Rights Under the DPDP Act, 2023
India’s Digital Personal Data Protection Act received Presidential assent on 11 August 2023, and for the first time in the country’s legal history, ordinary citizens gained a defined set of enforceable rights over their own personal data. Before this law came into effect, India had no standalone data protection statute. The Information Technology Act of 2000 and its associated rules touched on data handling, but those provisions were narrow, outdated, and rarely invoked by individuals. The DPDP Act changed that calculus. Under the Act, every person whose data is being processed by any organisation — referred to as a “Data Fiduciary” in the legislation — can now exercise specific, enumerated rights. These include the right to access personal data held by a company, the right to correct inaccurate data, the right to withdraw consent that was previously given, and the right to demand erasure of data that the company no longer has a legitimate reason to retain.
Section 11 of the Act is particularly significant. It establishes that consent, once given, can be withdrawn at any time, and that such withdrawal must be as simple as the original act of giving consent. If an app asked for your permission through a single tap, it cannot force you through a twelve-step process to revoke that same permission. Under the Act, the Data Fiduciary must stop processing your data as soon as you withdraw consent, unless retention is required by another law (for instance, tax records under the Income Tax Act or telecom records under the telegraph regulations).
Section 12 grants what might be called the “right to be forgotten,” though the Act does not use that exact phrase. Once you withdraw consent, the Data Fiduciary is obligated to erase all personal data it holds on you, and must also direct any third-party processors it shared your data with to do the same. The timelines for compliance are still being defined through rules that the Ministry of Electronics and Information Technology (MeitY) is in the process of notifying, but the obligation itself is already binding.
Penalties for non-compliance are steep. The Act prescribes fines of up to 250 crore rupees for serious violations, including failure to notify individuals of a data breach and processing data of children without verified parental consent. These are not theoretical numbers. The Data Protection Board of India (DPBI), which is the adjudicatory body created under the law, has been given the authority to impose these penalties after conducting inquiries. As of early 2025, the Board was still in the process of staffing up and issuing procedural guidelines, but companies have already begun updating their compliance infrastructure in anticipation.
“The right to withdraw consent is absolute under the DPDP Act. Companies cannot condition their services on the user’s willingness to be tracked.” — Justice B.N. Srikrishna Committee Report on Data Protection
A 2024 survey conducted by the Internet Freedom Foundation found that fewer than 12% of Indian internet users were even aware that they had any data rights under the new law. Among respondents in the 18-25 age group, awareness was marginally higher at around 18%, but even within this cohort, almost none had actually attempted to exercise those rights. The gap between the existence of the law and its practical use by citizens remains enormous. One contributing factor is that the DPDP Act does not mandate that companies inform users about their rights at the point of data collection. There is no requirement for a conspicuous notice saying “You can ask us to delete your data at any time.” Companies are supposed to provide a “clear and plain” privacy notice, but most bury it in terms-of-service documents that nobody reads. The rights exist. Finding them is the harder part.
Sending Deletion Requests to Companies
The right to erasure means nothing if you cannot figure out how to actually invoke it. Each major company operating in India has a different process for handling data deletion requests, and the ease of that process varies widely. Some companies have built self-service tools. Others require you to send emails to addresses buried in their privacy policies. A few seem to have designed their process to be as discouraging as possible without being outright non-compliant.
Google offers the most developed infrastructure for this. Users can visit myaccount.google.com > Data & Privacy and select “Download or delete your data.” From there, you can delete specific categories: search history, location data, YouTube watch history, voice recordings from Google Assistant, Chrome browsing data synced to your account, and more. Google also allows you to set automatic deletion intervals of 3 months, 18 months, or 36 months, after which data older than the selected period is purged without further action from you. If you want full account deletion, that option is available too, though it erases everything across all Google services tied to that account, including Gmail and Google Drive.
Meta handles Facebook and Instagram through Settings > Your Information > Deactivation and Deletion. Choosing “Delete Account” triggers a 30-day grace period during which you can change your mind. After that, Meta begins its deletion process, which it says can take up to 90 days to complete fully. During those 90 days, your profile is not visible to other users, but your data is still on Meta’s servers. Instagram has a separate path: Settings > Account > Delete Account. The wait times are similar. One thing worth knowing: if you log back into your account at any point during the 30-day grace period, the deletion request is cancelled automatically and you have to start over.
Indian platforms present a more mixed picture. Flipkart and Amazon India, when tested, both directed users to email their respective data protection officers. Flipkart’s DPO email was listed at the bottom of a privacy policy page that took considerable scrolling to reach. Amazon India’s was similarly tucked away. Zomato and Swiggy, on the other hand, allowed in-app account deletion with relatively few steps. Ola and Uber asked users to write to their privacy offices by email, and response times ranged from two days (Uber, in one test case) to complete silence (Ola, after three follow-ups over six weeks). The experience is inconsistent, and that inconsistency itself is a problem because it forces every user to spend time researching the specific process for every company that holds their data.
Under the DPDP Act, companies are permitted to retain certain data even after a deletion request if they are legally required to do so. For instance, ride-hailing apps may keep trip records for a mandated period under motor vehicle regulations, and food delivery apps may retain tax invoices. But the company must delete everything else. If a company refuses to comply with your deletion request, or if it simply ignores you, the recourse under the Act is to file a complaint with the Data Protection Board of India. Filing is free. Even though the Board is still building its capacity, citing the DPDP Act and the specific section (Section 12) in a written request to a company tends to produce faster results. Legal teams at most large firms are aware of the potential 250-crore-rupee penalty and would rather respond to a formal request than risk a regulatory inquiry.
Useful Links and Portals
- Google Data & Privacy: myaccount.google.com/data-and-privacy
- Meta Account Deletion: facebook.com/help/delete_account
- TRAI DND Registration: SMS “START 0” to 1909, or use the TRAI DND app
- TRAI Complaint Portal: trai.gov.in
- Data Protection Board of India: dpbi.gov.in (when operational)
- Internet Freedom Foundation: internetfreedom.in
- MeitY (Ministry of Electronics & IT): meity.gov.in
Ad Tracking Controls on Google and Meta
Targeted advertising is the primary revenue model for most free internet services, and opting out of it does not stop ads from appearing. What it does is sever the connection between your accumulated behavioural profile and the ads you see. Instead of seeing advertisements chosen based on years of tracked browsing habits, purchase patterns, and inferred interests, you see generic ads determined by the content of the page you happen to be viewing. The ads become less specific. They also become less effective for the advertiser, which is the entire point of the opt-out from a privacy standpoint.
Google’s ad personalisation toggle is at adssettings.google.com. When you visit this page while signed into your Google account, you will see a switch labelled “Ad Personalisation.” Below it, Google displays the profile it has assembled about you: age range, gender, inferred household income, relationship status, and a list of interest categories. The breadth of this profile is often surprising. Google categorises interests based on search queries, YouTube viewing history, websites visited through Chrome while signed in, and app activity on Android devices. Turning the personalisation toggle off instructs Google to stop using this profile for ad targeting. The profile data is not deleted; it is simply no longer used for serving ads. To delete the profile data itself, you need to go to myaccount.google.com > Data & Privacy > My Ad Center and clear the individual categories, or use the broader data deletion tools described in the previous section.
On Meta, the ad preference controls sit under Settings > Accounts Centre > Ad Preferences. There are several toggles here, and each one controls a different aspect of how Meta uses your data for advertising. The first and most significant is “Data about your activity from partners.” Setting this to “Not Allowed” prevents Meta from using data that other websites and apps share with it via the Meta Pixel tracking code. This is the technology that causes you to see Facebook ads for a product minutes after you looked at it on a shopping site. Under the Act, Meta is required to respect this preference once you set it, though enforcement of how quickly and completely the change takes effect is difficult to verify independently.
The second toggle worth adjusting is “Ads based on your activity on Facebook Products.” Turning this off means Meta will not use your likes, shares, group memberships, page visits, or Marketplace activity to select ads. The third toggle, “Social Interactions,” controls whether Meta can use your name and profile picture in ads shown to your friends (for example, showing “Priya Mehta likes Brand X” alongside a Brand X advertisement). Disabling all three does not make you invisible to advertisers, but it reduces the personalisation to a level where the ads you see are based on broad demographic data rather than your specific digital habits.
Twitter/X has its own advertising preference panel under Settings > Privacy and Safety > Ads Preferences. LinkedIn offers controls at Settings > Advertising Data. Amazon India provides an opt-out at Your Account > Advertising Preferences, though it only covers Amazon’s own advertising network and does not affect third-party ad services that Amazon may share data with. Each of these takes about two minutes to adjust. The combined effect of disabling personalisation across Google, Meta, Twitter/X, LinkedIn, and Amazon is not that you see fewer ads. You see the same number of ads. They are just no longer shaped by a detailed file of your interests and behaviour.
There is one caveat. Companies update their settings interfaces periodically. Menu paths that work today may change after the next app update. Google, in particular, has a history of reorganising its privacy settings pages every twelve to eighteen months. If a path described here does not match what you see on your screen, look for the setting by name rather than by location. The terminology (“ad personalisation,” “advertising preferences,” “ad data”) tends to stay consistent even when the menus shift around.
Telecom Spam and TRAI’s DND Registry
Indian telecom companies hold an unusual amount of personal data about their subscribers. Jio, Airtel, Vi (Vodafone Idea), and BSNL all collect call metadata (who you called, when, for how long), cell tower location data (which gives an approximate record of your movements throughout the day), app usage patterns (on Android, where the network provider can sometimes see which apps are consuming data), and the Aadhaar-linked KYC details you submitted when you bought the SIM. A 2023 investigation by the Centre for Internet and Society documented instances of telecom companies sharing subscriber profile data with advertising partners. The consent for this sharing was not obtained separately. It was bundled into the blanket terms-and-conditions document presented during SIM activation, a document that almost nobody reads in full.
Under the DPDP Act, this kind of bundled consent is no longer considered valid for data processing that goes beyond what is necessary for the service you signed up for. If you subscribed to a mobile phone plan, the telecom company can use your data to provide that plan. Sharing your behavioural profile with advertising networks is not part of providing a phone plan, and the consent for it can be withdrawn separately.
Withdrawing consent through the telecom provider’s own app is the quickest route. On MyJio, the privacy toggle is under app settings, then privacy preferences. On Airtel Thanks, it sits in profile settings, though its exact location has shifted between app versions. The Vi App has similar controls, typically buried a few screens deep. If you cannot find the setting in the app, or if you want a formal record of your withdrawal, write an email to the provider’s nodal officer. The nodal officer’s contact details are listed on the provider’s website, usually at the bottom of the “Contact Us” or “Regulatory” page. In your email, cite Section 11 of the DPDP Act and state that you are withdrawing consent for any data processing beyond what is strictly necessary to deliver your telecom service. Keep a copy of this email and any reply you receive. If the provider does not respond within 30 days, you have grounds to file a complaint with the Data Protection Board or with TRAI at trai.gov.in.
Separately from the data-sharing issue, there is the matter of unsolicited commercial communications: the promotional calls and SMS messages that arrive at all hours. TRAI operates the National Do Not Disturb (DND) registry specifically to address this. Registering is free and takes about a minute. You can text START 0 to 1909 from your mobile phone, and this activates a block on all categories of promotional calls and messages. If you want to block some categories but allow others (for example, blocking real estate and insurance promotions but allowing banking offers), you can text START followed by the relevant category numbers to 1909. The full list of category codes is available on the TRAI website.
Registration takes effect within seven days. After that, any registered telemarketer that sends you a promotional message or call can be penalised by TRAI. Under the Telecom Commercial Communications Customer Preference Regulations of 2018, penalties range from a Rs 1,000 fine per violation for the first offence up to disconnection of the telemarketer’s access for repeated violations. You can report violations through the TRAI DND app, available for both Android and iOS. The app lets you flag specific numbers and messages, and TRAI compiles these reports to take action against offending entities.
DND has real limitations. It only works against registered telemarketers. Scammers and fly-by-night operators who route calls through personal SIM cards or VoIP gateways are not registered, so DND has no effect on them. For those calls, Android users can turn on Google’s call screening feature (available on Pixel phones and some Samsung models), which uses an automated assistant to screen unknown callers before the call reaches you. iPhone users can enable Silence Unknown Callers under Settings > Phone, which sends calls from numbers not in your contacts directly to voicemail. Truecaller is another option. It maintains a crowd-sourced database of spam numbers and can block known spam callers automatically. The trade-off is that Truecaller uploads your entire contact list to its servers, which creates its own privacy concern. Whether that trade-off is acceptable depends on how much spam you receive versus how you feel about a third party holding a copy of your contacts.
Practical Steps You Can Take Today
At the device level, both Android and iOS assign every phone a unique advertising identifier. On Android, this is called the Google Advertising ID. On iOS, it is called the Identifier for Advertisers (IDFA). This identifier is used by apps and advertising networks to track your behaviour across different applications and build a profile of your interests. Deleting or resetting this identifier breaks the continuity of that tracking. On Android, go to Settings > Privacy > Ads and select “Delete advertising ID.” On Samsung devices, there is an additional tracking layer under Settings > Privacy > Customisation Service that should be turned off separately. Xiaomi, Realme, and Oppo phones each have their own built-in advertising frameworks within system app settings. These vary by device model and MIUI/Realme UI version, but a search for “ads” or “personalisation” in the settings search bar will usually surface the relevant toggle.
On iPhone, the control is at Settings > Privacy & Security > Tracking. There is a master toggle labelled “Allow Apps to Request to Track.” Turning this off blocks all apps from requesting permission to track you across other companies’ apps and websites. Apple introduced this feature (called App Tracking Transparency) in iOS 14.5 in April 2021, and its impact was immediate. Meta reported that the feature cost it approximately $10 billion in advertising revenue in 2022 alone, because a large majority of iPhone users chose not to allow tracking when given a clear, direct choice.
Location permissions deserve focused attention. Both Android and iOS allow you to control location access on a per-app basis. The options are typically “Allow all the time,” “Allow only while using the app,” and “Deny.” Very few apps genuinely need your location in the background. A cab-hailing app needs it while you are booking a ride. It does not need it at 3 AM when you are asleep. A food delivery app needs it when you are placing an order. A social media app does not need it at all, unless you are actively using a location-based feature. Go through the list of apps that have location access on your phone. For each one, ask yourself whether that app needs your location when it is not open on your screen. If the answer is no, set it to “Only while using the app” or deny it entirely. Google Location History, which is a separate feature that records a continuous log of everywhere you go with your phone, can be paused or deleted at myaccount.google.com > Data & Privacy > Location History.
Browser-level privacy controls matter too. If you use Chrome on your phone or computer, go to Settings > Privacy and Security > Cookies and other site data and select “Block third-party cookies.” Third-party cookies are the primary mechanism that advertising networks use to follow you from website to website. Blocking them does not break most sites. Firefox blocks third-party cookies by default in its “Enhanced Tracking Protection” mode, which is enabled for all users. Safari on iPhone and Mac blocks them by default as well. If you use Edge, the setting is under Settings > Privacy, Search, and Services > Tracking Prevention, where the “Strict” option provides the most aggressive blocking.
None of these steps require technical expertise. Most take under five minutes. But they do need to be repeated, because companies reset defaults and add new tracking methods every few months. App updates can silently re-enable permissions you previously turned off. New services come with data collection turned on by default. A quarterly review of your phone’s permission settings, your Google and Meta ad preferences, and your browser’s cookie policy is a reasonable cadence. The law gives you rights. Using them is a recurring chore, not a one-time event.