Your Rights When Apps Collect Your Data

Veritect Legal Intelligence

Every app that collects your personal data in India must first tell you exactly what data it is collecting and why, and then get your explicit consent before proceeding. Under the Digital Personal Data Protection Act, 2023 (DPDP Act), apps can only collect data that is necessary for the service they provide — a calculator app has no legitimate reason to access your contacts or location. You have the right to refuse unnecessary permissions, withdraw consent at any time, request deletion of your data, and file complaints if an app misuses your information. Violations carry penalties of up to Rs 250 crore.

Why this matters

The average Indian smartphone user has 40-80 apps installed, and most of them collect far more data than they need. Your photo gallery app reads your contacts. Your food delivery app tracks your location 24/7. Your flashlight app wants access to your camera and microphone. Before the DPDP Act, there was no comprehensive law stopping this overreach. Now there is. Understanding your rights helps you take control of the most personal device you own — your phone.

Your rights

1. Right to know what data is being collected (Section 5)

Before an app collects any personal data, it must give you a clear, readable notice explaining:

  • What specific personal data it will collect (name, phone number, location, contacts, photos, health data, financial data)
  • The specific purpose for which it needs each type of data
  • How long it will retain the data
  • Whether it will share the data with any third party and who
  • How to contact the app's Data Protection Officer or Grievance Officer

In practice: This notice should appear before the consent screen, not buried in a 10,000-word privacy policy. If an app does not tell you what data it collects before asking for permissions, it is violating Section 5 of the DPDP Act.

2. Right to refuse unnecessary permissions

You can deny any app permission that is not necessary for its core function. Under Section 4 of the DPDP Act (purpose limitation), an app can only collect data that is reasonably necessary for the purpose for which it was downloaded.

Examples of unnecessary permissions:

| App Type | Unnecessary Permission | Why It Is Suspicious |
|---|---|---|
| Calculator | Contacts, Camera, Location | A calculator needs none of these |
| Flashlight | Contacts, SMS, Phone | Only needs camera (for flash) |
| Weather app | Contacts, SMS, Phone logs | Needs location only |
| Music player | Contacts, Camera, Location | Needs storage only |
| Shopping app | Contacts, Camera (beyond barcode) | Needs location for delivery; rest is excess |

In practice: On Android, go to Settings > Apps > [App Name] > Permissions to review and revoke permissions. On iOS, go to Settings > Privacy & Security to manage app permissions. Regularly review which apps have access to sensitive data.

Important: If an app refuses to work unless you grant unnecessary permissions, this may violate the DPDP Act's purpose limitation principle. A legitimate app should function for its core purpose even if you deny non-essential permissions.

3. Right to data minimisation (Section 4)

The DPDP Act establishes the principle that personal data should be collected only to the extent necessary for the specified purpose. This means apps should not collect more data than they need, should not retain data longer than necessary, and should not use data for purposes beyond what was disclosed to you.

In practice: If you downloaded a food delivery app and it collects your browsing history, social media activity, and contact list, this exceeds what is necessary for delivering food. You can challenge this by filing a complaint with the app's Grievance Officer.

4. Right to withdraw consent (Section 6(4))

You can withdraw your consent at any time. Once you withdraw, the app must stop collecting and processing your data. Withdrawal must be as easy as giving consent — if you gave consent with one tap, withdrawal should not require navigating a maze of settings.

In practice: Look for "Delete Account" or "Privacy Settings" in the app. If there is no easy way to withdraw consent, file a complaint. After deleting the app, also send a written request to the company asking them to delete all data they have collected about you.

5. Right to data deletion (Section 12)

When you stop using an app, you have the right to request that the app developer delete all your personal data. Simply uninstalling the app from your phone does not delete the data already collected and stored on the company's servers.

In practice: Before uninstalling, go to the app settings and request account deletion. Follow up with an email to the company's Data Protection Officer requesting confirmation of data deletion. Under the DPDP Act, they must respond within 90 days.

6. Special protections for children's data (Section 9)

Apps must obtain verifiable parental consent before processing data of users under 18. They must verify the age and identity of the parent or guardian. Behavioural tracking and targeted advertising aimed at children are completely banned.

In practice: If your child uses apps, check whether the apps have proper age verification mechanisms. Report apps that collect children's data without parental consent to the cybercrime portal.

Step-by-step: How to protect your data from apps

Step 1: Audit your current app permissions

Right now, open your phone settings and review the permissions granted to each app. Revoke any permissions that are not essential for the app's core function — especially contacts, location (when not using the app), camera, microphone, and phone.

Step 2: Read the permission request before tapping "Allow"

When an app requests a new permission, read what it is asking for and ask yourself: "Does this app need this to do what I downloaded it for?" If the answer is no, tap "Deny."

Step 3: Use "While Using the App" for location

For apps that need location (maps, ride-hailing, weather), choose "Allow While Using the App" instead of "Always Allow." This prevents the app from tracking you when you are not actively using it.

Step 4: Delete unused apps

Every installed app is a potential data collector. If you have not used an app in 30 days, delete it. Before deleting, request account deletion through the app's settings.

Step 5: Check for data breaches

Services like Have I Been Pwned (haveibeenpwned.com) let you check if your email or phone number has been exposed in a data breach. If it has, change your passwords immediately and monitor your accounts for suspicious activity.

What if things go wrong

File a complaint with the app developer's Grievance Officer (contact details should be in the app's privacy policy or "About" section). If not resolved, escalate to the Data Protection Board of India.

If an app denies service for refusing permissions

This may be a violation of the DPDP Act if the denied permissions are not necessary for the service. Document the behaviour (screenshot the permission request and the service denial) and file a complaint.

If your data is leaked through an app

Under Section 8(6) of the DPDP Act, the app developer must notify the Data Protection Board and you about the breach. If they fail to notify you, file a complaint. You can also file a complaint on cybercrime.gov.in if the breach caused or may cause financial harm.

Documents and resources you need

  • DPDP Act, 2023: Available on meity.gov.in
  • Your phone's privacy settings: Android (Settings > Privacy) / iOS (Settings > Privacy & Security)
  • App's privacy policy: Check the Play Store or App Store listing
  • Grievance Officer contact: In the app's settings or privacy policy
  • Data Protection Board of India: For escalated complaints
  • Have I Been Pwned: https://haveibeenpwned.com (check for data breaches)
  • Cybercrime portal: https://cybercrime.gov.in (for data-related crimes)

Common myths

Myth: If an app is on the Play Store or App Store, it is safe. Reality: App store listing does not guarantee data privacy compliance. Many apps on official stores collect excessive data. Review permissions independently.

Myth: Deleting an app deletes your data. Reality: Uninstalling an app removes it from your phone, but the company retains all data already collected on its servers. You must separately request account and data deletion.

Myth: Free apps can collect whatever data they want because you are not paying. Reality: The DPDP Act makes no distinction between free and paid apps. Both must follow the same consent, purpose limitation, and data minimisation rules.

Myth: Only big apps like WhatsApp and Facebook collect data — small apps do not. Reality: Many small and lesser-known apps collect excessive data. In fact, smaller apps may have weaker security, making them higher-risk.

The law behind this

| Protection | DPDP Act Section | Meaning |
|---|---|---|
| Notice before collection | Section 5 | App must tell you what data it collects and why |
| Consent for processing | Section 6 | You must explicitly agree |
| Purpose limitation | Section 4 | App can only collect what is necessary |
| Withdraw consent | Section 6(4) | You can revoke permission anytime |
| Data deletion | Section 12 | You can demand your data be erased |
| Children's data | Section 9 | Parental consent required; no behavioural tracking |
| Data breach notification | Section 8(6) | App must inform you of breaches |
| Penalties | Section 18 | Up to Rs 250 crore for violations |

Frequently asked questions

Can an app track my location without my knowledge?
Not legally. Under the DPDP Act, location data is personal data that requires your consent. On modern smartphones, you can set location permissions to "While Using the App" or deny them entirely. If an app tracks your location without consent, it violates both the DPDP Act and your phone's operating system policies.

What about pre-installed apps that I did not choose?
Pre-installed apps (bloatware) must also comply with the DPDP Act. Review their permissions and revoke anything unnecessary. If a pre-installed app cannot be uninstalled, you can usually disable it through settings.

Do Indian data privacy laws apply to foreign apps like Instagram or TikTok?
Yes. The DPDP Act applies to any entity processing personal data of individuals in India, regardless of where the company is based. Foreign apps serving Indian users must comply.

How do I find an app's Grievance Officer?
Check the app's privacy policy (usually linked from the app's settings or the app store listing). The DPDP Act and IT Intermediary Guidelines require companies to provide Grievance Officer contact details prominently.
