Personal data must only be processed for the specific, stated purpose for which consent was originally obtained.
Purpose limitation is a foundational principle requiring that personal data collected for one stated purpose cannot be used for a different purpose without obtaining fresh consent. Under DPDPA Section 6, consent is only valid for the specific purpose described in the notice. If a company wants to use existing customer data for a new purpose (e.g., using transaction data for credit scoring), it must obtain new, specific consent for that purpose.
You cannot repurpose customer data without fresh consent. If you collected emails for order confirmations, you cannot use them for marketing without separate consent — violating purpose limitation exposes you to penalties per affected record.
A Chennai ride-sharing startup collected GPS data for trip navigation. It later wants to sell aggregated movement patterns to urban planners. Even if the data is aggregated, fresh consent is needed for this new purpose if any individual could be re-identified.
Having broad language like "improving our services" in your consent notice does not give unlimited purpose scope. The DPB will interpret purposes narrowly and specifically.