An app asked for my location and contacts — is that legal, and can I refuse?
At a glance
An app can ask for a permission only where it genuinely needs it for something you’re doing — and you can refuse the rest. Under India’s DPDP Act, consent must be free, specific and unconditional, and collection limited to what the purpose needs, so an app can’t force access to your contacts, location or photos as the price of a feature that doesn’t require them. A maps app needs location; a photo-editor demanding your contacts does not — and refusing that shouldn’t cost you the core service.
Educational resource only. This explains how India’s Digital Personal Data Protection Act, 2023 (DPDP Act) applies to app permissions; it is not formal legal advice.
On this page
- When an app can legitimately ask
- The rule that protects you: consent must be unconditional
- Contacts and photos: why these deserve extra caution
- What you can do about it
- FAQ
The situation
You install a simple app — a torch, a photo filter, a game — and it immediately demands access to your location, your contacts, and your photos. It feels intrusive, and it’s not obvious whether it’s even allowed, or whether saying no will break the app. Usually you can say no, and usually the app should still work for what you came for.
When an app can legitimately ask
A permission is fair game only when the feature you’re using genuinely needs it — not just because the app would like the data. Under the DPDP Act, collection is tied to purpose: an app can collect what a stated, specific purpose actually requires (Section 6), and no more. So the honest test is whether the permission maps to something you’re doing:
- Genuinely needed — a ride app or maps app needing location to find you; a camera app needing the camera; a calling app needing the microphone.
- Usually not — a flashlight or wallpaper app wanting your contacts; a game demanding your precise location; a basic utility asking for your photo library. When the permission has no bearing on the feature, that’s over-collection.
This applies even to apps built abroad — the DPDP Act covers any company collecting the data of people in India, wherever it’s based. Big developers usually comply to protect their business; with a small or overseas developer you may have less practical recourse, which is exactly why your strongest protection is the permission prompt itself — refuse what the feature doesn’t need, whoever made the app.
The rule that protects you: consent must be unconditional
An app can’t make an unnecessary permission the condition of giving you the service. This is the load-bearing part. The DPDP Act requires consent to be free and unconditional — you can’t be pressured into handing over data a service doesn’t need by making it a take-it-or-leave-it demand. An app may require the data a feature genuinely depends on, but it can’t hold the whole app hostage to an unrelated permission. Where an app blocks you entirely unless you grant access it plainly doesn’t need, that runs against the “free and unconditional” standard.
Contacts and photos: why these deserve extra caution
Granting contacts access hands over other people’s data too, not just your own — so it’s worth guarding closely. Your contact list contains the names and numbers of people who never agreed to be shared with that app. Handing it over exposes them, not only you, and it’s one of the most commonly over-requested and misused permissions — often feeding marketing, “friend suggestions,” or worse. Photo and file access is similar: it can expose far more than the one image the app needs. Treat these two as the ones to refuse by default unless the feature clearly and currently needs them.
What you can do about it
You can refuse, grant narrowly, or withdraw later — the controls are on your side.
- Deny at the prompt. Say no to permissions the feature doesn’t need; most apps carry on for their core function.
- Grant the narrow version. Modern phones let you allow location “only while using” or “approximate,” and give one-time or limited access — prefer these over “always.”
- Review and revoke later. Your phone’s Settings → Privacy / Permissions lets you see what each app has and switch off what it shouldn’t hold.
- Walk away from the worst offenders. An app that won’t function unless you surrender unrelated data is one to reconsider — there’s usually an alternative that asks for less.
FAQ
Can an app force me to share my contacts to use it? Not where the feature doesn’t need them. Consent has to be free and unconditional, so an app can’t make an unrelated permission the price of the service. A feature that genuinely relies on contacts is different — but a flashlight or wallpaper app isn’t.
Is it legal for an app to ask for my location? Asking is fine where the purpose needs it — maps, ride-hailing, delivery. Demanding precise location for something unrelated, or as a condition of a feature that doesn’t use it, is over-collection you can refuse.
Will the app stop working if I deny a permission? Only the parts that genuinely need it. Denying contacts access to a photo editor, say, shouldn’t stop you editing photos. If an app blocks its core function over an unrelated permission, that’s a red flag.
Why is sharing my contacts a bigger deal? Because it exposes other people’s personal data, not just yours — names and numbers of people who never agreed to be handed to that app. That’s why it’s worth refusing unless a feature clearly needs it.
Related Articles
Reviewed by Confidential Dispatch Editorial Team
Last updated 15 July 2026
Not legal advice.