Author: Chitranjan Srivastava, NALSAR University of Law, Hyderabad

The growing popularity of loyalty and reward-based mobile applications has significantly changed the way consumers interact with businesses in the digital age. Applications offering cashback, discounts, reward points and exclusive benefits have become an integral part of everyday life attracting millions of users. However, behind these incentives lies an extensive system of personal data collection and processing, raising important concerns regarding consumer privacy. This paper examines the privacy challenges associated with loyalty and reward-based mobile applications, with a particular focus on issues such as informed consent, consumer profiling, targeted advertising, third-party data sharing and data security. The study adopts a doctrinal and comparative approach by analysing relevant Indian laws, judicial decisions and scholarly literature, while also drawing comparisons with the European Union’s General Data Protection Regulation (GDPR). The research finds that although India has taken important steps towards protecting privacy through the recognition of privacy as a fundamental right and the enactment of the Digital Personal Data Protection Act, 2023, several concerns continue to persist in practice. Consumers often share personal information without fully understanding how it is collected, used or shared by digital platforms. The paper concludes that effective privacy protection requires not only strong legal safeguards but also greater transparency, accountability and consumer awareness. Achieving a balance between technological innovation and the protection of individual privacy is essential for building consumer trust in an increasingly data-driven digital economy.

Keywords:- Consumer Privacy, Loyalty Programs, Digital Personal Data Protection Act, 2023 (DPDPA), Data Protection, Informed Consent, Consumer Profiling.

Mobile applications have become an integral part of the customer’s daily life in the digital economy. The convenience and accessibility of mobile platforms is leading more and more users to turn to them, whether to order food, shop online, make digital payments or book services. With this technology growth, loyalty and reward based mobile applications have become a big part of the digital consumer culture. Applications that provide cashback, reward points, exclusive discounts and personalized benefits are likely to have consumers returning to that platform time and time again. These loyalty programs are used by businesses to attract and retain customers and at the same time to increase their profits and market presence.

These applications appear beneficial for the consumers, but they also raise serious concerns about privacy and data protection. Loyalty programs are not just the reward systems but a tool for collecting and analyzing the information of consumers. The data collected for the purpose of qualifying users for these programs often include personal information, such as names, phone numbers, email addresses, spending patterns, transaction history, location data etc. Every interaction with these apps helps create a detailed consumer profile which companies can use for market analysis, customer segmentation and targeted advertising.

The issue becomes more concerning because many consumers are unaware of the extent to which their personal information is collected, stored and shared. Privacy policies or terms of service are often long and technical documents, making it difficult for an average user to fully understand the implications of consent. Consequently, consumers are often willing to trade their personal data for perks and convenience without understanding the long-term privacy hazards. Although targeted marketing can offer a personalized experience to users, it also induces discomfort among users who worry that their information may be shared with third parties or used for purposes other than those for which it was collected.

Another major concern associated with loyalty and reward-based applications is the increasing practice of consumer profiling. By monitoring purchase behaviour and digital activities, companies can predict consumer interests and influence purchasing decisions. These kinds of practices blur the line between engaging with customers and digital surveillance. Thus, the commercialization of personal data has become one of the key concerns of the digital marketplace. Loyalty apps also tend to store sensitive information in huge amounts, making them attractive targets for hackers and cybercriminals. Such apps are vulnerable to data breaches that could expose consumers to identity theft, financial fraud and misuse of their data.

Concerns of digital privacy have gained greater prominence in India after the recognition of privacy as a fundamental right in Justice K.S. Puttaswamy v. Union of India. Digital Personal Data Protection Act, 2023 has also been passed keeping in mind the increasing need for regulation of collection and processing of personal data in the digital space. Nonetheless, questions remain as to the adequacy of current legal safeguards to protect against privacy concerns raised by loyalty and reward-based mobile applications in particular. The aim of this research paper is to investigate the different privacy concerns of the consumers related to loyalty and reward-based mobile applications especially in terms of informed consent, data profiling, targeted advertisement and data-sharing practices. The paper also aims at discussing whether the existing legal regime in India is sufficient to protect the consumers in a data driven economy.

The issue of consumer privacy in digital platforms has been the subject of increasing academic and legal attention over the last decade, particularly as a result of the rapid expansion of data-driven technologies and mobile applications. Most of the existing scholarship on loyalty and reward-based mobile applications has focused on the relationship between personalized consumer experiences and the extensive collection of personal data. Researchers have pointed out that modern loyalty programs are no longer just ways to reward consumers for their repeat purchases but they have evolved into complex systems for profiling and analyzing consumer behaviour. These applications enable companies to gather detailed information on consumer preferences, spending habits, location patterns and online activities which can later be used for targeted advertising and commercial decision-making.

Legal scholars have also explored whether existing data protection regimes are adequate to govern digital platforms and mobile applications. The General Data Protection Regulation (GDPR) of the European Union is one of the most rigorous legal frameworks for data protection internationally and has been the subject of much discussion due to its focus on transparency, informed consent, data minimization and accountability. The GDPR has been noted by scholars to have greatly enhanced consumer rights through the recognition of principles such as the “right to be forgotten” and the imposition of stricter obligations on data controllers. In contrast, Indian data protection law has been criticized for lagging behind fast-paced technological developments. It was, however, in Justice K.S. Puttaswamy v. Union of India that privacy was recognized as a fundamental right and this was a watershed moment in Indian privacy jurisprudence. The implementation of the Digital Personal Data Protection Act, 2023 is yet another milestone towards having a structured legal framework with respect to the collection and processing of personal data in India.

Despite the growing body of literature on digital privacy, several gaps still remain. There is a growing body of literature on digital privacy, but there remain some gaps. Much of the existing scholarship considers social media platforms, e-commerce websites or general mobile applications more broadly with comparatively little work specifically considering loyalty and reward-based applications. Furthermore, most of the available research is either technology or business perspective based and lacks in consumer protection and legal accountability in the Indian context. The other topic that remains somewhat unexplored is the effect of behavioural profiling and targeted marketing on consumer sovereignty and consent within loyalty environments. By particularly analyzing consumer privacy issues resulting from loyalty and reward-based mobile applications through the lens of Indian data protection and consumer legislation, this study seeks to address these gaps.

Another important aspect highlighted in existing literature relates to the issue of data sharing and cybersecurity risks associated with loyalty and reward-based applications. Researchers have noted that these apps often collect enormous volumes of customer data, such as transaction histories, payment information, purchase patterns and location-based information. Because of this concentration of personal data, loyalty programs are more appealing to cybercriminals and raise the possibility of financial fraud, identity theft, and unlawful access to private customer information. Additionally, researchers have noted that consumers frequently don't know how their data is transferred between various organizations, such as commercial partners, analytics companies and third-party advertisers. Critics argue that excessive data sharing weakens consumer control over personal information and creates serious concerns regarding transparency and accountability. Existing scholarship therefore emphasizes the need for stronger security safeguards, clearer consent mechanisms, and stricter regulatory oversight to ensure that commercial interests do not override consumer privacy rights in digital ecosystems.

The present paper adopts a primarily doctrinal method of legal research to examine consumer privacy concerns arising from loyalty and reward-based mobile applications. The doctrinal approach has been used because the study mainly focuses on analyzing existing legal frameworks, judicial decisions, statutory provisions, privacy policies and scholarly literature relating to data protection and consumer privacy. Using this method, the study assesses whether current legal safeguards are adequate to protect consumer interests in the digital sphere and how personal data is collected, analyzed and used by loyalty-based programs.

Both primary and secondary sources of data are used in the study. Statutory provisions like the Information Technology Act of 2000 and the Digital Personal Data Protection Act of 2023, as well as relevant clauses under consumer protection law are few examples of primary sources. Judicial decisions, particularly Justice K.S. Puttaswamy v. Union of India, have also been examined to understand the constitutional recognition of privacy and its implications for informational privacy in the digital age. In addition to domestic legal sources, the research also refers to international frameworks such as the General Data Protection Regulation (GDPR) of the European Union in order to compare global standards of data protection and consent mechanisms with the Indian legal framework.

The research further incorporates a comparative analytical approach by evaluating how different jurisdictions address issues relating to informed consent, data minimization, consumer profiling and accountability of digital platforms. Such comparison helps in identifying gaps within the Indian framework and understanding possible reforms that may strengthen consumer privacy protections in India.

This study has also made considerable use of secondary sources, such as books, journals, scholarly papers, academic commentary and regulatory reports. These resources shed light on current discussions about the privacy paradox, surveillance capitalism, behavioural profiling and targeted advertising in applications that rely on rewards and loyalty. Privacy policies of selected mobile applications have additionally been examined to understand practical data collection practices and the extent of consumer awareness regarding data sharing and profiling.

The chosen methodology is appropriate for this research because the topic primarily involves legal interpretation, analysis of regulatory frameworks and examination of privacy-related concerns emerging from technological advancements. The research attempts to critically evaluate whether the current legal framework sufficiently protects consumer privacy in increasingly data-driven digital marketplaces by combining doctrinal and comparative analysis with relevant academic literature.

In the digital economy, the rise of loyalty and reward-based mobile applications has significantly changed the dynamic between businesses and customers. By providing discounts, reward points, special offers, and individualized perks, apps like Swiggy One, Zomato Gold, Amazon Pay Rewards and PhonePe cashback systems promote recurring customer engagement. These programs serve as sophisticated systems for gathering and analyzing personal data even if their primary purpose seems to be user convenience. Every transaction performed on these platforms produces useful consumer data about food choices, surfing habits, payment methods, location information and spending patterns.

This phenomenon reflects what scholars commonly describe as the “privacy paradox”. Consumers willingly disclose a lot of personal information in exchange for benefits and convenience, despite their regular concerns about online privacy and the exploitation of personal data. The short-term advantages of loyalty programs frequently outweigh the long-term effects of behavioural tracking and data collection. In reality, users never realize how much their data is monitored, saved, and used for profit by digital platforms.

The idea of surveillance capitalism is closely linked to the economic model that supports these applications. According to this concept, companies use personal data as a commercial asset to forecast customer behavior and increase revenue through targeted advertising and customized marketing tactics. Businesses justify these actions by claiming that they enhance user experience, but critics contend that ongoing behavioural surveillance compromises customer autonomy and privacy. Because the damage brought about by excessive data collection is not usually immediate or obvious, the problem becomes much more troubling. Rather, the effects take time to manifest through consumer choice manipulation, profiling and loss of control over personal data.

From a legal perspective, this raises important questions regarding the extent to which consumers can meaningfully consent to data extraction practices. Loyalty applications create an imbalance between companies with advanced data analytics capabilities and regular consumers who often don’t know how their data is processed because they rely on frequent digital interactions. Therefore, the privacy paradox serves as an example of a larger struggle between economic interests, technological advancement and the defense of individual rights in digital marketplaces.

Consent forms the foundation of modern data protection law. Under the Digital Personal Data Protection Act, 2023 (DPDPA), consent for processing personal data must be free, informed, specific, unconditional and unambiguous. Additionally, legislation requires that data fiduciaries give explicit notice about the type of personal information being gathered and the intended use of that information. However, there are serious questions about whether consumer permission is truly informed based on how loyalty and reward-based mobile applications actually operate.

Most privacy policies used by loyalty programs are complex, long and challenging for regular consumers to comprehend. Consumers never carefully read complicated agreements that contain crucial information on behavioral profiling, third-party data sharing and targeted advertising. Consequently, clicking “I Agree” becomes less of a meaningful exercise of informed choice and more of a formal duty. In order to receive rewards and services provided by the application, users are essentially forced to consent to significant data gathering techniques.

The validity of consumer consent in digital environments is further complicated by the problem of bundled consent. Customers have few practical options because many programs require agreement of lengthy data processing conditions in order to grant access to loyalty rewards. This creates consumers in a “take it or leave it” situation where they may not be able to access rewards or platform features if they refuse to consent. The question of whether consent obtained under such circumstances may be really regarded as voluntary is raised by such activities.

A comparison with the General Data Protection Regulation (GDPR) of the European Union reveals a comparatively more robust approach to informed consent. The GDPR places more stringent requirements on data controllers while emphasizing openness, data minimization and freely given consent. Consent obtained by forceful or manipulative digital tactics may not meet the requirements of legitimate consent, as European jurisprudence has increasingly acknowledged. On the other hand, even though the DPDPA is a significant advancement in Indian data protection law, there are still issues with its actual application and methods of enforcement.

In Justice K.S. In Puttaswamy v. Union of India, the Supreme Court acknowledged the constitutional importance of informational privacy, affirming it as a fundamental right under Article 21 of the Constitution. This constitutional recognition supports the claim that excessive data collecting techniques and opaque consent mechanisms may violate the principles of personal autonomy and dignity in the context of loyalty applications.

One of the most significant privacy concerns associated with loyalty applications is the extensive practice of consumer profiling. All interaction customers have with loyalty platforms helps to build comprehensive behavioral profiles that show their purchasing patterns, consumption habits, lifestyle choices and financial circumstances. Companies are eventually able to utilize this data to forecast customer behavior with a high degree of precision.

Companies are able to implement highly customized advertising tactics through the use of behavioural profiling. Consumers may receive recommendations and advertisements that are especially catered to their browsing habits, past purchases and interests. Businesses frequently claim that this kind of customisation improves the user experience, but critics contend that by quietly influencing purchases and taking advantage of psychological vulnerabilities, targeted advertising may compromise consumer autonomy.

These issues are only partially addressed by the current Indian legal system. Financial information, passwords, and biometric data are among the categories of “sensitive personal data” that are mostly protected under the Information Technology Act, 2000. However, even though transactional and behavioral data gathered by loyalty applications might reveal extremely sensitive information when combined and examined, they often fall outside of these conventional boundaries. This illustrates how outdated legal frameworks are unable to handle contemporary kinds of digital surveillance and behavioral analytics.

The DPDPA attempts to address some of these concerns through principles such as purpose limitation and data minimization. Ideally, these principles mandate that companies only gather data that is required for a certain lawful purpose. However, the wide discretion given to data fiduciaries in defining what is “necessary” raises questions about how effectively excessive profiling activities can be curbed.

Concerns about consumer profiling are also raised by the 2019 Consumer Protection Act. When consumers are tricked or exploited, the use of psychologically targeted personalised advertising may constitute unfair trade practices. However, detailed guidelines addressing algorithmic targeting and the behavioral advertising in loyalty ecosystems have not yet been created by Indian regulatory bodies. Companies have a great deal of freedom in creating data-driven marketing systems with little responsibility thanks to this regulatory gap.

The extensive sharing of consumer data with third parties is another significant problem with loyalty programs. Information is regularly shared by loyalty platforms with linked business partners, payment processors, analytics firms and advertisements. Even while privacy policies are typically utilized to disclose such activities, these disclosures are frequently ambiguous and do not give consumers a clear picture of how their information will be used in the end.

Third-party data sharing creates serious accountability concerns because consumer information may pass through multiple entities beyond the original platform. Customers find it more challenging to track how their personal data is used or whether sufficient security measures are being taken once it enters complex commercial networks. As a result, customers essentially lose control over how their personal information is shared.

Data fiduciaries are subject to specific requirements under the DPDPA concerning processing done by third parties. However, when data processors themselves depend on subcontractors or other business partners, enforcement becomes difficult. Another issue that comes up is the degree to which platforms should continue to be held accountable for data misuse by outside parties functioning inside larger digital advertising ecosystems.

Comparatively, the GDPR adopts a more detailed accountability framework by imposing stricter contractual obligations upon both controllers and processors. European jurisprudence has further expanded the concept of joint responsibility in cases involving third-party tracking technologies and embedded digital plugins. These advancements show a greater understanding of the realities of contemporary data-sharing platforms and the necessity of measures for collective accountability. In India, the absence of similarly detailed enforcement standards creates uncertainty regarding how liability should be distributed across digital ecosystems involving multiple commercial actors. Consequently, consumers often remain inadequately protected when their information is transferred across complex networks of advertisers, analytics providers and affiliated entities.

An enormous amount of financial and personal data is stored in loyalty and reward-based mobile applications which makes them appealing targets for illegal access and hacks. Globally, data breaches involving digital platforms are becoming more frequent, putting customers at risk for identity theft, financial fraud and unlawful use of private data.

The possible consequences of cybersecurity failures increase significantly when a lot of consumer data is concentrated on a single platform. Users frequently don’t realize the security concerns involved with disclosing personal information via loyalty apps. Because these apps are constantly gathering and updating consumer data, a hack might cause long-term exploitation of personal profiles and behavioural data in addition to typical financial loss.

The existing provisions relating to data security in India are Section 43A of the Information Technology Act, 2000 and the SPDI Rules which mandate companies processing sensitive personal information to implement reasonable security practices and procedures. But enforcement in this framework has often been criticized as insufficient, as liability is generally based on finding negligence and actual harm to consumers.

The DPDPA brings in stricter obligations on breach notification and data protection duties. However, there are still concerns about implementation, enforcement capacity and institutional preparedness. The success of data protection law does not depend only on the statutory recognition of rights, but also on the capacity of regulatory authorities to investigate violations and to impose meaningful punishments.

Again, a comparison with the GDPR shows the relatively stronger enforcement structure adopted within the European Union. GDPR authorities have considerable powers to investigate and have charged heavy penalties on companies for data protection breaches and poor cybersecurity measures. Such strict enforcement mechanisms have led to greater corporate accountability in handling consumer information.

The DPDPA provides several rights to consumers as data principals including the right to access information, correct inaccurate data and seek erasure of personal information. In theory, these rights give consumers more control over how their information is processed by loyalty applications. But in practice, these protections are not perfect.

One of the biggest concerns is lack of consumer awareness. Many people still do not know their legal rights in terms of protection of their personal data and rarely make use of the remedies at their disposal. Moreover, grievance redressal mechanisms are typically dealt with internally by the same companies that collect the data, raising issues of independence and effectiveness.

Another issue is the conflict between consumer rights and corporate interests. Reasons cited by loyalty platforms for holding on to consumer data include fraud prevention, regulatory compliance and the keeping of transaction records. As a result, requests for data erasure or restriction of data processing may be refused for commercial or operational reasons.

The DPDPA is still in its early stages as far as judicial interpretation goes, as the legislation is quite new. Thus, the extent of data principal rights in digital loyalty ecosystems is yet to be clarified by the Indian courts. This creates uncertainty as to the future evolution of principles such as informed consent, data minimization and right to erasure in future privacy jurisprudence.

In the end, the success of consumer privacy protection in loyalty and reward-based applications depends on a careful balancing act between technological innovation and constitutional values of dignity, autonomy and informational self-determination. While India has taken significant steps to strengthen digital privacy regulation, there are significant gaps in enforcement, transparency and accountability. Tackling these issues will require stronger regulatory oversight, clearer consent standards and greater consumer awareness of the value and risks of personal data in the digital economy.

The analysis undertaken in this research reveals an increasing conflict between the economic goals of reward-based and loyalty-based mobile applications and the preservation of user privacy. Although these apps offer real advantages like discounts, cashback offers and customized services, they also heavily rely on the gathering and processing of personal information. Because of this, customers frequently participate in digital ecosystems where ease and benefits come at the expense of having less control over their personal data. Thus, this paper’s main research issue highlights a basic problem for contemporary privacy law: how can consumer privacy be safeguarded without impeding digital commerce and technical advancement?

The fact that privacy is now recognized by both statute and the constitution is one of the main advantages of the contemporary Indian legal system. The Digital Personal Data Protection Act, 2023 offers a specific legal framework controlling the processing of personal data, and the Supreme Court’s ruling in Justice K.S. Puttaswamy v. Union of India declared privacy as a fundamental right. The current framework offers better accountability measures, clearer requirements for data fiduciaries and a broader acknowledgment of consumer rights than the previous situation under the Information Technology Act, 2000. These changes show that Indian law is headed in the right way.

The research does, however, also point out a number of flaws that reduce the efficacy of current safeguards. Informed consent is the first issue. The majority of consumers do not read or comprehend lengthy privacy policies, despite the DPDPA’s requirement that consent be precise and informed. As a result, consent frequently ceases to be a meaningful exercise of choice and instead becomes merely a procedural necessity. Second, the legislation still gives companies a great deal of flexibility in determining how much data collecting and profiling may be deemed essential for commercial objectives. This raises the potential for excessive data collection under the guise of customer engagement and personalization.

Additionally, the data shows that regulatory enforcement is still a problem. Only when consumers are able to successfully use their legal rights do they have any significance. The public’s understanding of data protection rights is still comparatively low. Many people do not know that they have the right to see, update or remove personal information. Furthermore, the practical application of the DPDPA in the context of loyalty applications is problematic due to the lack of comprehensive judicial interpretation and developing regulatory structures.

These results point to the necessity of a more consumer-focused approach to privacy legislation. These results point to the necessity of a more consumer-focused approach to privacy legislation. Privacy notices should be made simple and presented in ways that are easy for ordinary users to comprehend. Instead of combining behavioural profiling with third-party data sharing under broad terms and conditions, separate and specific consent should be needed. Additionally, sector-specific regulations pertaining to targeted advertising, consumer profiling and loyalty programs should be issued by regulatory authorities. These steps would increase consumer protection while giving companies more clarity.

Ultimately, loyalty and reward-based mobile applications are probably going to continue to play a significant role in the digital economy. Therefore, the goal of regulation should be to guarantee that commercial success is attained in a way that respects consumer autonomy, transparency and informational privacy rather than to restrict innovation. To ensure that the advantages of digital loyalty programs do not come at the expense of fundamental privacy rights, a balanced regulatory strategy that incorporates effective enforcement, consumer awareness and responsible corporate behaviour is essential.

Customer relations in the digital economy have completely changed as a result of the quick growth of loyalty and reward-based mobile applications. These platforms rely on the massive collection and processing of personal data even while they provide concrete advantages like discounts, cashback, reward points and customized services. This research has shown that the privacy issues surrounding these applications go well beyond standard data collection practices. Loyalty applications build comprehensive digital profiles of users through consumer profiling, behavioral tracking, targeted advertising and third-party data sharing, often without the users’ full awareness of how their information is being used. The study also brought attention to the privacy paradox, which occurs when consumers voluntarily trade personal information for instant benefits while still worrying about the security and improper use of that information.

The study also looked at how well India’s legal system addressed these issues. The adoption of the Digital Personal Data Protection Act, 2023 and the acknowledgement of privacy as a basic right in Justice K.S. Puttaswamy v. Union of India are important advancements in strengthening consumer rights and data protection. However, the investigation showed that issues with third-party data sharing, behavioural profiling, informed permission, regulatory enforcement and consumer awareness still exist. The DPDPA offers a significant legal basis, but its efficacy will ultimately depend on how well it is implemented, how closely regulations are monitored and how effectively consumers may use their rights.

In conclusion, consumer privacy in loyalty and reward-based mobile applications is a matter of personal liberty and informational self-determination in the digital age, not just a technical or commercial issue. Privacy protection must continue to be at the core of digital governance as companies depend more and more on personal data as a valuable economic resource. Building a reliable and customer-driven digital ecosystem requires a balanced strategy that fosters innovation while guaranteeing responsibility, transparency and significant consumer control over private information.

Articles & Journals

• Lars Meyer-Waarden, The Influence of Loyalty Programme Membership on Customer Purchase Behaviour, 7 Eur. J. Mktg. 87 (2008).

• Shoshana Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power 94-96 (2019).

• Federal Trade Commission, Data Brokers: A Call for Transparency and Accountability 1–6 (2014).

• Aleecia M. McDonald & Lorrie Faith Cranor, The Cost of Reading Privacy Policies, 4 I/S: J.L. & POL'Y FOR INFO. SOC'Y 543, 543–68 (2008).

• Patricia A. Norberg, Daniel R. Horne & David A. Horne, The Privacy Paradox: Personal Information Disclosure Intentions Versus Behaviors, 41 J. CONSUMER AFFS. 100, 100–26 (2007).

• Organisation for Economic Co-operation and Development (OECD), Enhancing Access to and Sharing of Data: Reconciling Risks and Benefits for Data Re-use Across Societies 23–25 (2019).

Cases

• Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 S.C.C. 1 (India).

• Google Spain SL v. Agencia Española de Protección de Datos, Case C-131/12, ECLI:EU:C:2014:317 (Ct. Just. Eur. Union May 13, 2014).

Statutes & Regulations

• Digital Personal Data Protection Act, No. 22 of 2023, INDIA CODE (2023).

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).

• Organisation for Economic Co-operation and Development (OECD), OECD Privacy Guidelines (2013).

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 Apr. 2016 (General Data Protection Regulation), art. 7(4).

• Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Rule 3, Gazette of India (Apr. 11, 2011).

• Consumer Protection Act, No. 35 of 2019, § 2(47), India Code (2019).

Report

• Justice B.N. Srikrishna Committee, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians 146–150 (2018).