Compliances Under DPDP Act for Business – Legal Playbook

The Digital Personal Data Protection Act, 2023 (DPDP Act) is not just another piece of legislation; it signals a major shift in how businesses in India are expected to collect, process, and protect personal data. While full enforcement is still underway, the compliance obligations it introduces are immediate and real. Failure to act responsibly can result in serious legal, financial, and reputational consequences.

In this post, we’ll explore the core obligations under the DPDP Act through a real-world-inspired case study from the fitness and wellness industry, a sector where personal and sensitive data is often collected casually, without legal due diligence. Alongside the case study, we’ll break down the relevant legal provisions and what your business needs to do now to prepare.

Case Study: The Fitness Studio That Posted a Client’s “Transformation” Without Consent

Imagine a boutique fitness studio that recently ran a 90-day body transformation challenge. One of the winners, a working professional, lost significant weight and agreed verbally to be featured on the studio’s Instagram page.

Eager to show off the results, the studio posted a side-by-side photo with full body images, the client’s name, and a caption describing her “discipline, low self-esteem at the beginning, and emotional journey.” The post received praise—but the client’s employer came across it and expressed concerns about professional boundaries being crossed.

The client, now embarrassed and angry, contacted the studio, requesting immediate removal. When the studio hesitated—citing that she had “agreed earlier”—the matter escalated. She threatened legal action under the Digital Personal Data Protection Act, 2023, citing violation of privacy, unauthorised processing of personal data, and lack of proper consent.

What Went Wrong: Key Legal Violations

This seemingly harmless marketing post potentially violated several key provisions of the DPDP Act:

1. Lack of Valid Consent (Section 7, DPDP Act)

The Act mandates that personal data can be processed only after obtaining free, specific, informed, and unambiguous consent through a clear affirmative action.

In this case, the studio relied on a casual verbal “okay” rather than a signed consent form or written acknowledgment. This fails the test of lawful processing under Section 7.

2. Disclosure of Sensitive Personal Data Without Purpose Limitation (Sections 5 and 6)

The post didn’t just show the client’s image; it shared personal narrative details like emotional struggles. Such sensitive personal data, including health-related inferences, is protected under a stricter standard of processing.

The Act enforces purpose limitation, meaning data collected for one purpose (e.g., fitness assessment) cannot be used for another (e.g., online promotion) without fresh consent.

3. Right of the Data Principal to Withdraw Consent (Section 7(4))

The Act grants individuals the right to revoke consent at any time, and businesses must facilitate an easy opt-out mechanism.

The studio’s refusal or delay in removing the content violates this statutory right and exposes it to potential regulatory penalty.

4. Breach of Processing Obligation (Section 8)

The studio failed in its duty of care to ensure the lawful and fair processing of personal data.

Even if consent had been properly taken, the studio had a continuing obligation to assess the risk of harm, including reputational and emotional harm to the individual.

What Could Have Been the Consequence?

Under the penalty framework of Section 33, the Data Protection Board may impose monetary fines depending on the nature and gravity of the breach:

  • Up to ₹250 crore for non-compliance with data fiduciary obligations.
  • Up to ₹125 crore for breach of data principal rights (such as right to withdraw consent or be informed).

This doesn’t even include the reputational harm and potential civil damages under tort law, especially in cases of emotional distress.

Advisory for Business Owners and Service Providers

Whether you’re in wellness, retail, HR tech, finance, or even education—if you collect, store, share, or publish customer data, the DPDP Act applies to you.

Here’s what your business needs to start doing right now:

Implement a Written Consent Policy

  • Consent forms must be documented, purpose-specific, and revocable.
  • Include fields for name, scope of data usage, platform, and duration.

Train Your Team

  • Everyone from the receptionist to your social media intern must understand what counts as personal and sensitive personal data.
  • Conduct periodic training on handling client data securely and lawfully.

Update Your Privacy Policy

  • Your website, service agreements, and onboarding forms must reflect DPDP compliance.
  • Clearly explain data usage, retention, and rights of customers.

Facilitate Withdrawal & Grievance Redressal

  • Clients must have an easy channel to revoke consent or file a complaint.
  • Appoint a Grievance Redressal Officer as per the draft rules.

Caution: “We Didn’t Know” Will Not Be a Defence

In an era where data is currency, ignorance is not bliss—it’s liability. The DPDP Act imposes strict fiduciary obligations on businesses. Even if enforcement is phased, compliance must begin now. Delays can be dangerous.

At Unimarks Legal Solutions, we advise businesses on building robust data governance frameworks, drafting watertight consent and privacy policies, and training teams to navigate the legal intricacies of data compliance. We also offer compliance audits and incident response support in case of breach or exposure.

Conclusion: Privacy Is the New Trust

Posting client stories, testimonials, or transformation journeys may be great for business. But in the post-DPDP era, it must be done legally and ethically. Consent isn’t a checkbox—it’s a legal contract. And one slip can cost your business dearly.

Be informed. Be compliant. Be trustworthy.

If an IP dispute is impacting your revenue or brand in Chennai or anywhere in Tamil Nadu, don’t wait. Connect with Trademark Lawyers or Legal Consultants in Chennai to review your documents, stress-test your legal position, and outline clear, actionable options to enforce your trademark rights.

Author:

Suresh Kumar is an Advocate at the Madras High Court and Managing Attorney at Unimarks Legal Solutions, Chennai. Since 2008, he has focused on trademark enforcement and litigation across the Madras HC IP Division, Commercial Courts, and District Courts in Tamil Nadu.

Disclaimer: The content provided here is for information purposes only; it shall not be construed as legal advice. Last reviewed: August 2025.

