Pole Position or Pitfall? Critical Analysis of Formula 1’s Privacy Policy under the DPDP Act, 2023

The Cyber Blog India | Law

As Formula 1 (F1) expands its digital reach through various platforms, the high-octane world of motorsport takes on a new track: compliance with India’s DPDP Act, 2023. Passed in August 2023, this legislation establishes the foundation for processing digital personal data, focusing on user-centricity, purpose limitation, and transparency. This article examines F1’s Privacy Policy in terms of compliance, comparing it to essential compliance requirements under the DPDP Act. It determines whether F1 is moving forward or facing a data protection penalty.

Start Your Engines: Legal Applicability and Data Fiduciary Recognition

F1’s Privacy Policy identifies QuintEvents LLC, a US-based entity, as the controller of F1experiences.com. The DPDP Act, 2023, applies to any processing of personal data outside India that involves offering goods or services to individuals within India (Section 3(b)). While the policy makes broad claims about worldwide applicability, it does not name a data fiduciary in India or select a local representative. Section 13 requires data fiduciaries to develop adequate grievance redressal methods. Moreover, Section 10 allows the central government to mandate the appointment of a data protection officer (DPO) for specific businesses, including significant data fiduciaries.

Given F1’s global scale and profile and its commercial focus on customers worldwide, this omission is non-trivial. Hence, the privacy policy appears non-compliant prima facie.

The Consent Pitstop: User Consent Compliance

Per the DPDPA, consent must be free, specific, informed, unconditional, and withdrawable (Section 6(4)). The Act mandates clear wording for notifications (Section 5) and purpose-specific consent (Section 6(2)). F1’s Privacy Policy claims it acquires user data through digital interactions such as registrations and marketing opt-ins. However, consent appears to be bundled and generic, with no purpose-specific opt-ins. The option to withdraw consent, while acknowledged, lacks a dedicated, frictionless procedure as required by Section 6(2).

Another issue requiring attention is the age limit required for consent. The DPDPA requires parental approval for individuals under 18, as per Section 9. F1 allows users under 16 with email-based parental consent. Does this mechanism fulfil the standard prescribed in the DPDPA? If not, it can result in serious legal repercussions.

Driver’s Rights: Ensuring Data Principal Rights

The DPDPA provides enforceable rights for Data Principals, including:

  • Right to access information about processing (Section 11)
  • Right to correction and erasure of personal data (Section 12)
  • Right to grievance redressal (Section 13)
  • Right to nominate (Section 14)

F1’s policy offers general information on the rights given to its users, such as access and deletion. However, it lacks clarity on the procedure, such as the redressal method or appeal to the Data Protection Board, as required by the DPDPA. Moreover, the policy is silent on the timelines. It also does not address posthumous data management, which can lead to regulatory shortcomings for long-term user data held in ticketing or loyalty programmes. Most notably, F1 does not identify any India-based grievance officer, leaving Indian users without a local remedy, a direct violation of Sections 10 and 13.

Cross-Border Data Transfers and the Localisation Conundrum

Section 16 of the DPDPA governs cross-border data transfers. It empowers the Central Government to restrict the transfer of personal data to certain countries. While the law takes a libertarian approach when compared with previous drafts, a well-defined framework from the Central Government can be used as a safety net to ensure that personal data is stored with the same duty of care as it would have been subject to if stored in India.

F1’s policy states that it stores and processes data in the United States, relying on the outdated EU-US Privacy Shield. It does not mention any standard contractual clauses (SCCs), nor does it help with regulatory compliance under the DPDPA.

Safety Car Deployment: Security Standards and Data Breach Notification

Section 8(5) of the DPDPA requires a data fiduciary to establish adequate security procedures to minimise the chances of data breaches. If a breach occurs, Section 8(6) requires notifications to the Data Protection Board and impacted data principals. F1’s policy acknowledges implementing appropriate technical and organisational safeguards. However, it does not mention particular breach notification timetables or procedures for its users.

Telemetry and Transparency: Are Notices and Legal Bases Adequate?

Section 5 requires a data fiduciary to give a clear and explicit notice to data principals before data collection, outlining the objective, categories of data collected, duration of processing, and contact details of the data fiduciary. F1 delivers some of this information, but in a dense, generic manner unsuitable for Indian users. Furthermore, Sections 4(1) and 8(7) mandate processing of personal data for authorised reasons and for as long as necessary. F1 does not include specific information on data retention timelines or a review process for data minimisation.

Underage Drivers: Personal Data of Children

Section 9 prohibits processing personal data of children without verifiable parental consent, and restricts behaviour profiling and targeted advertising towards minors. F1’s policy allows users under 16 to participate with parental consent obtained through email verification. This compliance strategy may fail to meet the high threshold of verifiability expected by Indian law. The policy also fails to indicate any methods deployed to protect minors from being profiled, which could eventually violate Section 9(3).

Final Lap: Key Fixes to Secure Compliance

Achieving compliance with India’s DPDPA requires F1 to make several key adjustments. This includes appointing a data protection officer and establishing grievance redressal mechanisms as mandated by Sections 10 and 13. The consent framework should be itemised, purpose-specific, and allow for withdrawable consent, consistent with Section 6. Users’ rights under Sections 11 to 14 need to be explicitly specified in an accessible format. Additionally, data breach response must be aligned with Section 8(6), with India-specific Data Protection Board disclosures and timelines for breach notification. Finally, the policy needs to specify the purpose of processing personal data and the retention period, and discuss data minimisation efforts for Sections 4 and 8. These requirements are more than technicalities; they are critical to India’s data protection framework transitioning from high-risk uncertainty to pole-position compliance.

Checkered Flag: Where F1 Stands in the DPDPA Grid

F1’s Privacy Policy reflects strong international hygiene, but does not sufficiently account for India’s unique statutory landscape under the DPDPA. With the Act expected to be enforced imminently, the margin for non-compliance is shrinking fast. In a jurisdiction with increasingly active digital regulators, global brands like F1 must do more than comply broadly; they must localise precisely. That means aligning their policies, appointing India-based representatives, and offering user-friendly grievance redressal and consent management tailored to Indian law. The choice is clear: adapt and accelerate, or stall at the compliance barrier.


Author’s Note: This analysis is based on the DPDPA as enacted in 2023; subsequent delegated regulations may have an even greater impact on compliance.

Varunavi Jalan, an undergraduate student at Jindal Global Law School, has contributed this article to the blog.