Real Estate Aggregator + Developer + Home Loan Bank: The Consent Architecture That "We May Share With Relevant Partners" Cannot Provide
15 million registered users. Leads sold to developers and banks. Retargeting ads across the web. A single ToS clause. None of it is valid DPDP consent. Here's what the architecture needs to look like.
A real estate aggregator has 15 million users. When a user expresses interest in a property, the platform shares the lead (name, mobile, email, income bracket, property preferences) with the developer and with partnered home loan banks. The platform also uses browsing history for retargeted digital advertising. Platform terms say "we may share your data with relevant service providers."
"We may share your data with relevant service providers."
- Not specific — doesn't name recipients
- Not informed — no purpose description
- Bundled into ToS acceptance
- Pre-ticked or implied consent
"By clicking Connect with Developer, you consent to sharing your name, mobile, and stated budget with [Developer Name] for pricing info. ☐ I agree."
- Shown at the exact click-moment
- Names the developer explicitly
- Lists specific data fields
- Affirmative checkbox only
"We may share with relevant service providers" — valid DPDP consent for passing leads?
Not valid. §6(1) requires consent to be "free, specific, informed, unconditional, and unambiguous." A general clause is not specific, not informed, and is conditional on using the platform. The platform must redesign its consent architecture so that at the exact moment a user clicks "Get Price," they see the developer's name, the home loan banks they will be connected with, the specific data fields to be shared, and the purpose. Consent must be given through an affirmative action by the user, not a pre-selected checkbox.
Can the platform use browsing data for retargeting ads without specific consent?
Behavioural retargeting requires explicit consent. The user's reasonable expectation when browsing property listings does not include having their browsing patterns used to follow them across the internet with ads. The platform should implement a cookie/tracking consent mechanism (separate from account registration consent) covering: behavioural data collection for ad retargeting, which advertising platforms receive this data, and the right to withdraw. Combining income bracket, property budget, and location browsing for retargeting constitutes financial profiling warranting higher scrutiny.
A lead sold to a home loan bank results in two years of marketing calls. Who is responsible?
The bank is independently responsible as a Fiduciary that made independent processing decisions. If it added the person to a general marketing database without independent consent for that purpose, the bank violated §7 (purpose limitation). However, the platform also bears responsibility if its consent mechanism didn't clearly delineate the purpose as "initial inquiry response" only. The platform's Data Sharing Agreement with the bank must contractually restrict use, mandate deletion after engagement completes, and require the bank to indemnify the platform for data misuse claims.
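One way to enforce the click-moment consent and the purpose restriction described above on the server side, before any lead leaves the platform. This is an added example, not the platform's own code; the record layout, the `release_lead` function, and the names "Developer X" and "Bank Y" are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample lead; field names and values are assumptions for this example.
LEAD = {"name": "A. Rao", "mobile": "+91-0000000000", "email": "a.rao@example.com",
        "income_bracket": "10-15L", "budget": "80L"}

class ConsentError(Exception):
    """Raised when no valid consent covers the requested share."""

@dataclass(frozen=True)
class Consent:
    user_id: str
    recipient: str        # one named entity shown to the user at click time
    purpose: str          # the single purpose shown to the user
    fields: frozenset     # exact data fields listed in the prompt
    affirmative: bool     # True only if the user ticked the box themselves
    withdrawn: bool = False

def release_lead(lead, user_id, recipient, purpose, consents):
    """Return the payload that may be sent to `recipient`, or raise ConsentError.

    `consents` is ordered oldest to newest; the newest matching record decides.
    """
    matches = [c for c in consents
               if (c.user_id, c.recipient, c.purpose) == (user_id, recipient, purpose)]
    if not matches:
        raise ConsentError(f"no consent naming {recipient!r} for {purpose!r}")
    latest = matches[-1]
    if not latest.affirmative:
        raise ConsentError("pre-ticked or implied consent is not accepted")
    if latest.withdrawn:
        raise ConsentError("consent was withdrawn")
    # Share only the fields the user saw and agreed to, nothing else from the lead.
    return {k: v for k, v in lead.items() if k in latest.fields}

if __name__ == "__main__":
    granted = [Consent("u1", "Developer X", "pricing info",
                       frozenset({"name", "mobile", "budget"}), affirmative=True)]
    print(release_lead(LEAD, "u1", "Developer X", "pricing info", granted))
    try:
        release_lead(LEAD, "u1", "Bank Y", "pricing info", granted)
    except ConsentError as e:
        print("blocked:", e)
```

Because the lookup key is the (user, recipient, purpose) triple, consent given to the developer for pricing information never authorises a share with a bank or a later marketing use.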