E-commerce (Mother & Baby Care)

FirstCry (Brainbees Solutions Ltd.)

Ready Score 48/100
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 19 Mar 2026

FirstCry's privacy framework is significantly misaligned with the DPDP Act 2023. As a platform primarily serving parents and children, its reliance on 'implicit' parental consent and the use of children's data (DOB/gender) for behavioral targeting and profiling creates severe regulatory risk. The policy requires a total overhaul to implement verifiable parental consent and unbundled consent mechanisms to avoid the Act's highest tier of penalties.

⚠️ Compliance Gaps

  • Outdated legal framework — policy remains anchored in the IT Act 2000 and SPDI Rules 2011
  • Lack of Verifiable Parental Consent (VPC) — no robust mechanism to verify age or parental identity per Section 9
  • Prohibited processing of children's data — site profiles children's ages for 'relevant offers,' violating Section 9(3) ban on tracking/behavioral monitoring
  • Bundled consent — privacy acceptance is integrated into account creation with no granular opt-ins for marketing or third-party sharing
  • Absence of Data Principal Rights — no mention of the Right to Nominate (Section 14) or specific Right to Erasure
  • Grievance redressal lacks DPB escalation — fails to identify the Data Protection Board of India as the statutory authority for complaints

✅ Strengths

  • Detailed transparency on data categories — clearly lists the types of personal and sensitive data collected
  • Defined security protocols — mentions SSL encryption and adherence to 'reasonable security practices' for data protection
  • Named Grievance Officer — contact information is publicly available for dispute resolution
  • Explicit Children’s Privacy Section — recognizes the need for additional security for minor-related data, though under-compliant with new DPDP standards

Overview

FirstCry (Brainbees Solutions Ltd.) is India’s leading e-commerce platform for baby and kids’ products, handling data for millions of parents and children. Because its core business model involves processing the data of minors — categorized as a vulnerable group under the DPDP Act — the company faces an exceptionally high compliance threshold.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent ⚠️

FirstCry uses a “browse-wrap” or “sign-up wrap” consent model. The policy states: “By using our Website, you are agreeing to the collection and use of your Information.”

DPDP Requirement: Consent must be a “clear affirmative action” that is free, specific, informed, unconditional, and unambiguous.

Gap: Consent is currently bundled with the Terms of Use. Users cannot choose to share data for delivery while opting out of “marketing and promotional efforts.” This fails the unconditional requirement of Section 6.

Section 9 — Processing of Personal Data of Children 🔴

Critical Risk Area. This is the most significant point of failure for FirstCry.

What the policy says: “Minors under the age of 18 are not supposed to use the Website… if you are under 18… you may use FirstCry only with the involvement of a parent or guardian.” It also admits to using a child’s date of birth and gender to “send you the best offers relevant for your child.”

DPDP Requirement (Section 9):

  1. Verifiable Parental Consent (VPC): Fiduciaries must obtain consent from a parent in a manner that is “verifiable.” FirstCry’s current “involvement” standard does not meet this.
  2. No Behavioral Tracking: Processing that involves tracking, behavioral monitoring, or targeted advertising directed at children is strictly prohibited.

Gap: FirstCry explicitly uses children’s data for profiling and “relevant offers.” Under DPDP, this is a per se violation that carries penalties of up to ₹200 crore.

Section 8 — Obligations of Data Fiduciary ✅

The policy mentions that FirstCry adopts “reasonable security practices and procedures” and uses SSL technology for sensitive data.

Strength: The company demonstrates awareness of data security, which aligns with Section 8(5). However, it lacks a formal “Data Breach Notification” procedure in its public policy, which is now mandatory under Section 8(6).

Section 9 — Data Retention ⚠️

Gap: FirstCry’s retention clause is vague: “We will not remove content or information that we may be required to retain under applicable laws.”

DPDP Requirement: Section 12 (and Section 8) mandates that a Data Fiduciary must erase personal data as soon as the purpose for which it was collected is no longer served, or when consent is withdrawn. FirstCry does not provide a clear “Right to Erasure” workflow for users.

Sections 11-14 — Rights of Data Principal 🔴

The policy provides for the “ability to access and edit” information, but it is missing the specific DPDP rights framework:

  • Right to Nominate (Section 14): No provision for users to nominate a representative in case of death or incapacity.
  • Right to Erasure: Not explicitly granted; the policy suggests data is retained at the company’s discretion for legal compliance without providing a deletion request mechanism.

Section 12 — Right of Grievance Redressal ⚠️

While a Grievance Officer is appointed (Brainbees Solutions Ltd., Pune), the policy fails to mention:

  • The timeframe for resolution (the Act and Rules suggest a 15-30 day window).
  • The escalation path to the Data Protection Board of India (DPB) if the user is unsatisfied.

Risk Assessment

Category        | Risk Level | DPDP Section   | Primary Concern
----------------|------------|----------------|-----------------------------------------------------------------
Children’s Data | High       | Section 9      | Behavioral profiling and lack of verifiable parental consent.
Consent         | Medium     | Section 6      | Bundled consent and lack of granular opt-outs.
Data Rights     | Medium     | Sections 11-14 | No right to nominate or clear erasure request process.
Regulatory      | High       | Section 15/16  | Reliance on IT Act 2000 terminology (SPDI) instead of DPDP 2023.

Recommendations for Compliance:

  1. Implement VPC: Deploy a “Parental Gateway” with ID verification or payment-based verification to confirm parental identity.
  2. Cease Child Profiling: Stop using children’s DOB/gender for targeted push notifications unless the Central Government provides a specific exemption.
  3. Update Privacy Notice: Issue a “Notice” in plain language (and multiple Indian languages as per Section 5) explaining what data is collected and for what specific purpose.
  4. Consent Manager: Integrate with a Consent Manager to allow users to withdraw consent as easily as it was given.
