Notes from the front of the privacy enforcement work.
DPDP enforcement observations, data-broker performance data, transparency narratives, and field notes from working against specific platforms. Updated when we have something specific to say.
What we learned from the first set of DPB orders.
Three patterns emerge from the Board's early decisions: mediation-first, narrow grounds for refusal, and a clear preference for hashed evidence.
IndiaMART removals: a quarter of data.
Average days to removal at IndiaMART moved from 38 to 24 between Q4 2025 and Q1 2026. What changed.
Why Telegram leak channels die, and why they come back.
We tracked 150 curated channels for nine months. About a third went dark in Q1 2026. Most reincarnated within six weeks.
Two years after the CoWIN bot, where the data went.
The June 2023 CoWIN exposure produced cold-calling outfits that are still active. Tracing a single exposed phone number through 22 months of misuse.
Transparency report, Q1 2026: narrative version.
The numbers are on /trust/transparency. What they mean is here.
Field notes: how Tofler responded to our first Section 12 batch.
Eighty Tofler removal requests on day one. The response taught us how to draft to a director-data aggregator.
Looking ahead: what changes on the DPDP timeline.
Significant Data Fiduciary designation, Consent Manager licensing, and cross-border transfer rules are all scheduled to land in 2026 and 2027.
Non-consensual intimate imagery: a working response protocol.
If your image appears on an adult, scam, or impersonation site, the legal route is not Section 12 alone. Here is the actual protocol.