection Board of India (DPBI) and the Central Government to frame
guidelines and assess compatibility.
Factors to consider when determining compatibility:
- Transparency: Was
the possibility of this new use disclosed earlier?
- Expectation:
Would a reasonable person expect this secondary use?
- Impact: Is
the secondary use likely to have any adverse effect on the data principal?
- Context: Is
the use closely related to the original purpose?
Example: Using customer service call transcripts to
improve voice recognition models could be considered compatible only if
clearly stated in the privacy notice and no harm results to individuals.
Can We Use Data for Analytics, Training AI Models, or Product Improvements?
Only with clear and compatible purpose or fresh
consent.
Secondary uses like analytics, machine learning, and
product improvement require careful scrutiny. These are typically not the
primary reasons for data collection, hence:
- If
the data principal was informed at the outset that their data may
be used for these purposes, and they consented, then it is allowed.
- If
not, you need fresh consent.
Special attention should be paid to sensitive
personal data (e.g., financial, health, biometric data). For such
categories, even stricter scrutiny and safeguards apply.
Moreover, anonymized data does not fall under the
purview of the DPDPA. However, pseudonymized or indirectly identifiable data
is still protected and cannot be freely used for secondary purposes.
Is It Legal to Use Customer Data Collected for Support to Send Marketing Emails?
Not without valid consent.
If a user shared their contact details with your
support team to resolve an issue, using that information to later send
promotional or marketing messages is a clear case of secondary use.
To legally send marketing communications, you need:
- Separate
consent for marketing;
- Option
for the user to opt out or withdraw consent easily;
- Clear
mention of marketing use in the privacy notice.
Failing to do this may not only breach the DPDPA but
could also fall afoul of anti-spam and consumer protection laws.
Do Our Privacy Notices and Consent Forms Clearly Rule In or Out Secondary Uses?
They should — and this is a key area of risk.
The DPDPA mandates that consent must be based on an informed
choice. That means your privacy notice must clearly state:
- What
data is being collected
- For
what specific purposes
- Whether
any secondary uses are anticipated
- The
user’s rights to withdraw consent
- If
data will be shared with third parties for secondary purposes
Your consent forms should be:
- Granular
(each purpose has a checkbox)
- Specific
(vague language like “improve services” should be clarified)
- Transparent (no
pre-ticked boxes or bundled consents)
Best Practices for Managing Secondary Use of Data
- Purpose
Mapping: Document all purposes for which personal data
is collected and assess any proposed secondary use.
- Consent
Audit: Review whether existing consents cover new use
cases. If not, seek fresh consent.
- Privacy
Notice Review: Update privacy policies to reflect any intended
secondary uses.
- Data
Minimization: Use only as much data as needed for the new
purpose.
- Anonymization:
When possible, use anonymized data to reduce compliance burden.
- Training:
Ensure your teams understand the principles of purpose limitation and
consent.
- Governance: Set
up internal review processes for approving secondary uses.
In a post-DPDPA world, secondary use of data is no
longer a grey area. It is a well-defined, legally significant matter that
businesses must handle with diligence. Whether it's marketing, AI training, or
internal analytics, every new use of personal data demands a clear legal basis
— preferably informed consent or a solid compatibility justification.
By embedding these principles into your data
governance practices, you not only mitigate regulatory risk but also build
long-term trust with your users.
Secondary use isn’t just a compliance checkbox — it’s
a test of how responsibly you manage the digital trust placed in your
organization.
Similar Read
