Introduction
Earlier in the year, a tragic accident ensued in Rajasthan, after Google Maps allegedly led the driver of a van onto a closed bridge, which then led to the vehicle being swept away by the river, claiming death of three. A congruent fatal accident in Uttar Pradesh, due to misdirection of Google Maps, also made headlines back in November. Data inaccuracies by such tech giants have time and again affected innocent lives.. These fatal misdirections expose a broad accountability gap wherein inaccuracies of these apparently “free” services remain legally insulated.
This issue becomes even more fundamental when users “pay” with their personal data as consideration. In this regard, we argue “free” services are not truly free when users in exchange offer data and the Consumer Protection Act, of 2019 should recognise this to enforce liability. In this article, first, we examine how Online Service Providers (OSPs) currently escape liability through defences of contractual immunity, safe harbour of Section 79 IT Act, and the literal reading of “free” services under §2(42) of the CPA Secondly, we show how these defences collapse in today’s digital economy.. Thirdly, we explain a dire need to curate a justifiable system to balance the liability of the online mapping services with the actions of the third party. This is essential to accommodate the evolving digital market needs, where data is emerging as a new currency.
Status Quo of Liability Bearing
First, service providers require users to assent to a set of Terms and Conditions (T&Cs) before accessing their service(s). These T&Cs typically contain a variety of clauses that protect the terms and service provider from liability, particularly in cases where the service may lead to negative consequences for the user.
This has been the case with Google Maps’ T&Cs where Term 2, explicitly states that since the directions offered and the maps displayed may not be fully accurate or current, the OSPs will not be liable for any adverse consequences arising from the use of the information provided. Further, the T&Cs advise users to exercise independent judgment and verify critical details, particularly when navigating potential hazards such as road closures, traffic conditions, or other local disruptions, thereby shifting the responsibility for decision-making to the user.
Second, OSPs regularly operate large volumes of activities and data. This creates grounds for their second line of defence. Here, Google reasoned that since it operates maps worldwide and receives a humongous load of constant updates, it is not practically possible for it to be aware of every change occurring on the road.
Third, OSPs escape liability under the CPA since their users avail services without being charged for the same. Section 85 of CPA holds a service provider liable for any inadequacy in service, but the same is extended only to ‘paid’ services.
Primarily taking the aforementioned immunities, OSPs including Google Maps have time and again absolved themselves of liabilities. The author here attempts to subsequently analyse if these immunities are absolute, and how the existing provision can be interpreted and altered to ensure a just system.
Validity of Claimed Immunities
Terms and conditions
T&C clauses that protect OSPs require consumers to click an “I Agree” button to proceed. In practice, these T&Cs form unilateral online contracts, meaning consumers must accept them to use the services. These are referred to as ClickWrap Agreements, where consumer consent is obtained when they click on an “OK” button. Users have no option to bypass this step, making the agreement seem more like a necessity than a choice.
The courts have demonstrated a nuanced approach to such agreements. While clickwrap agreements in themselves have been considered valid, the Apex Court has emphasized the need for judicial intervention in contracts where there exists an apparent imbalance in bargaining powers. This is particularly relevant as T&Cs are often presented in long, complex formats, with legal jargon that is difficult for average consumers to understand. In Specht v. Netscape Communications Corp., the court rejected the enforcement of a click-wrap license where users are not required to take any affirmative steps in acknowledging their understanding of the agreement. Therefore, even when users have consented to the T&Cs, such consent is often not an informed choice of the consumer.
From the CPA’s perspective, such agreements do not create a blanket immunity for the service providers because the CPA has taken into account that consumers have very minimal bargaining powers in front of large business entities. Wherefore, to safeguard consumer interest, Section 49(2) and Section 59(2) were introduced as per which both the state, as well as the National Consumer Commission, have the powers to declare contractual terms that were unfair to consumers as null and void. This aimed to reduce predatory contractual clauses that favour service providers, promoting a more equitable consumer protection regime.
‘Free’ Services
As previously stated, OSPs escaped product liability under the CPA by claiming that they obtain no monetary consideration from the consumers. The literal interpretation of Section 2(42) of the CPA permits the exclusion of such ‘free services. However, the shift in principle from Caveat Emptor (buyer beware) to Caveat Venditor (seller beware) through the introduction of the 2019 Act promotes consumer protection when the provider has gained benefit through the transaction.
This creates a paradox in two-sided digital markets, often referred to as ‘zero-price’ markets. In these markets, consumers are offered services for “free” but, in reality, pay with their personal data, which is used for targeted advertising. This data, in essence, becomes the new currency in the digital economy.
In 2019 alone, Facebook and Google generated $230 billion—virtually all of it from the private data of their users. Specifically, Google earned more than 80% of its revenue from targeted advertising. This is made possible through Real-Time Bidding (RTB), a protocol that uses consumer data to evaluate and bid on digital ad space, allowing for highly personalized ads. In this context, the claim that service providers are not liable for product costs due to the lack of monetary exchange no longer holds. Consumers’ personal data is, in effect, the currency that keeps these companies profitable.
By-passing the Safe-Harbour
Another common defence taken by the OSPs is Section 79 of the Information Technology Act, which provides blanket immunity to an intermediary platform. However, employment of this defence in the context of navigation is a gross misapplication of the provision. Safe-harbour under Section 79 is granted to platforms which host third-party content i.e informational uploaded, generated or transmitted by users and only hosted by the intermediary. (Eg: a post on Instagram). Navigation on the other hand is digital cartography. They are first-party content generated by the mapping services itself. Google maps use algorithms to calculate routes, maintains geospatial data and profits from the accuracy of its output. Thus, when it directs a user to a wrong route it no third-party information rather its own directional product.
Need for Expansion In Consumer Protection Act
The CPA, 1986 was designed to prioritize the interests and needs of the consumers, provide a compensation-based solution to insulate the rights of consumers from exploitation and resolve their grievances through compensation-based solutions However, the Act would have lost its significance if it didn’t evolve to cater to the changing needs of the consumers. To bridge the existing gap in the CPA, it is essential to expand the interpretation of the statute through an evolutionary lens. To this extent, our focus narrows down to Sections 2(42), 85 and 8A. Section 2(42) of CPA, 2019: Why Data as Consideration Fits.
The present definition of ‘services’ under this section excludes those where no monetary consideration is paid. The critical phrase however is, “includes but not limited to” which is an inclusive clause and not an exhaustive list. In Indian Medical Association v. V.P Shanta, despite explicit exclusion of healthcare from 2019 Act’s list, Court included it based on the expansive language of the provision. The same interpretation applies to digital services with data exchange. In the digital economy, the quid pro quo in the user data which is extracted by the OSPs for real time bidding is that users receive access to services while their personal data is monetised. Thus, here the data transfer constitutes contractual consideration and does not fulfil the ‘free service’ criteria of the section which presumes zero benefit to the provider.B. Section 85: Liability Framework for Map Deficiency : This provision elucidates the conditions in which a product service provider can become liable for product liability. The grounds are namely deficient service, negligence, inadequate warnings and non-compliance with T&Cs. Each ground specifically activates liability when applied to mapping services:
S. 85(a)- Deficiency: Any OSP directing drivers to a route which is closed or collapsed should qualify as “deficient in quality” under any reasonable standard of accuracy for mapping services.
S. 85(b) – Negligence/Omission: The failure of an OSP to update its system for months after receiving a notification that a particular bridge has collapsed or the road no longer exists, constitutes an actionable omission.
S. 85 (c)- Inadequate Warnings: The online mapping services which do not alert users to unverified routes or reported route hazards, fail to meet the warning standards.
S. 85 (d)- Non-Compliance with T&Cs: While T&Cs may purport to shed liability, the CPA itself voids unfair contractual terms under S. 49(2) and S. 59(2) of the Act, Thus, the OSPs cannot use the adhesion unilateral contracts to escape liability for negligent breaches. C. Section 87: Limits on the Carve-outs: While Section 87 provides exceptions (such as when the user is under the influence or the product is misused), these should not apply to systemic mapping errors where the user followed the platform’s primary intended use. Thus, if a driver follows Google Maps’ direction to a closed bridge, the driver has not “misused” the map, rather the map is intrinsically deficient. This carve-out, hence, is not available when the deficiency stems from the OSP’s own negligence.
With OSPs covered under the Act and the liability framework under Section 85 being operative, it is essential to recognise that in zero-price digital markets, data must be treated at par with monetary payments to ensure consumer protection. This makes it imperative to interpret within the Act and not necessarily amend, the terms ‘consumer’ and ‘services’ to incorporate data transfers as valid considerations. This would align with the CPA’s principle that once a provider gains benefit from a transaction, liability automatically flows. This interpretation would help hold OSPs accountable even in the absence of monetary exchange, provided the data exchange is systematic and extracted as part of the service business model.
International Jurisprudence
Globally, Germany has led the way in expanding consumer protection, with Sections 312(1a) and 327 of the German Civil Code allowing consumer data as contract consideration, except when used for legal compliance solely. This legislative move directly recognises that in two-sided markets, data is the medium of exchange. Once data is accepted as consideration, the full weight of consumer protection law followss. India can adopt an interpretive approach within the existing §2(42) framework (using the “includes, but not limited to” doctrine) rather than requiring amendment. This is a breakthrough in recognising zero-price markets and granting rights to consumers where payment is not monetary but through data sharing..
The European Union (EU) introduced the Digital Content Directive (DCD) in 2019 and also amended Article 3 of their Consumer Rights Directive (CRD) to cater to contracts where consumers receive digital services and provide personal data as counter performance. Further, its 2022 Digital Service Act acknowledges that services in exchange of ‘data’ are not free and complements the formers Directives by establishing a three-tiered liability approach. It categorises liability depending upon the degree of user reach i.e. for all intermediaries, platforms with greater user rush and very large online platforms (VLOPS). The google mapping services with billions of user daily fall under VLOP and has highest liability.
In many countries like the U.S.A., Italy and Australia, the competition law body is the same as the consumer protection regulatory body. This unified approach allows for a more co-ordinated enforcement of consumer welfare standards across competition, consumer protection, and privacy domains. Thus, the introduction of zero-price markets in the former realm is directly proportional to increased consumer welfare in these countries.
Curating a Justifiable System
To ensure fairness, proposed changes to the CPA should balance the rights of both consumers and service providers. To this extent, the system must adopt a proportionate liability framework that balances the rights of consumers with the operations of OSPs along with the responsibility of the state. Here, we propose a four-fold test to determine liability:
Before imposing liability on anybody, the consumer must first prove that there existed a –
- Duty of care for verifiable information: The OSP had a duty of care to provide accurate navigation information for the information which is verifiable. This is codified in S. 85(a) of the CPA, wherein services are required to meet a standard of adequate quality in all manners required.
- Breach of standard for updating the system: The OSP breached their duty (eg; by failing to act on government notification or accurate satellite data update). We must examine if there was a failure on part of the OSP to notice and update their system for available information.
- Causation: The OSP’s failure was the sole reason for the injury and the consumer could not have possibly foreseen or prevented the danger.
- Actionable loss: Consumer must display physical or economic injury resulting from the OSP’s failure. In most cases, the misdirections cause fatal accidents, claiming lives which becomes an actionable loss.
Once it is established that the consumer does have a valid claim under the CPA, it is essential to identify whether the state or the OSP or an external third party was at a superior position as the cause of harm. We cannot completely ignore the contributory negligence on part of the users to flock reasonable safety measures like speeding limit, rash driving, etc. This is also coupled by gaps in government notice which fail to label and notify if any infrastructure is undergoing repair or is damaged. Thus, a balance needs to be struck to weight justly the liability of OSPs with the contributory negligence of the users and the governmental duties.
Conclusion
In recent times, where digital services have become an integral part of our lives, our consumer protection laws must also evolve accordingly to address the new challenges. The paradox of ‘free services’ but ‘costing data’ requires restructuring how we define ‘services’ and ‘payment’ under the CPA. By expanding CPA to recognize data as currency, India can join countries like Germany and the EU in creating a more equitable digital marketplace. This expansion would not only protect consumers but also establish clear liability frameworks for service providers and governments. A regulatory framework with government oversight should be established which can oversee the timely update of roads and infrastructure to the navigation service providers.
Thus, the way forward includes the careful consideration of all stakeholders, ranging from government authorities to tech companies, which in turn ensures that consumers don’t suffer at the hands of outdated legal definitions. It is time that India’s consumer protection framework acknowledges that in the modern economy, not all payments are made in rupees.
(This post has been authored by Kavya Mittal and R. Dayasakthi, third-year law students at Rajiv Gandhi National University of Law, Punjab.)
CITE AS: Kavya Mittal and R. Dayasakthi, ‘Mapping Data as Currency: New Routes in Consumer Protection’ (The Contemporary Law Forum, 22 February 2026) <https://tclf.in/2026/02/22/mapping-data-as-currency-new-routes-in-consumer-protection/> date of access.