The Digital Personal Data Protection Act, 2023, (DPDP) is India’s first comprehensive data protection legislation. Under the DPDP, data fiduciaries can process data principal’s personal data under either ground of consent or legitimate use. The ground of legitimate use on voluntarily providing data is previously unknown and has been less explored in the Indian context where the implementation of the DPDP is awaited. Legitimate use allows data processing when the data principal voluntarily provides data for a specified purpose and does not indicate non consent. The paper proposes how to legally interpret legitimate use for strong data protection in India. The paper finds that ‘specified purpose’ should be interpreted as a ‘specific’ purpose, and not all purposes envisaged in the privacy policy. A data principal’s voluntariness to data processing must be assumed to the extent that a reasonable person would expect their data to be processed when explicitly requesting a service. When relying on legitimate use, the data fiduciaries must always provide the data principal with an option to opt-out.