Answer By law4u team
In today’s digital economy, platforms often collect personal data from their users, which can include sensitive information such as names, email addresses, phone numbers, location, browsing history, and even financial data. The sale or sharing of such personal data to third parties raises significant concerns about data privacy, consumer rights, and security.
Under Indian law, the sale of personal data is not straightforwardly legal unless certain conditions are met. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the Personal Data Protection Bill, 2019 (which is soon to be enacted as law) define how personal data should be handled. This article outlines whether platforms can legally sell personal data under these laws and what protections exist to safeguard user privacy.
1. Legal Framework for Data Protection in India
a. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 are part of the Information Technology Act, 2000 (IT Act). These rules regulate the collection, storage, and transfer of sensitive personal data. Key provisions include:
- Rule 3: Platforms must take reasonable security measures to protect personal data.
- Rule 5: Consent is required for the collection of sensitive personal data, such as financial details or health records. The user must explicitly agree to share such data.
- Rule 6: Personal data must only be used for specific purposes, and platforms are not allowed to use or disclose the data for purposes not originally consented to by the user.
Under these rules, platforms cannot sell or share personal data with third parties unless they have the user’s explicit consent. Selling data to third parties would generally violate the user’s privacy rights, unless it is for legitimate purposes as defined under the law.
b. Personal Data Protection Bill, 2019
The Personal Data Protection Bill, 2019 (PDP Bill) is a comprehensive piece of legislation aimed at safeguarding personal data and privacy in India. It is largely inspired by the European Union’s General Data Protection Regulation (GDPR). Key provisions relevant to the sale of personal data include:
- Section 4: Defines personal data and sensitive personal data. The law mandates that sensitive personal data can only be processed for specific purposes and with explicit consent from the individual.
- Section 6: Platforms must ensure that data collection is done with the informed consent of the data subject (user). The user must be told how their data will be used, and platforms are obligated to offer them choices about how their data is handled.
- Section 12: The data subject (user) can withdraw their consent at any time, and platforms must respect this decision.
- Section 24: The sale of personal data by data fiduciaries (platforms) to third parties is prohibited unless it is for a legitimate purpose and with explicit consent.
This bill puts strong restrictions on the sale or transfer of personal data and emphasizes the importance of data protection and user consent. Non-compliance with these provisions can lead to severe penalties, including fines and other legal actions.
2. Can Platforms Sell Personal Data?
Under both the IT Rules, 2011 and the Personal Data Protection Bill, 2019, platforms cannot legally sell personal data to third parties without the explicit consent of the user. If a platform collects personal data and intends to share or sell this data for marketing or other commercial purposes, it must:
- Obtain explicit consent from the user at the time of data collection.
- Clearly explain the purpose for which the data will be used and the parties with whom it will be shared.
- Allow the user to opt out of the sale of their data.
If platforms fail to comply with these requirements, they could face legal action and penalties under the PDP Bill or the IT Act.
3. Consumer Consent and Rights
a. Importance of Informed Consent
The Personal Data Protection Bill, 2019 establishes that user consent must be:
- Informed: Users should understand what data is being collected and how it will be used.
- Voluntary: Users should not be coerced into giving consent and should have the option to refuse.
- Explicit: Consent must be obtained for each specific purpose, such as sharing or selling the data to third parties.
- Revocable: Users have the right to withdraw consent at any time.
b. Right to Data Access and Deletion
Under the PDP Bill, users have the right to:
- Access the personal data platforms hold about them.
- Delete or request the rectification of inaccurate data.
- Withdraw consent for the processing of their data at any time, and the platform must comply.
These rights ensure that user data is not only protected but that users maintain control over their personal information.
4. Penalties for Non-Compliance
a. Under the Information Technology Act, 2000
Platforms that fail to protect personal data or misuse it may face penalties under the IT Act, including:
- Fines for failure to comply with security practices and data protection requirements.
- Imprisonment for individuals found guilty of unauthorized access or data theft.
b. Under the Personal Data Protection Bill, 2019
The PDP Bill outlines severe penalties for violating data protection rules:
- Fines: Up to ₹15 crores (or 4% of the platform's total turnover, whichever is higher) for violations of data protection laws, including selling personal data without consent.
- Criminal Liability: In cases of deliberate misuse or fraudulent activities, the platform or individuals could face criminal charges.
c. Class Action Suits
Consumers also have the right to file class-action suits if their personal data is misused or sold without consent, leading to legal liability for the platform.
5. Example Scenario
Example:
An e-commerce platform collects personal data from its users during registration, such as email addresses, purchase history, and phone numbers. The platform decides to sell this data to third-party marketing agencies for targeted advertisements. However, it does not inform users or obtain their explicit consent for this data sale.
Legal Implications:
The platform could face severe penalties under the Personal Data Protection Bill, 2019, for selling user data without consent. Affected users can file complaints, and the platform may be forced to pay compensation and face legal action.
Conclusion
No, platforms cannot legally sell personal data collected from users under Indian law without the explicit consent of the user. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the Personal Data Protection Bill, 2019 clearly regulate the collection, usage, and sharing of personal data. Platforms must adhere to stringent consent and data protection provisions. Failure to do so can lead to severe penalties, including fines and criminal charges, thus ensuring that user privacy is protected.