It is a common perception that Privacy and Personal Data Monetization cannot co-exist. GDPR is normally considered as the extreme left of centre approach to Privacy and would have a strong view against Personal Data Monetization. The US is a slightly liberal approach more favourable to industry with permitted data brokers and selling of personal data.
India needs to find a midway and the solutions have to be found within the framework of DPDPA 2023 and the forthcoming rules.
While we are set to discuss this topic in today’s seminar in Bengaluru as part of the International Data Privacy Day celebration at Infosys, some brief thoughts on the topic are shared here.
Monetization as a Concept may be defined as “Conversion of Data into a monetary value in cash or kind and includes processes preparatory to conversion of data into a financial reward for an organization”.
In other words the term “Monetization” is not limited to “Sale of a set of Personal Data” for cash. Even profiling of an individual which may be later used for advertising by the same organization should be considered as “Monetization”. If the advertising is provided as a service to other organization, it is obviously equivalent to “Monetization by Sale”.
In view of this use of Google Ads itself is to be termed as “Monetization”.
However most of the Advertising is done on the basis of “De-identified” or “Anonymised data principal” in which case there may be a debate if we need to be liberal and not consider “Anonymised profiling” as monetization. This view will hold if we are prepared to agree that “Meta Data” without the associated identify of a data principal is not “Personal Data”. This also is a debatable view particularly with the GDPR mindset.
We must understand that “Monetization” has to be viewed as part of a legitimate business as long as there is no infringement of Privacy. However for targeted advertising the identity of the data principal is required and hence anonymous profiling and advertisement based on such anonymised profiling would not suffice.
On the other hand, given a proper consent, a data principal should be capable of permitting the use of his personal data for marketing with or without consideration. Without such freedom, the exploitation of privacy will continue surreptitiously and as “Dark Patterns”. Transparent disclosure followed by an explicit consent is therefore the solution to “DPDPA Compliant Monetization”.
This sort of “Consent to Monetize” is recommended under DGPSI framework supported by a “Data Monetization Policy”. Such consent can also be considered as “Special Consents” and along with “Consent for discovery of purpose” can be mandated with a higher degree of diligence such as “Witnessing the Consent”.
Technology solutions may not be available at this point of time for “DPDPA Compliant Consent” but they are under development in the Naavi laboratory itself and will be released in due course.
Let us discuss these and other global practices during the seminar today…
Naavi
