DPDP Act & QR Codes: India Data Privacy Compliance Made Simple

India's Digital Personal Data Protection (DPDP) Act 2023 is the country's first comprehensive data privacy law. Every QR code campaign that collects user data — location, email, phone number — must now comply. SMLLR is built for Indian businesses: our platform uses privacy-preserving analytics by default, never stores full IP addresses, and gives you the consent management tools required under the Act. This guide walks through exactly what you need to know.

The Digital Personal Data Protection (DPDP) Act 2023 governs how Indian businesses collect, process, and store personal data of Indian citizens. Violations can result in fines up to ₹250 crore. For QR marketers, this means:

• You cannot collect personal data without informed, unambiguous consent
• Data must be used only for the purpose stated at time of collection
• Users have the right to withdraw consent and have their data erased
• Critical personal data must be stored on servers within India

This isn't just a legal checkbox — it's a competitive advantage. Indian consumers increasingly choose brands they trust with their data.

There is a critical distinction regulators care about. Scan Metadata (non-personal) includes device type, time of scan, and city-level geolocation derived from IP address. This is generally permitted for internal analytics without explicit consent. Personal Data includes names, email addresses, phone numbers, and precise GPS coordinates. Collecting this through a QR-linked form requires clear opt-in consent.

If your QR code leads to a lead-generation form, the form must have a clear opt-in checkbox explaining what the data will be used for and a visible link to your privacy policy. For regulated industries (healthcare, finance, education), SMLLR recommends a Double Opt-in Landing Page — the user scans, sees a consent screen, confirms, and only then reaches the destination. This creates an audit trail of consent you can show regulators.

Under the DPDP Act, precise geolocation is classified as sensitive personal data. SMLLR's scan analytics record city-level location derived from IP address — which falls outside the sensitive data classification. For precise GPS location (available on Premium plans for heatmap analytics), SMLLR requests explicit browser permission and discloses the purpose before collecting coordinates, keeping you compliant without sacrificing campaign insights.

The DPDP Act requires that certain categories of data be stored on servers within Indian territory. SMLLR's infrastructure runs on AWS ap-south-1 (Mumbai), meaning all scan data, user records, and analytics generated by Indian campaigns are processed and stored within India. For enterprise clients, we provide data processing agreements (DPAs) that document this compliance for your legal team.

Under DPDP, Indian users have the right to request that their personal data be erased. SMLLR provides scan-level audit logs for every campaign and allows account owners to permanently delete scan records for specific users on request. All deletions are logged with timestamps, giving your compliance team a defensible audit trail.