<p>A customer buys a pair of shoes from an online store. The next morning, she receives a WhatsApp message offering her a handbag. Later that week, she gets another about a credit card. A few days later, a call-centre agent rings her about a “special festive loan”. None of these messages feels dramatic on its own. But together they create a familiar irritation – ‘How did they get my number?”. For years, marketing has been built on an assumption that more data means better targeting and consequently conversion. That assumption is now becoming dangerous. India’s Digital Personal Data Protection framework, now operationalised through the DPDP Rules, requires clearer consent notices, specific purposes for data use, stronger safeguards and breach reporting. The Act is clear and companies must be able to explain not only what data they collect, but why they collect it and how they use it.</p><p>This is not merely a compliance issue. It is a marketing issue. The CMO can no longer leave privacy to the legal department as consent is becoming part of brand experience. Consider a second example. A large retailer launches a loyalty programme. At sign-up, customers are asked for their mobile number, birthday, anniversary, location, product preferences and family details. The form is long, but the benefit is vague: “to serve you better”. Six months later, the same customer receives irrelevant offers, repeated messages and calls from partner brands. The retailer may have gained data, but it has lost trust. That is the heart of the matter. The next advantage in marketing will not come from collecting more data. It will come from earning better permission.</p><p>For Indian CMOs, this means a few practical changes. First, consent must become plain English, not some gobbledegook in small print. Customers should not need a lawyer to understand what they are agreeing to. If a brand wants to use a phone number for delivery updates, say so. If it also wants to use it for promotional WhatsApp messages, say so separately. The DPDP Rules stress that notices should be clear and tied to specific purposes. Second, companies should stop asking for data they do not use. A bank may need income details, but a shoe brand does not need a customer’s anniversary. A food delivery app may need location while fulfilling an order, but not forever. Good marketing teams should run a data check – what do we collect, where is it stored, who uses it and what business outcome does it actually serve? Third, CRM must be redesigned around preference, not bombardment. India’s telecom regulator has been tightening rules around commercial communication, spam and customer consent. TRAI’s 2025 changes seek to make commercial communication more transparent and reduce misuse. The practical lesson is simple – a customer who opted in once has not given a lifetime licence to be disturbed. Fourth, agencies and vendors must be brought inside the trust perimeter. Many breaches of customer trust happen not inside the company, but through call centres and campaign vendors. A cheap lead can become an expensive liability. Finally, brands should treat privacy as a promise, not a disclaimer assuring that the data “will be used respectfully”</p><p>As more marketing moves into digital, retail media, WhatsApp, apps and loyalty programmes, the question of trust will become sharper. That is the message every CMO should take back to the office. In summary – build a consent map, clean the database, rewrite the sign-up forms, audit vendors and make opt-outs easy. Then use the data that remains with more intelligence and restraint. In the age of consent, trust is not a legal burden, it can be an asset.</p>
<p>A customer buys a pair of shoes from an online store. The next morning, she receives a WhatsApp message offering her a handbag. Later that week, she gets another about a credit card. A few days later, a call-centre agent rings her about a “special festive loan”. None of these messages feels dramatic on its own. But together they create a familiar irritation – ‘How did they get my number?”. For years, marketing has been built on an assumption that more data means better targeting and consequently conversion. That assumption is now becoming dangerous. India’s Digital Personal Data Protection framework, now operationalised through the DPDP Rules, requires clearer consent notices, specific purposes for data use, stronger safeguards and breach reporting. The Act is clear and companies must be able to explain not only what data they collect, but why they collect it and how they use it.</p><p>This is not merely a compliance issue. It is a marketing issue. The CMO can no longer leave privacy to the legal department as consent is becoming part of brand experience. Consider a second example. A large retailer launches a loyalty programme. At sign-up, customers are asked for their mobile number, birthday, anniversary, location, product preferences and family details. The form is long, but the benefit is vague: “to serve you better”. Six months later, the same customer receives irrelevant offers, repeated messages and calls from partner brands. The retailer may have gained data, but it has lost trust. That is the heart of the matter. The next advantage in marketing will not come from collecting more data. It will come from earning better permission.</p><p>For Indian CMOs, this means a few practical changes. First, consent must become plain English, not some gobbledegook in small print. Customers should not need a lawyer to understand what they are agreeing to. If a brand wants to use a phone number for delivery updates, say so. If it also wants to use it for promotional WhatsApp messages, say so separately. The DPDP Rules stress that notices should be clear and tied to specific purposes. Second, companies should stop asking for data they do not use. A bank may need income details, but a shoe brand does not need a customer’s anniversary. A food delivery app may need location while fulfilling an order, but not forever. Good marketing teams should run a data check – what do we collect, where is it stored, who uses it and what business outcome does it actually serve? Third, CRM must be redesigned around preference, not bombardment. India’s telecom regulator has been tightening rules around commercial communication, spam and customer consent. TRAI’s 2025 changes seek to make commercial communication more transparent and reduce misuse. The practical lesson is simple – a customer who opted in once has not given a lifetime licence to be disturbed. Fourth, agencies and vendors must be brought inside the trust perimeter. Many breaches of customer trust happen not inside the company, but through call centres and campaign vendors. A cheap lead can become an expensive liability. Finally, brands should treat privacy as a promise, not a disclaimer assuring that the data “will be used respectfully”</p><p>As more marketing moves into digital, retail media, WhatsApp, apps and loyalty programmes, the question of trust will become sharper. That is the message every CMO should take back to the office. In summary – build a consent map, clean the database, rewrite the sign-up forms, audit vendors and make opt-outs easy. Then use the data that remains with more intelligence and restraint. In the age of consent, trust is not a legal burden, it can be an asset.</p>
