DPDP Compliance for Cab Aggregators
From rider locations to driver Aadhaar cards, cab aggregators handle massive amounts of personal data. Learn how to navigate the DPDP Act 2023 without breaking the bank.
DPDP Compliance for Cab Aggregators
If you run a cab aggregator business in India, you aren’t just moving people from point A to point B; you are essentially a data company on wheels. Every time a customer opens your app, you’re collecting their live location, their home address, their phone number, and their payment habits.
Under the Digital Personal Data Protection (DPDP) Act, 2023, your business is what the law calls a Data Fiduciary. Think of this as a “Data Trustee.” You are the one deciding why and how personal data is collected, and the law expects you to guard it like a bank guards gold. The people providing the data—your riders and your drivers—are called Data Principals.
The stakes are high. If you fail to protect this data or use it in ways you didn’t clear with your users, the government can slap a penalty of up to ₹250 Crore. That is enough to shut down even a well-funded startup. Let’s break down how to keep your business safe while keeping your cabs moving.
Data Types in Cab Aggregator Workflows
Before you can comply, you need to know what you’re holding. A cab aggregator handles data for two very different groups: riders and drivers.
| Category | Data Processed | DPDP Risk Level |
|---|---|---|
| Rider Profile | Name, Phone, Email, Saved Addresses | Medium |
| Real-time Location | GPS coordinates of rider and driver | Very High |
| Driver KYC | Aadhaar, DL, PAN, Criminal Record Checks | Very High |
| Payment Info | UPI IDs, Card tokens, Transaction history | High |
| Safety Data | SOS triggers, In-app recordings, Support chats | High |
| Behavioral Data | Search history, Cancellation patterns | Medium |
1. Mastering Consent Requirements
In the old days, you could bury a “we will use your data for marketing” clause on page 40 of a Terms & Conditions document. Those days are gone. Under DPDP, Consent must be “free, specific, informed, unconditional, and unambiguous.”
Imagine you run a mid-sized cab fleet in Bangalore. When a new rider signs up, you must show them a Notice—in plain English (and potentially regional languages)—explaining exactly what you are collecting. If you want their location to find a cab, ask for it. If you want to send them “50% off” SMS alerts for a nearby restaurant, you need a separate “yes” for that. You cannot say, “You can only use our app if you agree to receive marketing spam.”
For a deeper dive into how this affects tech stacks, see our comprehensive DPDP analysis of the digital economy.
2. Tightening Data Access Controls
Not every employee in your office needs to see where a female rider went at 11:00 PM last night. Data Access Controls are about ensuring that only the people who absolutely need data to do their jobs can see it.
For example, your Customer Support team might need to see a trip route to resolve a billing dispute, but they shouldn’t be able to see the rider’s full permanent address or their stored payment methods. Your Marketing Team needs to know which areas have high demand, but they don’t need to know the names of the individuals living there.
Practical Step: Implement “Role-Based Access Control” (RBAC). If a driver finishes a trip, their app should stop showing the rider’s exact phone number or house number immediately. Use “Number Masking” so drivers and riders can call each other through a proxy without seeing private digits. This isn’t just good privacy; it’s good safety.
3. Managing Third-Party Data Sharing
Your cab app doesn’t exist in a vacuum. You likely use Google Maps for navigation, Razorpay for payments, and maybe an AWS or Azure server to store everything. Each of these is a Data Processor—someone who processes data on your behalf.
The DPDP Act says that if your “Data Processor” leaks data, you (the Data Fiduciary) are still responsible.
For example, when a customer pays for a ride, you pass their details to a payment gateway. You must have a legal contract (a Data Processing Agreement or DPA) with that gateway. This contract should state that they will only use the data for processing that specific payment and nothing else. If you share driver data with a background-verification agency, you must ensure they delete that data once the check is done. Check out our guide for startups to see how to draft these agreements.
4. Smart Data Retention Policies
One of the biggest changes with DPDP is the “Right to Erasure.” This means you cannot keep data forever just because “storage is cheap.” You are required by law to delete personal data as soon as the purpose for collecting it is over.
How does this work for a cab company?
- Trip Data: You might need to keep trip logs for 6 months to handle potential police inquiries or insurance claims. After that, can you anonymize it? (e.g., Change “Ramesh went from Home to Office” to “A trip happened from Zone A to Zone B”).
- Deleted Accounts: If a rider deletes their account, you shouldn’t keep their phone number in your database “just in case.” You must purge it unless another law (like tax or criminal law) requires you to keep it.
Scenario: A rider stops using your app for three years. Under the DPDP Act, if there’s no ongoing “business purpose,” you should proactively delete their sensitive info. For more on industry-specific retention, read our logistics industry guide.
5. Protecting the Driver’s Privacy
We often focus on the rider, but drivers are Data Principals too. You collect their Aadhaar, their live location 12 hours a day, and even their selfie for “face-match” logins.
Under DPDP, you must treat driver data with the same respect as rider data. You cannot sell a list of your top-rated drivers to a personal loan company without the drivers giving you explicit, separate consent for that specific purpose. If a driver leaves your platform, you are obligated to delete their sensitive documents once the cooling-off period (for legal disputes) ends.
Quick Actions for Cab Aggregators
Don’t panic—you don’t have to fix everything by tomorrow morning. Start with these five steps this week:
- Map Your Data: Draw a map of every piece of data you collect. Where does it come from (App, Website, KYC)? Where does it go (Cloud, Maps, Payment Gateway)?
- Audit Your App Permissions: Check if your app asks for permissions it doesn’t use (like “Access to Contacts” or “Microphone”) and remove them.
- Update the “Notice”: Rewrite your privacy notice. Make it short, use bullet points, and explain it like you’re talking to a friend over chai.
- Implement Number Masking: If your drivers can still see rider phone numbers in their call logs, talk to your tech team about a masking service immediately.
- Create a Deletion Protocol: Decide on a “shelf life” for your data. How long do you really need to keep a GPS trace of a ride from 2021?
- Designate a Point Person: Even if you aren’t a “Significant Data Fiduciary,” appoint someone in your office to be the “Privacy Hero” who handles data access requests from users.
Remember, DPDP compliance isn’t a one-time checkbox; it’s about building a culture where you treat your customers’ data as carefully as you treat their physical safety during a midnight ride. For more specialized advice, check our full guide on DPDP implementation.