In India, technology is getting really popular, especially because more and more things are going digital, and the Covid-19 pandemic made it happen even faster. More people in India are using the internet a lot. But because the digital world is growing so fast, people are worried about how startups are taking care of data and keeping it safe.
In response to these concerns, India’s Rajya Sabha passed the Digital Personal Data Protection (DPDP) Act 2023 in August 2023. The government wants to change how they use our personal digital info. They are learning from the past and present to come up with smart solutions for the future full of technology.
The DPDP Act categorizes startups, including those raising Series C or Series D funding, as data collection businesses at their core. Any startup in India involved in collecting and processing personal data is considered a “data fiduciary” under this act. This means they decide why and how they use our personal information.
The DPDP Act has a cool part. It lets data move easily between countries, making things simpler for startups. It also wants businesses to use data responsibly, making them think if data is something good to keep or could cause problems.
For startups that want lots of users, the DPDP Act makes them think about whether people agreed to their data being used.
Mehak Khanna, Partner at Khaitan & Khaitan, highlights that DPDP Act compliance will add to the cost for companies. The penalties for non-compliance can be substantial and up to Rs 250 crore.
Arun S Prabhu, Partner at Cyril Amarchand Mangaldas, emphasizes that the government is aware of the impact on business and innovation. While startups might receive certain exemptions, responsibility and sustainability are crucial. Startups need to be mindful of their data practices, as acquiring entities will now scrutinize not only the data itself but also the associated consents.
The DPDP Act represents a shift in the evaluation of startup data during mergers and acquisitions. Acquirers will assess not only the data but also the validity of consents.