
Smoking Privacy: The Known Risk of Data Misuse That Organisations Tolerate

Anandaday Misshra
January 2026

In 1964, the US Surgeon General declared that smoking causes cancer. The tobacco industry knew it before the report was published. They knew the risk. They calculated the cost. They chose to tolerate it.

Indian boardrooms are doing the same thing with data privacy. They know the DPDPA is law. They know their consent mechanisms are inadequate. They know their vendor agreements do not include Data Processing Agreements. They know their breach response protocol has never been tested.

They know. And they are tolerating it.

Smoking Privacy defined

Smoking Privacy is the known risk of data misuse that an organisation consciously tolerates — because the penalty feels distant, because the cost of compliance feels present, or because the institutional culture has normalised the gap between what the law requires and what the organisation does.

It is not ignorance. Ignorance ended the day the DPDPA received Presidential assent. Smoking Privacy is awareness without action. It is the spreadsheet with customer Aadhaar numbers that everyone knows should not exist. It is the vendor processing payroll data without a signed DPA that nobody has escalated. It is the consent banner that marketing deployed without legal review.

Data without consent is evidence. Evidence against you.

Why organisations tolerate it

Three forces keep Smoking Privacy alive in Indian organisations:

  • Regulatory distance: "The Board has not sent us a notice yet." True. But the Board is operational. The first notice does not arrive with a warning. It arrives with a show cause.
  • Compliance fatigue: organisations already managing GST, RBI, SEBI and labour code compliance treat the DPDPA as one more regulatory burden. The difference: the DPDPA carries penalties of up to ₹250 Crores depending upon the nature of the breach. No other Indian regulatory penalty comes close for a single data event.
  • Cultural normalisation: "Everyone processes data this way." That is not a defence. It is a description of industry-wide exposure. When the Board takes its first major enforcement action, the entire industry's normalised practices become the evidence base.

"DPDPA did not create new obligations. It documented the ones you were already ignoring."
— Anandaday Misshra

Do this now

Walk through your office. Ask five people what "personal data" means under the DPDPA. If none of them can answer in one sentence, the awareness gap is your first Smoking Privacy symptom. The second symptom is in your vendor register. Count the vendors processing personal data without a signed DPA. That number is your exposure count.
