Every App Permission You Clicked 'Allow' On Is Now a Legal Document - Here's Why That Matters

You have done it hundreds of times. A new app opens. A permission request appears. Camera. Contacts. Location. Microphone. You tap Allow and move on because you just want to use the app. It takes less than three seconds and you forget about it immediately.

Under India’s Digital Personal Data Protection Act, 2023, that tap is no longer just a technical handshake between you and your phone. It is the moment at which personal data processing begins, and it is the moment at which an organisation’s legal obligations under the DPDPA attach. For businesses building apps and services in India, every permission request is now a legal document in everything but name. And most of them are not ready for what that means.

RBI's Data Localization Requirements

Under the DPDPA, a data principal has several rights they can exercise before filing a formal complaint. These include the right to access information about what personal data an organisation holds about them, the right to correct inaccurate data, the right to erase their data in certain circumstances, and the right to know who their data has been shared with.

In our simulation, let us say the data principal, a customer named Priya, received a marketing email from your organisation for a product she never signed up for. She believes your organisation obtained her email address without her consent and used it for marketing purposes. She sends a request to your organisation asking for information about what data you hold about her, where you obtained it, and on what basis you are using it for marketing.

At this point, the clock has started. The DPDPA requires that organisations respond to data principal requests. Priya has exercised a right. Your organisation must respond. If you have a data rights request process, this is where it kicks in. If you do not have one, this is where your problem begins.

Why App Permissions Are Now a DPDPA Matter

App permissions are the mechanism through which mobile applications access personal data stored on or generated by a user’s device. Camera permissions access images and video. Contact permissions access names, phone numbers, and email addresses. Location permissions access real-time and historical location data. Microphone permissions access audio. 

The DPDPA defines personal data as any data about an individual who is identifiable from that data. Location data, contact lists, photos, and voice recordings all meet this definition. The moment an app requests and receives permission to access any of these, it is collecting personal data. And the DPDPA requires that every collection of personal data be based on a lawful purpose, accompanied by a clear notice to the user, and in most cases supported by specific, informed consent.

The operating system permission dialogue, the simple Allow or Deny popup that appears on Android and iOS, is not DPDPA consent. It is a technical access control. It tells the user that the app wants access to something. It does not tell them why the access is needed, what specific data will be collected, how long it will be retained, who it will be shared with, or how they can withdraw consent later. A DPDPA-compliant permission process requires all of this information to be conveyed before the user makes their decision.

The Notice Requirement and What It Demands

Section 5 of the DPDPA requires that a Data Fiduciary provide a notice to the data principal before or at the time of collecting personal data. This notice must specify what data is being collected, the purpose for which it is being collected, and how the data principal can exercise their rights under the Act.

For app permissions, this means that before an app requests access to a user’s location, it must tell the user specifically why it needs location access, what it will do with the location data, whether it will share the location data with third parties, and how long it will retain it. “We need your location to provide our service” is not a compliant notice. “We use your real-time location to show you nearby restaurants. We retain location data for 30 days. We share anonymised location data with our advertising partners” is closer to what the DPDPA requires.

This level of specificity is uncomfortable for many app developers because it makes the extent of data collection visible to users in a way that vague permission descriptions do not. But the DPDPA does not give organisations the option to obscure this information for commercial convenience.

Where the Two Regimes Diverge

The most significant tension arises in scenarios where a fintech wants to transfer data that falls under both the DPDPA’s cross-border transfer provisions and the RBI’s localization requirement.

Consider a fintech that processes payments for Indian customers but has its fraud detection systems hosted by a global vendor operating in a third country. Under the DPDPA, if the third country is on the government’s approved list, the transfer may be permissible. Under the RBI’s framework, the payment data involved in those transactions must remain in India. The two requirements point in different directions.

Another tension arises in the context of international remittances and cross-border payment products. Fintechs that process international payments must transmit transaction data across borders as part of the payment process itself. The RBI’s localization requirement includes exceptions for international transactions, but the scope of these exceptions and how they interact with the DPDPA’s transfer framework requires careful legal analysis.

The key principle that emerges from reading both frameworks together is that RBI’s localization requirement establishes a floor that cannot be lowered by the DPDPA’s more permissive transfer provisions. Where the RBI requires data to stay in India, it stays in India, regardless of what the DPDPA permits for transfers. The DPDPA’s transfer framework applies to the data that is not captured by a more restrictive sectoral requirement.

The Consent Standard for App Permissions

Beyond the notice requirement, the DPDPA requires that consent for personal data processing be freely given, specific, informed, unconditional, and given through a clear affirmative action. App permissions that are bundled together, where a user must accept all permissions to use any part of an app, do not meet the freely given standard.

An app that requires location access as a condition of using a feature that has nothing to do with location is not obtaining freely given consent for location processing. The user’s only option is to accept an unnecessary permission or not use the app at all. This is conditional consent, and the DPDPA does not recognise conditional consent as valid.

This has significant implications for how apps are designed. Permissions must be requested at the point in the user journey where they are actually needed, not bundled at installation. Each permission must be individually requestable and individually deniable without blocking access to unrelated app features. And the app must function at a basic level even if users decline permissions that are not strictly necessary for the core service.

Permissions That Go Beyond What Is Necessary

The DPDPA’s data minimisation principle requires that organisations collect only the personal data that is necessary for the purpose they have stated. Many Indian apps request permissions that go significantly beyond what their stated functionality requires.

A calculator app that requests contact access has no legitimate justification for that permission under the DPDPA. A flashlight app that requests location access cannot explain a necessary connection between location data and its core function. A news app that requests microphone access for a feature most users never use is collecting data it does not need to provide its primary service.

These over-broad permission requests were common in the pre-DPDPA environment because there was no law requiring necessity, and more data was always commercially better than less. The DPDPA changes this calculus entirely. Each permission request must now be justifiable against the necessity test, and requests that cannot be justified are not just commercially questionable. They are legally non-compliant.

The Withdrawal Problem

The DPDPA gives data principals the right to withdraw consent at any time, and requires that withdrawing consent be as easy as giving it. For app permissions, this creates a specific design obligation.

If a user wants to withdraw consent for location processing by an app, they should be able to do so within the app, not just through the operating system’s settings menu. The operating system revoke mechanism exists, but it is not intuitive for most users and it does not constitute a DPDPA-compliant withdrawal mechanism on its own.

Apps must provide an in-app mechanism for users to review what permissions they have granted, understand what each permission is used for, and revoke individual permissions without losing access to unrelated app features. When a permission is revoked, the processing of data collected under that permission must cease, and the data collected solely on the basis of that permission must be deleted unless another lawful basis exists for its retention.
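
The withdrawal rule described above, sketched as a server-side consent ledger. This is an added example, not ComplyPlanet's code; the class names, the permission labels and the `legal_retention` basis are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Record:
    record_id: str
    permission: str  # permission under which the data was collected
    bases: set       # lawful bases for holding it, e.g. {"consent"}


@dataclass
class ConsentLedger:
    granted: set = field(default_factory=set)  # permissions with live consent
    store: list = field(default_factory=list)  # records collected so far

    def grant(self, permission):
        self.granted.add(permission)

    def may_process(self, permission):
        return permission in self.granted

    def collect(self, record_id, permission, extra_bases=()):
        # Refuse collection once consent for this permission is gone.
        if not self.may_process(permission):
            raise PermissionError(f"no consent for {permission}")
        self.store.append(Record(record_id, permission, {"consent", *extra_bases}))

    def withdraw(self, permission):
        """Revoke one permission; return ids of records deleted as a result."""
        self.granted.discard(permission)
        deleted, kept = [], []
        for rec in self.store:
            if rec.permission == permission:
                rec.bases.discard("consent")
                if not rec.bases:  # consent was the only basis: delete
                    deleted.append(rec.record_id)
                    continue
            kept.append(rec)  # unrelated data, or another basis remains
        self.store = kept
        return deleted
```

Revoking one permission leaves the others in `granted` untouched, so unrelated features keep working.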

The Third-Party SDK Problem

Most Indian apps include multiple third-party software development kits from analytics providers, advertising networks, crash reporting tools, and other services. These SDKs often access device permissions independently and send data to their own servers. The app developer may have no complete picture of what data each SDK is collecting and where it is going.

Under the DPDPA, the app developer is the Data Fiduciary. They are responsible for what all of their data processors, including third-party SDKs, do with the personal data the app collects. Permissions granted to the app extend to the SDKs it includes. And the user’s consent notice must accurately describe what each permission is used for, including uses by third-party SDKs.

This requires app developers to conduct a thorough audit of every SDK in their app, understand exactly what data each SDK accesses and transmits, include this information in their privacy notice and permission explanations, and maintain data processing agreements with SDK providers that bind them to DPDPA requirements.
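
One way to start the SDK audit and the necessity check from the data minimisation section: compare every permission declared by the app and by each bundled SDK manifest against a register of purposes the notice actually discloses. This is an added example, not ComplyPlanet's tooling; the manifests are constructed, and the SDK names and register layout are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'

# Constructed input: the app's own manifest plus the manifests bundled in two
# hypothetical SDKs (each Android library ships its own AndroidManifest.xml).
MANIFESTS = {
    "app": f"""<manifest {NS}>
      <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
      <uses-permission android:name="android.permission.CAMERA"/>
    </manifest>""",
    "sdk:example-ads": f"""<manifest {NS}>
      <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
      <uses-permission android:name="android.permission.READ_CONTACTS"/>
    </manifest>""",
    "sdk:example-crash": f"""<manifest {NS}>
      <uses-permission android:name="android.permission.INTERNET"/>
    </manifest>""",
}

# Hypothetical purpose register: what the notice tells users, per permission.
REGISTER = {
    "android.permission.ACCESS_FINE_LOCATION": {
        "purpose": "show nearby restaurants", "disclosed_users": {"app"}},
    "android.permission.INTERNET": {
        "purpose": "network access", "disclosed_users": {"app", "sdk:example-crash"}},
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}


def audit(manifests, register):
    """List (permission, component, problem) for requests the notice does not cover."""
    findings = []
    for component, xml_text in manifests.items():
        for perm in requested_permissions(xml_text):
            entry = register.get(perm)
            if entry is None:
                findings.append((perm, component, "no documented purpose"))
            elif component not in entry["disclosed_users"]:
                findings.append((perm, component, "use not disclosed in notice"))
    return sorted(findings)
```

A manifest check only shows what a component can request; what an SDK transmits at runtime still has to be confirmed separately.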

Why ComplyPlanet

ComplyPlanet works with app developers and digital product companies to audit their permission practices, redesign their consent flows, and build data collection architectures that meet the DPDPA’s requirements without compromising product functionality.

We help you map every permission your app requests against the DPDPA’s necessity and purpose requirements, identify permissions that cannot be justified and should be removed, design permission request flows that meet the Act’s notice and consent standards, audit your third-party SDKs for data collection practices, and build in-app consent management mechanisms that support withdrawal.

Conclusion

Every Allow you have ever tapped was a moment of trust. The DPDPA is the law that decided that trust deserves to be honoured. If your app is requesting permissions it does not need, bundling consent it cannot justify, and sharing data with SDKs it does not fully understand, the time to fix that is now. Not when a user files a complaint. Now.

ComplyPlanet can help you build a permission and consent framework that is genuinely DPDPA compliant. Get in touch today.
