
DATA MINIMISATION AND ITS ABSENCE IN INDIA’S DIGITAL PRIVACY FRAMEWORK

INTRODUCTION

Your personal information is being collected constantly. From mobile apps and online payments to social media and government platforms, people are asked to share their data almost daily. In many cases, more information is collected than what is actually needed to provide a service. This growing culture of data collection has made privacy a serious legal concern.

In India, companies can collect and use your personal data only if you give them permission. The Digital Personal Data Protection Act, 2023[1] makes this consent the main way to protect privacy. However, in reality, consent often exists only on paper. Users usually click “I agree” without reading long privacy notices, either because they do not fully understand them or because refusing consent means losing access to essential services.

Data minimisation means companies should only collect the information they actually need to provide a service. Indian law does not clearly enforce this rule. As a result, companies can still collect extra data legally, as long as the user has given consent. So, even when the law requires consent, personal data is not always fully protected.[2]

UNDERSTANDING DATA MINIMISATION

Data minimisation means companies should collect only the data they actually need for a service. It exists to stop companies from collecting more information than necessary, which can give them too much power over users and increase the risk of misuse or surveillance. For example, a food delivery app only needs your address and order details; it doesn’t need your contacts or location history all the time.

This idea of data minimisation is recognised in other countries too. For example, the European Union’s GDPR treats it as an important rule. Under GDPR, companies must only collect the data that is really needed for a specific purpose.[3] In India, the law does not clearly enforce this. Because of that, companies can still legally collect more data than they need, even if a user has given consent.

THE GAPS IN INDIA’S DATA PROTECTION LAW

India’s data protection law, the Digital Personal Data Protection Act, 2023[4], sets rules on how personal data may be collected and used. However, the law does not clearly address several important issues, which weakens privacy protection in practice. Consent often exists only on paper and doesn’t give users real power over their information.

  • Heavy reliance on consent: The law allows data collection mainly when users give consent. In reality, most people do not read or fully understand privacy notices. This means that giving consent doesn’t always give users real control over their data.
  • No clear limit on how much data can be collected: Companies can collect more data than they really need, and it’s allowed under the law.
  • Government exemptions: Certain provisions allow the government to bypass data protection requirements, raising concerns about unchecked data use.
  • No data minimisation: Indian law does not clearly require companies to collect only the data they actually need. This means collecting extra data is still allowed.[5]

LEGAL BUT EXCESSIVE DATA COLLECTION

Even when the law allows companies to collect data with consent, it doesn’t stop them from taking more than necessary. In practice, this happens in many ways:

  • Apps ask for access to location, contacts, or the microphone, even when it isn’t needed for the service.
  • Data that is described as optional is often required in order to use the service.
  • Companies design their apps in a way that makes people click ‘agree’ without thinking much.

These examples show that consent alone does not prevent companies from collecting more data than necessary.

CONSTITUTIONAL IMPLICATIONS

In Justice K.S. Puttaswamy & Anr. vs. Union of India & Ors.[6], the Supreme Court recognised the right to privacy as a fundamental right under the Constitution of India. The judgment made it clear that privacy includes control over personal information.

The Court emphasised that individuals should be able to decide how their personal data is collected and used. This idea, often described as informational self-determination, goes beyond mere notice or consent.

The judgment also introduced the proportionality requirement. Any interference with privacy must be necessary and limited to what is required for a specific purpose. Collecting more data than needed fails this test.

Excessive data collection therefore raises constitutional concerns. Even when consent is taken, unnecessary collection interferes with privacy beyond what is justified, making over-collection a violation of the right to privacy.[7]

COMPARATIVE INSIGHT

In Europe, the rule is simple: if you don’t need the data, you shouldn’t collect it. The GDPR clearly tells companies to collect only what is necessary for a specific purpose.

This rule is not just theoretical. Regulators in Europe actively check whether companies are collecting unnecessary data. When they find over-collection, they can impose fines or other penalties. Because of this, companies are more careful about what data they ask for.[8]

In India, the approach is different. The DPDP Act[9] mainly depends on consent and does not clearly stop companies from collecting more data than needed.

Without a clear rule on necessity, consent becomes the main justification for data collection. As a result, companies can legally collect more data than required, even when it affects user privacy. This makes India’s framework weaker when it comes to limiting excessive data collection.

SUGGESTIONS TO IMPROVE DATA PROTECTION

To make India’s data protection stronger and closer to constitutional standards, some practical steps could help:

  • Introduce statutory necessity tests: Companies should only be allowed to collect data that is necessary for a specific purpose. Anything extra should not be permitted.
  • Set sector-specific data limits: Certain industries, like finance or healthcare, could have clear rules on how much data can be collected.
  • Stronger audits: Regulators should regularly check how companies collect and use data to make sure they are not over-collecting.
  • Shift the burden to companies: Data fiduciaries should have to justify why they need every piece of data they collect.

These steps would help reduce excessive data collection and make consent meaningful in practice, protecting user privacy more effectively.[10]

CONCLUSION

Consent alone cannot ensure privacy. Without clear limits on data collection, agreeing to share information does not protect individuals. Data minimisation is essential: it ensures only what is necessary is collected, providing real privacy safeguards.

India’s current law relies too much on consent and lacks enforceable rules on minimisation. To protect privacy effectively, the law must go beyond formal compliance and make companies justify the amount of data they collect.

Author(s) Name: Nikita Borah (National Law University and Judicial Academy, Assam)

References:

[1] Digital Personal Data Protection Act, 2023, Act No. 22 of 2023 (India)

[2] D Barat, R (Vaidya) Gupte and P Anand, ‘Navigating Data Minimization Requirements under India’s DPDP Act’ (S&R Associates, 17 January 2025) https://www.snrlaw.in/navigating-data-minimization-requirements-under-indias-dpdp-act/ accessed 27 January 2026.

[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [2016] OJ L119/1, art 5(1)(c).

[4] Digital Personal Data Protection Act, 2023, Act No. 22 of 2023 (India)

[5] Yugal Bhatt, ‘Designing Consent Under India’s DPDP Act: Why UX Is Now A Legal Compliance’ LiveLaw (20 January 2026) https://www.livelaw.in/articles/consent-digital-personal-data-protection-act-2023-519650 accessed 27 January 2026.

[6] Justice K S Puttaswamy (Retd) and Anr v Union of India and Ors (2017) 10 SCC 1 (SC).

[7] Jaya Thapa, ‘Data Privacy Vis-A-Vis the Digital Personal Data Protection Act, 2023’ (2024) International Journal of Future Multidisciplinary Research https://www.ijfmr.com/papers/2024/3/23530.pdf accessed 29 January 2026.

[8] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [2016] OJ L119/1, art 5(1)(c).

[9] Digital Personal Data Protection Act, 2023, Act No. 22 of 2023 (India)

[10] SISA InfoSec, ‘10 Data Protection Techniques to Follow in 2024’ (SISA, 2 January 2024) https://www.sisainfosec.com/blogs/10-data-protection-techniques-to-follow-in-2024/ accessed 29 January 2026.