Sreenitya
The phrase “data is the new oil” is a new business expression associated with the aggregation and analysis of personal data generated by various users of different digital platforms, which is sold to several data brokers, advertisers, financial institutions, etc.[1] Many networking sites, such as Google, Meta, and other related platforms, known as digital platforms (“Digital Platforms” / “Platforms”), generate their major revenue from the sale of such analytical data based on behaviour, preferences, and demography collected from millions of users. This generation of revenue through the sale of data is generally known as Data Monetization.
MEANING OF DATA MONETIZATION
Data Monetization is the process of generating economic value through the collection, processing and facilitation of data by digital platforms, viz., Amazon, Google, Meta, etc. Data Monetization can be facilitated directly and indirectly.
Methods of Data Monetization – based on:
- Data licensing – Platforms distribute datasets in anonymized form to different business entities for economic benefits.
- Targeted Advertising – Platforms convert user data into revenue by enabling advertisers to deliver highly personalized marketing messages to specific audiences.
- Internal Optimization – Platforms utilize the collected data to optimize algorithms and user engagement.
- Data Brokerage – Platforms act as an intermediary by collecting, aggregating, analysing, and selling user data to third parties for financial gain.
These methods of data monetization have several legal implications with respect to the current Indian regulatory framework.
DATA REGULATORY FRAMEWORK IN INDIA
The current Indian legal framework on Data Monetization is primarily governed by the Information Technology Act, 2000 (IT Act) and the Digital Personal Data Protection Act, 2023. Further, the Indian Constitution, the Competition Act, 2002, and the Consumer Protection Act, 2019 define the boundaries of permissibility of Data Monetization.
CONSTITUTION OF INDIA
The Constitution considers the personal data of an individual an intrinsic part of that individual's privacy under Article 21, Right to life and personal liberty, via the Supreme Court’s landmark case, Justice K.S. Puttaswamy (Retd.) v. Union of India (Puttaswamy I)[1]. The Court held that aggregated data that has the ability to profile an individual creates a threat to the privacy of such individual. However, if any such data aggregation doesn’t amount to infringement of privacy, satisfies the legality test and is proportionate to the legitimate aim of the institution, it can be inferred that such processed data can be monetized.
Further, to safeguard the privacy of the personal data of an individual, the Parliament has rolled out legislations for the current dynamic times.
INFORMATION TECHNOLOGY ACT, 2000
The Information Technology Act, 2000 served as the foundation for personal data protection in India, with Section 43A imposing civil liability on digital platforms to implement reasonable safeguards for Sensitive Personal Data or Information (SPDI)[1], further supported by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which require prior consent before collecting or sharing such data with third parties. These provisions are repealed with the effect of Rule 6 of the DPDP Rules, 2025[2]. Additionally, Section 72A of the Act criminalizes disclosure of personal data without user consent, and any data monetization beyond the scope of a platform’s privacy policy may amount to breach of contract, violation of the Consumer Protection (E-Commerce) Rules, 2020, and an offence under the IT Act, resulting in reputational and financial risks[3]. Further, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 impose obligations on intermediaries to safeguard user privacy by performing various acts of due diligence, such as publication of a privacy policy, verification of details of the concerned users, reporting of cyber security incidents, and other reasonable measures to ensure safe accessibility to the platform[4]. However, due to limitations such as coverage limited to SPDI and applicability mainly to body corporates, this framework is being replaced in a phased manner by the Digital Personal Data Protection Act, 2023 from November 2025 only in relation to personal data protection.
DIGITAL PERSONAL DATA PROTECTION ACT, 2023 & DIGITAL PERSONAL DATA PROTECTION RULES, 2025
This law establishes a comprehensive, consent-based framework for the processing and protection of personal data in India, while recognizing user rights and introducing safeguards to prevent misuse that may result in financial or reputational harm in different facets. For instance, firstly, the Act provides enhanced protection for children’s data by prohibiting behavioural monitoring and targeted advertising directed at children[1]. Secondly, processing personal data without valid consent is considered unlawful and may attract penalties of up to INR 250 crore per instance of non-compliance[2]. Thirdly, a platform that processes data assumes the role of Data Fiduciary when it monetizes the procured personal data of the users and shares it with third parties, which might attract liability for any misuse by such third parties[3]. Additionally, the Act restricts cross-border data transfers to countries notified by the Central Government, making transfers to non-notified jurisdictions a statutory violation[4]. Lastly, the Act is being implemented in a phased manner and continues to evolve with emerging data practices.
COMPETITION ACT, 2002
The Competition Act, 2002 aims to promote fair business practices and prevent abuse of market power. However, corporate entities, in pursuit of commercial advantage, may sometimes misuse their dominant position to gain an unfair edge in the market. Such conduct, particularly when driven by data-driven strategies, may not only distort competition but also expose digital platforms and corporate bodies to data protection risks and other related legal and regulatory implications. For instance, under Section 4 of the Competition Act, 2002, digital platforms holding a dominant market position are prohibited from abusing such dominance, including through coercive data-sharing practices[1]. Further, platforms such as WhatsApp may be scrutinized where users are compelled to share personal data as a condition for accessing services, thereby enabling the platform to gain an unfair competitive advantage under the guise of enhancing user experience or privacy[2]. Similarly, concerns have been raised against Amazon and Flipkart for allegedly leveraging consumer data to favour certain sellers and manipulate market dynamics. Such coercive data-sharing and data-driven market manipulation may attract sanctions under competition law[3]. Notably, the National Company Law Appellate Tribunal upheld the order of the Competition Commission of India in CCI v. Google LLC (Android Case)[4], affirming a penalty of INR 1,337.76 crore on Google LLC for abuse of its dominant position in the Android ecosystem through mandatory pre-installation of Google applications that enabled extensive data collection from users and devices. Accordingly, digital platforms must avoid monetizing data through forced consent or manipulative market practices, as such conduct may expose them to significant regulatory scrutiny and substantial penalties.
CONSUMER PROTECTION ACT, 2019
The Act safeguards the interests of consumers, including users of digital platforms, by recognizing them as consumers of goods and services, which extends to the consumption of data and use of digital services of the concerned digital platforms. Accordingly, under Section 2(47) of the Consumer Protection Act, 2019, digital platforms may be held liable for engaging in deceptive trade practices where the data monetization aspect is obscured within lengthy privacy policies, consent is obtained through confusing or misleading forms, dark patterns are used to nudge users into sharing data, or personal data is automatically collected without clear and informed consent[1]. In this regard, the Central Consumer Protection Authority, through Guidelines for Prevention and Regulation of Dark Patterns, 2023, specifically targets practices such as pre-ticked consent boxes, hidden opt-out options, forced data sharing, and manipulative user interface designs[2]. Additionally, the Consumer Protection (E-Commerce) Rules, 2020 emphasize the need for transparent disclosure of data usage and mandate obtaining active and informed user consent, thereby discouraging automatic consent mechanisms and strengthening the protection of user data[3].
LEGAL WAYS OF MONETIZING DATA
By being wary of the risks, data can still be monetized when manoeuvred well through the legal provisions.
- Consent based data monetization
The DPDP Act regulates data monetization. So, digital platforms can monetize data upon obtaining purpose-specific consent from the user via a consent dashboard and “opt-in”-“opt-out” mechanisms to provide personalised services with transparent terms[1].
- Anonymization of personal data
The DPDP Act applies only to the extent of protection of the data that contributes to the identification of an individual. However, aggregation of all such personal data can result in anonymization of the data. Companies with robust anonymization technologies can monetize the anonymized data without facing many legal consequences.
- Research exemptions
The digital platforms are exempted from processing personal data for research and statistical purposes, provided such act corroborates an identifiable person. Platforms can utilize this aspect by partnering with academic or public institutions for monetizing data in the interest of the public.
CONCLUSION
It can therefore be summed up that data monetization is still an evolving space that is well guarded to the extent practicable in law in the present times. However, there is always room for improvement in terms of bifurcating the security and business aspects in the legal arena by incorporating a few suggestions, such as updating the consent policy of the platforms in line with the current DPDP Act & Rules. It shall always be remembered that the current legal landscape is not against data monetization, but rather a deterrent to coercive data exploitation.
[1] Section 7(b) (i) & (ii) of the DPDP Act, 2023
[1] Section 2(47) of Consumer Protection Act, 2019
[2] Annexure 1: Specified Dark Patterns of Guidelines for Prevention and Regulation of Dark Patterns, 2023
[3] Rule 6 (4) of Consumer Protection (E-Commerce) Rules, 2020
[1] Section 4 of Competition Act, 2002
[2] I.A No. 280 of 2025 in Competition App. (AT) No. 1 of 2025
[3] Competition Commission of India, Case No. 40 of 2019
[4] CA (AT) (Ins.) No. 105 of 2023
[1] Section 9 of DPDP Act, 2023
[2] Section 8(5) and section 8(6) read with Schedule 1 of DPDP Act, 2023
[3] Section 7 of DPDP Act, 2023
[4] Section 16 of DPDP Act, 2023
[1] Section 43A Information Technology Act, 2000
[2] MeitY Notifies Final Digital Personal Data Protection Rules 2025, written by Vikrant Rana, Anuradha Gandhi and Prateek Chandgothia in S.S. Rana & Co. Article available at: https://ssrana.in/articles/meity-notifies-final-digital-personal-data-protection-rules-2025/
[3] Section 72A of Information Technology Act, 2000
[4] Rule 3 of Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
[1] (2017) 10 SCC 1
[1] World Economic Forum, Personal Data: The Emergence of a New Asset Class (2011); see also The Economist, “Data is the New Oil” (6 May 2017).