Your attention is the new platinum, surpassing data which was once considered the gold standard. In an era dominated by data-driven economies, it is no surprise that even something as intangible as 'attention' has become a commodity. Likewise, 'inference data'—the insights generated by analysing and combining multiple data sources—has become a focal point of debate in privacy circles. But should these types of data be explicitly classified and protected under India's Digital Personal Data Protection Act (DPDPA) 2023? Let's explore this pressing question while drawing parallels with international data protection laws.
Understanding Attention and Inference Data
Before diving into legal interpretations, let us break down what these terms mean:
In today's data-driven landscape, understanding the nuances of "attention data" and "inference data" is crucial, especially from a legal and privacy standpoint. These terms describe distinct types of information with significant implications for user privacy, advertising practices and regulatory compliance (e.g., GDPR, CCPA).
1. Attention Data: Capturing User Engagement
Attention data encompasses the digital traces generated by user interactions that reveal their focus and interest. This data reflects user engagement and provides insights into user behaviour. Examples include:
- Time on page/ product: The duration a user spends viewing a specific webpage or product listing. SEO Keyword: Website Engagement Metrics.
Illustration: Imagine a user browsing an e-commerce website. If they spend three minutes on a specific product page but only 10 seconds on another, this indicates higher interest in the first product.
- Ad interactions: Actions taken on advertisements, such as pauses, clicks, or video completion rates. SEO Keywords: Digital Advertising Metrics, Ad Engagement.
Illustration: A user sees a video ad for a fitness app. If they pause and replay specific parts, it highlights interest in those segments.
- Clickstream data: A chronological record of a user's clicks and navigation patterns within a website or application. SEO Keywords: User Behavior Analytics, Clickstream Analysis.
- Illustration: Consider a user searching for vacation packages. Their clickstream might show a progression: Homepage → Destinations → Specific Packages → Booking Page. This journey reflects their decision-making process.
- Mouse tracking & eye tracking: Data capturing mouse movements, cursor positions and eye gaze patterns to understand user attention on specific elements. SEO Keywords: User Experience (UX) Analytics, Eye Tracking Technology
- Illustration: A user hovers their mouse over a 'Buy Now' button but doesn't click it. Eye tracking might reveal they were distracted by a pop-up.
- Scroll depth: How far a user scrolls down a webpage, indicating engagement with content. SEO Keywords: Content Engagement, Scroll Depth Analysis. On a blog about sustainable living, a user scrolling to 90% of the page suggests high interest, while a user stopping at 20% indicates disengagement.
Legal Implication: Attention data, while seemingly innocuous, can be used to create detailed user profiles and target advertising. Legal frameworks often require transparency and user consent for the collection and use of this data, especially when combined with other data points.
2. Inference data: Drawing Conclusions from User Data
Inference data represents the conclusions or predictions drawn by organisations based on collected data, including attention data. It involves using algorithms and analytical techniques to extrapolate insights beyond the explicitly provided information. Examples include:
- Lifestyle preferences: Inferring a user's lifestyle based on purchase history, browsing activity, and social media interactions. SEO Keywords: Consumer Profiling, Lifestyle Segmentation.
Illustration: A user frequently browses travel blogs, buys outdoor gear and shares hiking photos on social media.
Inference: The user likely has an adventurous lifestyle and enjoys outdoor activities.
- Political leanings/ beliefs: Deducing political affiliations or beliefs from social media posts, shared content and online group memberships. SEO Keywords: Political Targeting, Sentiment Analysis.
Illustration: A user shares articles supporting environmental policies and joins groups advocating climate change action.
Inference: The user likely supports progressive or green political ideologies.
- Health and wellness: Making inferences about a user's health status or interests based on search queries, app usage, and online activity. SEO Keywords: Health Data Analytics, Digital Health.
Illustration: A user regularly searches for 'low-carb recipes', logs steps in a fitness app, and subscribes to a keto newsletter.
Inference: The user is likely following a ketogenic diet and is health-conscious.
- Socio-economic status: Inferring a user's socio-economic background based on location data, purchasing patterns, and online behavior. SEO Keywords: Demographic Profiling, Socioeconomic Data.
Illustration: A user frequently visits luxury e-commerce sites, uses apps for private jet bookings, and posts from high-end resorts.
Inference: The user likely belongs to a high-income group.
Key Legal Considerations:
- Transparency and consent: Organisations must be transparent about the data they collect and how they use it, including the inferences they make. User consent is often required, especially for sensitive data.
- Data minimisation: Organisations should collect only the data necessary for the specified purpose and avoid making overly broad or speculative inferences.
- Data security: Robust security measures are essential to protect user data from unauthorised access, use, or disclosure.
"Privacy, once noble, now a meme,
A distant dream, or so it would seem.
For AI knows what you'll say or do,
Before you've even thought it through."
DPDPA 2023 and DPDP Rules 2025: Current Scope and Gaps
The DPDPA focuses on 'personal data' which it defines as any data about an individual that can identify them. It also emphasises the importance of consent, data fiduciary obligations and penalties for non-compliance.
However, the Act does not specifically address inference data or attention data as distinct categories. Why is this a potential issue?
- Lack of explicit protection: Attention and inference data often fall into grey areas because they are derived or abstracted from original data sources.
What's missing: The Act does not address data types generated indirectly, such as user behaviour (attention data) or derived insights (inference data).
Why it matters: Attention and inference data can reveal sensitive aspects of a user's life, such as habits, preferences, and vulnerabilities. For example, eye-tracking data (attention data) on a website could be used to predict a user's emotional state or intent.
- Consent challenges: Users rarely consent to their behavioural data being analysed to produce inferences. Yet, these inferences can have profound consequences, such as targeted advertising or discriminatory pricing.
What's missing: The consent framework under DPDPA does not address how consent applies to the generation of inferences or the analysis of behavioural data.
Why it matters: Users rarely consent explicitly to having their behaviour analysed to produce inferences, such as predicting socioeconomic status or political leanings. Yet, these inferences can have far-reaching impacts, such as targeted advertising, price discrimination, or even denial of services.
- Potential for misuse: Without clear regulation, companies may exploit these data types without accountability, risking user privacy and autonomy.
What's missing: The absence of clear guidelines leaves room for companies to exploit these data types without oversight.
Why it matters: Without regulation, attention and inference data can be used for manipulative practices.
What Do International Data Protection Laws Say?
India isn't alone in grappling with the challenges of regulating inference and attention data. The OECD Privacy Guidelines advocate for proportionality in data use, emphasising that processing must not infringe on user rights. Let's examine how some leading international frameworks approach the issue:
- GDPR (EU): Inference data is considered personal data if it can be linked back to an individual. GDPR's Article 22 addresses automated decision-making, indirectly governing the use of inference data. However, attention data is not explicitly classified.
- CCPA/CPRA (California): The CCPA and CPRA recognise profiling-related data. Attention data isn't named explicitly but could fall under behavioural data when linked to an individual.
- Canada's PIPEDA: Recognises inferred data as personal information if linked to an individual. Proposed updates aim to strengthen the regulation of AI-generated inferences.
- Australia's Privacy Act: Proposed reforms expand definitions of personal data to include inferences and metadata.
Should DPDPA Take a Cue?
Changes I would suggest,
India's DPDPA 2023 has room to evolve. Including attention and inference, data would address critical privacy challenges. By expanding its scope to explicitly address attention data and inference data, the DPDPA can bridge critical gaps and align with global best practices. Let's delve deeper into why this evolution is essential and how it can be implemented effectively. Here's why:
1. Ensuring Transparency: Users deserve to know- Transparency is the cornerstone of any robust privacy framework. Today, attention data (such as time spent on a webpage or ad interactions) and inference data (such as lifestyle predictions derived from purchase history) are often processed in the shadows, leaving users unaware of their digital footprint's extent and implications.
Proposed Enhancements for Transparency:
- Clear disclosure mechanisms: Mandate that organisations provide accessible, plain-language disclosures about how attention and inference data are collected, processed, and used. For instance, websites and apps could feature a 'Data Use Summary' detailing these practices.
- User-friendly data logs: Require companies to maintain and share logs of inferred insights, enabling users to verify, challenge, or erase inferences. This aligns with the GDPR's right to access and rectification.
- Regular audits: Implement mandatory data audits to verify that organisations uphold transparency standards, with findings published in annual privacy reports.
2. Strengthening consent: Empowering users with choice - Consent lies at the heart of privacy protection. While the DPDPA emphasises obtaining user consent, it does not explicitly address consent for behavioural analysis or the generation of inferences. Without explicit safeguards, users may unknowingly consent to far-reaching data uses.
Proposed enhancements for consent:
- Granular consent options: Implement multi-layered consent mechanisms, allowing users to consent to basic data collection but opt out of behavioural analysis or profiling.
- Informed consent requirements: Enforce strict guidelines requiring organisations to explain the potential outcomes of generating inferences, such as targeted advertising or price discrimination.
- Real-time consent updates: Develop tools to dynamically inform users when new inferences are drawn, enabling them to revoke or modify consent. For example, if a user's shopping patterns infer a lifestyle preference, they should be notified immediately.
3. Mitigating risks: Protecting individuals and promoting ethics - The unregulated use of attention and inference data poses significant risks, from discrimination to invasive profiling. Ensuring that organisations adhere to ethical data usage practices is critical for preserving individual autonomy and trust.
Proposed enhancements for risk mitigation:
- Algorithmic accountability: Require companies to assess the fairness and bias of algorithms used for generating inferences, similar to the EU's AI Act requirements.
- Data minimisation principles: Mandate that attention and inference data be processed only for necessary and proportional purposes, preventing overreach.
- Ethical guidelines for sensitive inferences: Prohibit the use of inference data to draw conclusions about sensitive topics, such as health conditions or political beliefs, without explicit user consent.
4. Aligning with global standards: Easing compliance and building trust - By harmonising with international frameworks, such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), the DPDPA can position India as a global privacy leader while simplifying compliance for multinational organisations.
Proposed alignments with global standards:
- Adopting GDPR-like profiling rules: Incorporate restrictions on automated decision-making and profiling, ensuring users can contest decisions based solely on inferences.
- Cross-border data flow protections: Require heightened scrutiny for transferring attention and inference data internationally, similar to the GDPR's provisions on data export.
- Uniform definitions: Align definitions of personal data, attention data, and inference data with global standards to facilitate interoperability.
What Do I think?
The world is shifting from merely safeguarding raw data to addressing the ethical and legal challenges posed by derived data like attention and inferences. For India, the DPDPA 2023 and DPDP Rules 2025 are a step forward, but it needs to anticipate emerging issues to stay relevant. As individuals, understanding how our digital attention and inferred identities are monetised and manipulated is crucial. As businesses, respecting these data boundaries can build trust and long-term loyalty. So, shouldn't attention data and inference data get their due place under India's data protection framework? Absolutely! It's time we expanded the conversation—and the regulations—to truly protect the digital identities we're creating every second in this multiverse of multiverses.
References:
(This article first appeared on dpdpa.com, a site maintained by Adv Dr Mali)
(Advocate (Dr) Prashant Mali is an internationally renowned Cyber & Privacy Lawyer with a Master's in Computer Science and Law, and holds a Ph.D. in Cyberwarfare & International Cyberlaw. He is a sought-after expert who has represented Fortune 500 companies, celebrities, and governmental agencies. An author of six books and numerous research papers, one of his books serves as an official textbook in prestigious academic institutions. Beyond law, he is actively involved in charitable activities and cyber education initiatives to support underprivileged communities.)