Unilateral Contract Modification in SaaS and Platform Agreements: User Rights Against Dynamic Terms of Service

Introduction

The terms of service governing digital platforms and software-as-a-service products have become among the most read and least understood contractual instruments in contemporary commercial life. More significantly, they are among the most frequently modified. Platforms regularly update their terms, privacy policies, and acceptable use policies, often providing notice through methods as minimal as an email to the registered address or a banner notification within the product interface, and treating continued use of the service as acceptance of the modified terms. This practice of unilateral modification, conducted at the platform’s discretion and on the platform’s preferred terms, raises fundamental questions about the nature of contractual consent and the adequacy of the legal protections available to users under Indian law.

The question of whether a platform can unilaterally modify the terms governing an existing contractual relationship without fresh, affirmative consent from the user is not merely a doctrinal curiosity. It has practical consequences for the tens of millions of Indian users of services ranging from social media platforms to cloud-based productivity tools, e-commerce marketplaces, and payment applications. The WhatsApp privacy policy controversy of 2021, which triggered regulatory and judicial intervention across multiple jurisdictions and brought the question of unilateral modification into the mainstream of Indian public discourse, demonstrated both the practical significance of the issue and the inadequacy of the existing legal framework to address it.

This article examines the legality of unilateral ToS modification under the Indian Contract Act, the Consumer Protection Act, 2019, and the Digital Personal Data Protection Act, 2023, considers the judicial and regulatory responses to specific incidents of controversial modification, and proposes a framework for reform.

Legal Framework

The foundational principle of Indian contract law governing modification is Section 62 of the Indian Contract Act, 1872, which provides that if the parties to a contract agree to substitute a new contract for it, or to rescind or alter it, the original contract need not be performed. The critical word in Section 62 is “agree”: modification of a contract requires the mutual consent of both parties. A unilateral change to the terms of a contract, imposed by one party without the other’s consent, does not constitute a modification of the original contract; it is a new offer, which the other party may accept or reject.

Applied to platform ToS, the analysis would suggest that when a platform modifies its terms and notifies users that continued use constitutes acceptance, it is making a new offer. A user who continues to use the platform accepts the new offer, creating a fresh contract on the modified terms. A user who declines to accept the new terms must cease using the platform, effectively accepting termination of the existing contractual relationship. This analysis treats “continuing to use” as a form of conduct that constitutes acceptance under Section 8 of the Indian Contract Act, which provides that performance of conditions of a proposal, or the acceptance of any consideration for a reciprocal promise offered with the proposal, constitutes acceptance.

The analysis is facially plausible but produces troubling results in practice. The proposition that a user who does not affirmatively opt out of modified terms has by conduct accepted them treats passive inertia as contractual consent, which sits uncomfortably with the principle that acceptance must be communicated and that silence is not ordinarily acceptance. Where the practical alternative to “accepting” the modified terms is losing access to a service on which the user has become significantly dependent, whether through data lock-in, network effects, or the absence of realistic alternatives, the voluntariness of the “acceptance” is questionable.

The Consumer Protection Act, 2019, introduced a significant new dimension to this analysis through its provisions on unfair contracts. Section 46 of the Act empowers the Central Consumer Protection Authority to define unfair trade practices, and the Central Consumer Protection Authority Rules, 2021, specify that contracts that give the service provider the right to unilaterally modify their terms without adequate notice to the consumer may constitute unfair trade practices. The Act creates rights for consumers to challenge unfair contract terms before the consumer commissions and courts established under the Act, though the practical enforcement of these rights remains underdeveloped.

The Digital Personal Data Protection Act, 2023, adds a further layer of complexity in the specific context of ToS modifications that affect data processing practices. The Act requires that consent to the processing of personal data be free, specific, informed, unconditional, and unambiguous. Where a ToS modification alters the terms on which a platform processes a user’s personal data, the platform cannot rely on deemed acceptance through continued use to satisfy the DPDP Act’s consent requirements; it must obtain fresh, affirmative consent for the altered processing purposes.

Judicial Developments

The WhatsApp privacy policy controversy of 2021 is the most significant Indian episode in the unilateral ToS modification debate. In January 2021, WhatsApp notified its users of changes to its privacy policy that, among other things, altered the terms on which WhatsApp shared data with its parent company, Meta (then Facebook). Users were given until February 8, 2021, to accept the new policy or lose access to WhatsApp. The policy attracted widespread criticism, regulatory attention from the Competition Commission of India, and a case before the Delhi High Court.

The CCI’s investigation into WhatsApp’s privacy policy modification, initiated in March 2021, examined whether the take-it-or-leave-it terms of the modification, imposed by a platform with a dominant position in the market for over-the-top messaging services, constituted an abuse of dominance under the Competition Act, 2002. The investigation produced a finding in 2022 that WhatsApp had indeed abused its dominant position through the implementation of the 2021 privacy policy, and the CCI imposed a penalty of approximately Rs 213 crore on WhatsApp. The order also directed WhatsApp to provide users with the option to opt out of sharing data with Meta and to desist from requiring acceptance of the privacy policy as a condition of using WhatsApp’s core functionality.

The Delhi High Court proceedings, initiated by petitioners challenging the 2021 policy update, raised constitutional and statutory questions about the adequacy of notice, the genuineness of consent, and the interaction between the Information Technology Act’s data protection framework and the terms of service. The proceedings ultimately concluded without a definitive judgment on the substantive questions, following regulatory intervention and WhatsApp’s modifications to its implementation plan, but the litigation highlighted the absence of clear statutory standards for the notice and consent required for ToS modifications.

The Twitter or X platform’s changes to its terms of service following the Elon Musk acquisition in late 2022 presented a further set of issues for Indian users. The rapid and repeated modifications to Twitter’s terms, including changes to the conditions for account verification, the monetisation of previously free features, and the content moderation standards applicable to Indian content, raised questions about whether users who had contracted on the basis of the pre-acquisition terms retained any rights against the modified terms. The absence of Indian judicial proceedings on these specific issues reflects the practical difficulty of mounting individual challenges to platform ToS modifications, rather than any indication that the legal issues are uncontested.

Contemporary Issues and Analysis

The interaction between the DPDP Act, 2023, and platform ToS modification practices is the most significant current legal development in this area. The DPDP Act’s requirement of informed and specific consent for data processing means that a platform wishing to alter its data processing practices must not merely modify its privacy policy and notify users through standard channels; it must obtain affirmative, purpose-specific consent for each new or altered processing purpose.

The Act’s provisions on consent withdrawal are particularly significant for platforms that embed data processing terms within their broader ToS. Section 6 of the DPDP Act provides that a user may withdraw consent at any time, and that withdrawal of consent must not be made conditional on consequences that are as onerous as the original giving of consent. This provision creates a direct tension with the standard platform practice of making the withdrawal of consent for data processing equivalent to termination of the service relationship. The platform’s response, that it cannot provide the service without processing the relevant data, is commercially understandable but may not satisfy the Act’s requirements where the data processing in question goes beyond what is strictly necessary for service delivery.

The constructive versus actual notice question is central to the evaluation of whether users have been adequately informed of ToS modifications. Platforms typically provide notice of modifications through a combination of email notifications to registered addresses (which may be outdated or not regularly monitored), in-app banners or pop-ups (which users habitually dismiss without reading), and updated posted terms on the platform’s website (which virtually no user reads). The question of whether such constructive notice satisfies the legal standard for informed consent to a contractual modification is one that Indian law has not definitively addressed.

The practical constraint of account termination as the remedy for refusal to accept ToS modifications significantly limits the effectiveness of any right to refuse modifications. Where a platform has accumulated years of a user’s data, communications, and social connections, the cost of account termination is substantial and may not be practical. This lock-in effect transforms what is nominally a bilateral contractual relationship into something closer to a unilateral imposition of terms, which the user accepts not because they genuinely agree but because the alternative is unacceptably costly.

Comparative and International Perspective

The European Union’s approach to unilateral ToS modification is significantly more protective of user rights than the current Indian framework. The EU Directive on Consumer Rights (2011) and its implementation across member states require that contract terms must be brought clearly and individually to the consumer’s attention before the contract is concluded, and that the consumer must expressly consent to changes in the terms of ongoing service contracts. The Digital Markets Act (2022), applicable to designated “gatekeepers” (large platforms with significant market power), imposes additional requirements including the obligation to notify changes to terms in advance and to provide effective mechanisms for users to contest modifications.

The GDPR’s consent requirements for personal data processing, which have been the model for India’s DPDP Act, establish that consent must be unambiguous and freely given, that continuing to use a service cannot constitute consent to modified data processing terms, and that bundling consent for non-essential processing with consent for core service delivery is not permitted.

California’s privacy law framework, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act, similarly requires affirmative consent for changes to the purposes for which personal data is processed, and provides users with the right to opt out of certain categories of processing without losing access to the core service.

Practical and Policy Implications

The policy implications of the current regulatory gap are significant for India’s digital economy. Platforms operating in India operate under a lighter regime on ToS modification than they face in the European Union or, increasingly, in California. This creates both a competitive advantage for platforms that can impose unfavourable terms on Indian users and a disadvantage for Indian users who lack the protections available to their counterparts in other jurisdictions.

The Competition Commission of India’s WhatsApp order demonstrates that competition law provides some check on the most egregious abuses of platform power in ToS modification, particularly where a platform holds a dominant position. But competition law is an imprecise instrument for regulating the terms of ongoing contractual relationships; it is better suited to addressing extreme cases than to establishing a general framework for fair ToS modification practices.

The DPDP Act’s consent framework provides a more targeted tool for the data processing dimension of ToS modification, but the Act’s implementation regulations, which are still being developed by the Data Protection Board of India, will determine how effectively its consent requirements are enforced against platform modification practices. Early indications suggest that the Board will take a reasonably robust approach to the requirement of affirmative consent, but the enforcement infrastructure is not yet in place.

Suggestions and Reforms

A comprehensive framework for fair ToS modification should include the following elements. First, the Consumer Protection Act should be amended to specify that modification of the terms of an ongoing digital services agreement requires advance notice of not less than thirty days, provided through direct communication to the user’s registered contact information, in clear and plain language that specifically identifies the nature and effect of the proposed modification.

Second, the Consumer Protection Act should establish that a user’s right to refuse a modification and receive a pro-rata refund of any pre-paid fees, together with an export of their data in a standard machine-readable format, must be preserved as a condition of any modification that materially alters the rights and obligations of the parties. The practical difficulty of exercising this right, given network effects and data lock-in, should be addressed through requirements for data portability and interoperability in platform markets.

Third, the DPDP Act’s implementing regulations should clarify that modifications to a platform’s data processing practices require fresh, affirmative consent from existing users for each altered processing purpose, and that such consent may not be conditioned on the user’s acceptance of other modifications to the service terms that are unrelated to data processing.

Fourth, the Ministry of Electronics and Information Technology should develop safe harbour guidelines for ToS modification practices that clearly specify which categories of modification require affirmative consent, which may rely on notice and continued use, and which are entirely prohibited. Such guidelines would provide platforms with a clear compliance framework and users with a clear understanding of their rights.

Conclusion

The unilateral modification of terms of service is a practice that has evolved in the absence of an adequate legal framework, relying on user inertia, network lock-in, and the practical impossibility of individual challenge to sustain contractual arrangements that the Indian Contract Act’s fundamental consent requirements would not endorse. The combination of the DPDP Act’s consent framework, the Consumer Protection Act’s unfair contract provisions, and the CCI’s competition law oversight provides the regulatory tools for a more protective regime, but those tools require more precise calibration and more active enforcement than they have thus far received. The digital economy’s democratic legitimacy depends, in part, on users being genuine participants in the contractual relationships that govern their digital lives, rather than passive recipients of terms that platforms can alter at will.

About the Author

Leave a Reply

Your email address will not be published. Required fields are marked *

You may also like these