Crypto & Web3 Platforms
Liability Check
Crypto exchanges, NFT marketplaces, and DeFi protocols often deal with pseudonymous wallet data, private keys, and transaction histories that, despite decentralization, fall under DPDP's ambit when linked to Indian users.
Why Crypto & Web3 Platforms Are at Risk
The very nature of Web3, with its focus on **decentralization** and **pseudonymity**, presents unique challenges under DPDP. While blockchain data is immutable, platforms acting as intermediaries (exchanges, on-ramps, dApps with user accounts) are still **Data Fiduciaries** for user KYC, private keys, and off-chain data. Even if data resides on a decentralized ledger, if an Indian user's identity can be inferred, the platform is liable. **Loss of private keys** or **unauthorised access to wallets** could be seen as a data breach, triggering significant reporting obligations.
Common Violations
1. Storing KYC documents (Aadhaar, PAN) on centralized servers without robust encryption or clear consent for their purpose beyond initial verification.
2. Failing to provide Data Principals with a clear mechanism to request deletion of their associated PII (e.g., email, phone number) from off-chain databases.
3. Collecting IP addresses and device fingerprints linked to wallet activity without informing users or providing clear opt-out options for data analytics.
The Immediate Fix
Map out all identifiable user data you collect, both on-chain and off-chain (e.g., KYC details, email addresses, IP logs). Implement explicit consent mechanisms for any data that links a user to their wallet or transaction history, especially for marketing or analytics purposes.
Projected Compliance Deadline: Immediate