Author: Himani Jethwani
College: Jai Narain Vyas University, Jodhpur, Rajasthan
Abstract
Every interaction with a digital device a search query, a location ping, a swipe on a shopping app leaves behind a trace that is collected, stored, analysed, and often monetised by entities the user never directly encounters. This article examines the phenomenon of the “digital footprint”: what it is, how it is generated through both active and passive means, and the scale at which contemporary data ecosystems compile, cross-reference and profile individual users. It surveys the Indian legal response to this phenomenon, from the constitutional recognition of privacy as a fundamental right to the specific statutory obligations imposed by the Information Technology Act, 2000 and the newly enacted Digital Personal Data Protection Act, 2023. The article further considers comparative developments such as the European “right to be forgotten,” evaluates the adequacy of current safeguards against pervasive commercial and governmental surveillance, and concludes with an assessment of the gap between formal legal protection and the practical reality of a person’s exposure online.
To the Point
A digital footprint is the trail of data that a person leaves behind while using the internet and connected devices. It is conventionally divided into two categories. An active digital footprint consists of information a person deliberately shares a social media post, an online purchase, a form filled out to register for a service, an email sent, a comment posted under a news article. A passive digital footprint, by contrast, is collected without any conscious act of disclosure: the IP address recorded by every website visited, the device fingerprint compiled from browser settings and screen resolution, the cookies that track browsing behaviour across sessions, the metadata attached to a photograph revealing the location and time it was taken, and the continuous stream of location data generated by a smartphone even when no app is in active use.
The scale of this collection is difficult for an ordinary user to appreciate because it is largely invisible. A single visit to a news website can trigger dozens of third-party trackers operated by advertising networks, analytics firms and data brokers, none of which the visitor consciously chose to engage. Search engines log queries against user accounts and IP addresses; e-commerce platforms record not only purchases but abandoned carts, dwell time on product pages and the sequence in which items were viewed; and voice assistants and smart home devices generate audio and behavioural data that is transmitted to servers for processing and, in many cases, retained indefinitely.
What renders the digital footprint legally significant is not any single data point but the process of aggregation. Individually, a browsing history entry or a location ping may appear innocuous. Combined across dozens of sources by data brokers and analytics companies, these fragments can be assembled into a remarkably precise profile revealing a person’s health conditions, political affiliations, sexual orientation, financial standing and daily movements — often with greater accuracy than the person could articulate about themselves. This aggregated profile is then used for targeted advertising, credit scoring, insurance underwriting, employment screening and, in some jurisdictions, law enforcement surveillance, raising the core legal question this article addresses: does the individual retain meaningful control over information generated about them, or has that control migrated silently to the platforms that collect it?
Use of Legal Jargon
Right to Privacy as the Constitutional Anchor: The Indian legal response to digital data collection begins with the recognition of privacy as a fundamental right under Article 21 of the Constitution. Prior to 2017, the constitutional status of privacy was uncertain, resting on a fragmented line of precedent. A nine-judge bench of the Supreme Court in Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1 resolved this uncertainty, holding that the right to privacy is intrinsic to the right to life and personal liberty and extends to informational privacy an individual’s interest in controlling the dissemination of personal data about themselves. This judgment supplies the doctrinal foundation on which every subsequent statutory development concerning data protection in India rests.
The Information Technology Act, 2000 and Reasonable Security Practices: Before the enactment of dedicated data protection legislation, the primary statutory framework governing digital data was the Information Technology Act, 2000. Section 43A imposes liability on a body corporate that is negligent in implementing and maintaining “reasonable security practices and procedures” while handling sensitive personal data, rendering it liable to compensate any person who suffers wrongful loss as a result. Section 72A criminalises the disclosure of personal information obtained under a lawful contract without the consent of the person concerned, and Section 66 addresses computer-related offences more broadly, including unauthorised access to data. These provisions, supplemented by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, formed the operative if limited regime for over two decades.
The Digital Personal Data Protection Act, 2023: The enactment of the Digital Personal Data Protection Act, 2023 (DPDPA) marks the most significant development in Indian data protection law. The Act establishes a comprehensive framework built around the concepts of “data principal” (the individual to whom personal data relates), “data fiduciary” (the entity determining the purpose and means of processing) and “consent” as the primary lawful basis for processing personal data. It codifies obligations of purpose limitation, data minimisation and notice, requires data fiduciaries to implement reasonable security safeguards, and creates a Data Protection Board of India empowered to adjudicate complaints and impose financial penalties for non-compliance. The Act also recognises specific rights for data principals, including the right to access information about processing, the right to correction and erasure of personal data, and the right to grievance redressal provisions that, taken together, represent India’s first codified attempt to give individuals enforceable control over their digital footprint.
Consent, Cookies and the Doctrine of Informed Choice: A recurring difficulty in digital privacy law is the gap between formal consent and meaningful choice. Cookie banners and lengthy privacy policies technically satisfy a notice-and-consent model, yet empirical research consistently shows that users rarely read such disclosures before accepting them. The DPDPA responds to this concern by requiring that consent be “free, specific, informed, unconditional and unambiguous,” a standard that, if strictly enforced, would require data fiduciaries to move beyond boilerplate consent mechanisms toward genuinely comprehensible disclosures.
The Right to Be Forgotten: A comparative development of considerable relevance is the “right to be forgotten,” first articulated by the Court of Justice of the European Union and subsequently embedded in Article 17 of the General Data Protection Regulation. This right permits an individual to require a search engine or data controller to delist or erase personal information that is no longer necessary, relevant or accurate, subject to countervailing public interest. Indian courts have engaged with an analogous concept in a handful of cases even before the DPDPA’s enactment, and the Act itself incorporates a limited right to erasure, signalling a gradual convergence with international standards, albeit without the more developed jurisprudential architecture that the European framework has built over a decade.
The Proof
Empirical evidence of the scale of digital data collection is substantial. Studies of website tracking consistently find that the average news or e-commerce website embeds trackers from dozens of third-party advertising and analytics companies, most operating without the visitor’s explicit awareness. Data broker industry reports indicate that individual profiles compiled from purchase histories, browsing behaviour, public records and social media activity are bought and sold at scale, often containing thousands of discrete data points per person. Regulatory investigations into major technology platforms in multiple jurisdictions have documented the retention of location histories, search queries and voice recordings well beyond what users reasonably expect, prompting regulatory fines and mandated changes to default privacy settings.
In India specifically, complaints and enforcement actions under the IT Act and its rules, though historically limited in number relative to the scale of the problem, have grown as awareness of statutory remedies has increased. The Computer Emergency Response Team (CERT-In) has recorded a steady rise in reported data breaches and cyber-security incidents affecting Indian users over the past decade, reflecting both the expansion of India’s internet user base — now among the largest in the world and the corresponding growth in the volume of personal data generated and stored by domestic and international platforms.
At the same time, public understanding of digital footprints remains uneven. Surveys of internet users repeatedly find that a majority underestimate the extent to which their online activity is tracked, and a significant proportion have never adjusted default privacy settings on their devices or accounts. This gap between actual data practices and user perception is itself a matter of legal concern, because it undermines the premise of informed consent on which much of data protection law is built. The practical reality is that most individuals interact daily with dozens of data fiduciaries whose combined processing activities generate a composite digital profile far more detailed than any single interaction would suggest, and few users possess either the technical means or the legal literacy to fully audit, correct or erase that profile.
Case Laws
Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1
This nine-judge bench decision is the foundational case for digital privacy law in India. The Supreme Court unanimously held that privacy, including informational privacy, is a fundamental right protected under Article 21. The judgment established that any State action interfering with informational privacy must satisfy the tests of legality, necessity and proportionality, a framework that has since informed judicial and legislative approaches to data collection, surveillance and digital identity programmes.
Kharak Singh v. State of Uttar Pradesh, AIR 1963 SC 1295
Although decided decades before the digital era, this case remains significant as an early articulation of the tension between State surveillance and personal liberty. The Supreme Court held that domiciliary visits and surveillance without statutory backing violated the right to personal liberty, laying early groundwork for the constitutional concerns later extended to digital surveillance and data collection.
Shreya Singhal v. Union of India (2015) 5 SCC 1
While primarily concerned with the constitutionality of Section 66A of the Information Technology Act on free speech grounds, this judgment is relevant to digital footprint jurisprudence because it reinforced the principle that State power over online conduct must be exercised within clearly defined, non-arbitrary statutory limits a principle equally applicable to State access to personal data generated through online activity.
Conclusion
The digital footprint has become an unavoidable by-product of participation in contemporary economic and social life. Every search, purchase, message and location ping contributes to a composite profile that platforms, advertisers and, in some circumstances, State agencies can access, analyse and act upon often with a degree of granularity that individual users neither anticipate nor consent to in any meaningful sense. Indian law has moved, over the past decade, from a position of near-total legal invisibility on this question to a framework grounded in the constitutional recognition of informational privacy in Puttaswamy and given statutory shape through the Digital Personal Data Protection Act, 2023.
Yet the existence of a legal framework does not, by itself, close the gap between formal rights and lived exposure. Effective protection of the digital footprint depends on robust enforcement by the Data Protection Board, genuine rather than nominal consent architecture, continued judicial willingness to extend constitutional privacy principles to new forms of data collection, and a level of public digital literacy that current surveys suggest has not yet been reached. The comparative experience of the European Union, where the right to be forgotten and the broader GDPR framework have been tested through more than a decade of enforcement and litigation, offers a useful, though not directly transposable, reference point for how Indian regulators and courts might approach emerging questions around data aggregation, algorithmic profiling and cross-border data transfer.
As internet penetration in India continues to expand and an increasing share of daily life commerce, communication, entertainment, governance moves online, the question of who controls the resulting digital footprint will only grow in significance. The legal task ahead is not merely to enact rules on paper but to ensure that data principals can, in practice, know what is collected about them, correct what is inaccurate, and withdraw what they no longer wish to share restoring to the individual a measure of the control that the architecture of the modern internet has quietly assumed for itself.
FAQs
Q1. What is a digital footprint?
A digital footprint is the total trail of data a person leaves behind through online activity, comprising both actively shared information, such as social media posts, and passively collected information, such as browsing history, cookies and location data.
Q2. Is data privacy a fundamental right in India?
Yes. The Supreme Court held in Justice K.S. Puttaswamy v. Union of India (2017) that privacy, including informational privacy, is a fundamental right protected under Article 21 of the Constitution of India.
Q3. What does the Digital Personal Data Protection Act, 2023 provide?
The DPDPA establishes obligations for entities that process personal data, requires free and informed consent as the primary basis for processing, and grants individuals rights to access, correction and erasure of their personal data, enforceable through the Data Protection Board of India.
Q4. Can a person ask a company to delete their personal data in India?
Under the DPDPA, a data principal may request correction or erasure of personal data held by a data fiduciary, subject to the fiduciary’s legal obligations to retain certain information for specified purposes.
Q5. What is the “right to be forgotten”?
It is a legal principle, developed most prominently under European Union law, allowing an individual to require that certain personal information be delisted or erased from search results or databases when it is no longer necessary or relevant, subject to competing public interest considerations.
References (Optional)
1. Constitution of India, 1950, Article 21.
2. Information Technology Act, 2000, Sections 43A, 66 and 72A.
3. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
4. Digital Personal Data Protection Act, 2023.
5. Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1.
6. Kharak Singh v. State of Uttar Pradesh, AIR 1963 SC 1295.
7. Shreya Singhal v. Union of India (2015) 5 SCC 1.
8. General Data Protection Regulation (EU) 2016/679, Article 17.


