Impact of India’s new data protection laws on gaming and gambling

Introduction

India’s perennial quest for an overarching personal data protection law ended on 11 August, 2023 when both Houses of the Parliament passed The Digital Personal Data Protection Act 2023 (the “DPDP Act”). The President gave her assent a few days later and the DPDP Act was notified in the official gazette days before India’s 76^th Independence Day. Although the DPDP Act is yet to come into force and granular rules are being framed as we pen this, it stands as a culmination of events that started in 2017 with the landmark judgement of the Supreme Court of India in Justice K.S. Puttaswamy v. Union of India.[i] In this case, privacy was held to be a fundamental right under the Indian Constitution, equivalent to the fundamental right to life and personal liberty itself.

Some key concepts reflect privacy legislation across the world, and key themes such as “Data Fiduciary” (data controller); “Data Principal” (data subject); “Data Controller” and “Personal Data” are present in the DPDP Act. However, as is true with any privacy legislation, the DPDP Act comes with its own unique set of requirements which may not be covered by other global privacy legislations applicable to an organisation. Hence, gaming operators will need to comply with the DPDP separately, even if they are already compliant with other global legislations like the GDPR.

As multiple industries prepare to align their practices as per the DPDP Act, this article attempts to assist gaming operators in assessing some of the key requirements. Considering that the DPDP Act is not currently in force and more clarity is expected once the rules are notified, the compliance requirements discussed here are not exhaustive and the suggestions herein are not a sure shot way to be compliant. However, this article seeks to provide guidance on where to start and how to move ahead.

Purpose limitation while collecting personal data of gamers

In the Indian market, it is usual for operators to adopt an all-inclusive approach when taking a gamer’s consent to their personal data being collected. Soon however, blanket consents with little to no specificity, may not be sufficient. Under the DPDP Act, gaming operators may process the personal data of a gamer either based on explicit consent or for certain legitimate uses (like the ‘legitimate interest’ concept under GDPR) only.^[ii]

Gaming operators typically gather data such as (i) personal information about the gamer: name, email address, gender, age, phone number, GPS location, demographic information; (ii) financial information: bank account details, debit or credit card details; and (iii) gameplay data (the games they play, frequency, duration, achievements, etc.). While some may arguably be non-personal data, most is likely to fall within the DPDP Act’s definition of “personal data”.[iii]

The DPDP Act requires that operators obtain consent from the gamer for processing their personal data and that such consent be free, specific, informed, unconditional and unambiguous with a clear affirmative action (collectively “Six Components”).^[iv] In some circumstances, the operator is permitted to process personal data of the gamer for certain legitimate uses.^[v] The DPDP Act details nine such “legitimate uses”, for instance, if the processing is required to comply with any court order or to fulfil any obligation under an existing law (such as collecting age data to ensure appropriate age-gating).

Points to consider: As a first step, gaming operators must identify and catalogue the types of data that they collect and bifurcate them into personal and non-personal data. It will be useful to identify separately whether any set of personal data is gathered from a publicly available source as this is exempt from the obligations under the DPDP Act. Cataloguing data will make it easier for platforms to identify the purpose of processing such data and give them better compliance oversight. Additionally, operators should revisit and re-work their privacy policies and articulate the rationale behind the processing of personal data in a clear and accessible manner. It is advisable to review and potentially discontinue the collection of such personal data that may not be essential to the provision of gaming services and was obtained for other unelated business or commercial reasons and which cannot be attributed to a specific reason or purpose.

Consent and notice requirements at various stages of the user journey

The DPDP Act requires operators to process personal data based on user consent and to ensure that such consent satisfies the Six Components.[vi]  In order to obtain consent, platforms must present the gamer with a comprehensive privacy notice (“Privacy Notice”) having the following details:

• The personal data to be collected.
• The specified purposes for which such personal data will be processed.
• The manner in which the gamer can exercise their right to (i) withdraw consent for processing; and (ii) have their grievances redressed.
• The manner in which the gamer may make a complaint to the Data Protection Board of India.

While the rules to be issued under the DPDP Act will clarify the manner and form in which consent needs to be obtained and the format of the Privacy Notice, it is likely that platforms may be required to make certain tweaks at different stages of a user’s journey on the platform. In addition, the gaming operator is required to give an option to the gamer to access the Privacy Notice in English or any language specified in the Eighth Schedule to the Constitution of India, as the gamer so decides.

Points to consider: Operators can consider starting off by identifying the relevant stages in their product flow where fresh or additional personal data is being collected from the gamer. Usually, stages where fresh personal data is collected rom a gamer are during: (a) sign-up; (b) profile creation; (c) during actual gameplay; (d) access to an in-app marketplace; (e) engagement and interaction with other users; and (f) during in-app purchases, among others. These stages may of course differ from product to product, but identifying these stages is crucial, since the DPDP Act may require operators to include necessary information tabs and build opt-in consents at these very stages. In addition, since there is a requirement to provide users with the ability to give consent and the Privacy Notice in English or any of the 22 languages under the Indian Constitution, operators may want to engage local translators or explore technological means to enable the same.

Cautious approach while dealing with child data

Given that existing Indian laws do not contain age-based differentiation for personal data, the DPDP Act brings about a paradigm shift by imposing special obligations while collecting and processing personal data of a “child”. A “child” is defined as an individual who is yet to attain the age of majority viz., 18 years. These special obligations become particularly crucial for formats such as e-sports and daily fantasy, where a significant user base comprises of children and teenagers.

There are three main restrictions that the DPDP Act has imposed when it comes to the processing of children data. First, operators must obtain the verifiable consent of a parent or guardian.^[vii] Second, no operator should undertake any processing that is likely to have a detrimental effect on the well-being of a child gamer.[viii] Third, operators should not engage in behavioral monitoring or send targeted advertisements to children.^[ix] There are of course ambiguities present in some of these restrictions, such as the meaning of “detrimental effect”, and the government is yet to provide clarity on how the “verifiable consent” of the parent or guardian will be obtained. Restriction on the behavioral tracking of children will also pose a business challenge for operators that specifically curate online games for educational, clinical, and diagnostic purposes for children.

However, the Central Government has the discretion and power to exempt certain Data Fiduciaries or class of Data Fiduciaries from the obligation to obtain verifiable parental consent and relax the prohibitions on tracking etc.^[x] The exact criteria through which such Data Fiduciaries will be identified and exempted is yet unclear, but we expect the government to take a practical approach and provide baseline criteria which Data Fiduciaries are expected to meet in order to qualify for the exemption.

Points to consider: Considering that the DPDP Act has stringent conditions for children’s data, operators may want to consider having a separate on-boarding and data collection process for child users. Obtaining the ‘verifiable consent’ of a parent or guardian will be crucial and it will be helpful to explore how other parallel industries verify child users in practise. Since the DPDP Act notes that the government may exempt certain Data Fiduciaries from these requirements if they are able to demonstrate their data processing activities are conducted in a safe manner, it will be useful to keep accurate logs of data and have transparent policies in place. Lastly, since gaming operators are also separately governed by the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules”)^[xi] where concepts like “user harm” are defined, one may want to take a purposive and co-joint reading of the DPDP Act and the IT Rules.

Honoring the rights of Data Principals

The rights of a Data Principal are the foundation on which the DPDP Act is based. The DPDP Act gives certain rights to the gamer which an operator needs to bear in mind and facilitate. These are:

Right to access information:^[xii] A gamer will have the right to seek information from the gaming platform about the level of personal data that the operator has and the purposes for which it will be used. The gamer also has the right to enquire about other entities with whom such data has been shared and seek a description of such shared data.

Right to withdraw consent for processing:^[xiii] A gamer may withdraw consent for processing her personal data. The DPDP Act requires that the process of withdrawing consent should be as easy as giving consent was. Upon such withdrawal of consent, the gaming platform will be required to cease processing of such gamer’s personal data within a reasonable time and cause its Data Processors to cease doing so.

Right to correction, updation and erasure:^[xiv] A gamer may require a gaming platform to correct, update, modify or erase their personal data even if they had previously given consent for the same.

Right to grievance redressal:^[xv] A gamer shall have the right to raise grievances against the gaming platform in relation to any of the latter’s obligations under the DPDP Act or the exercise of her rights. The timeline within which a gaming platform has to address and resolve such grievances is yet to be prescribed. The gamer can approach the Data Protection Board of India only after exhausting this avenue of grievance redressal.

Right to nominate:^[xvi] A gamer shall have the right to nominate an individual as their nominee to exercise their rights under the Act in case of death or incapacity.

Points to consider: In addition to ensuring that all these rights are easily accessible and available to a gamer, a gaming platform should think through its UI/UX design in a manner that these rights are accounted for. Platforms should chisel their UI carefully and evaluate the relevant junctures where they can enable the data principal to exercise their rights seamlessly and effectively. The DPDP Act expects that some of these rights are not kept hidden across the platform and a user is able to find and exercise these rights simply.

Managing relationship with the data processors 

Gaming platforms invariably engage and rely on multiple third-party service providers for various functions, be it payment processing, technology support, marketing activities, or lead generation. According to the DPDP Act, a “Data Processor”^[xvii] refers to any person who processes personal data on behalf of the Data Fiduciary; i.e., the gaming platform.

Unlike privacy legislations in some other countries, the DPDP Act has not put any direct obligations or compliance requirements on the Data Processor itself. The DPDP Act attributes responsibility solely to the Data Fiduciary, even though the processing may be carried out by third parties.^[xviii] Having said that, it is mandatory for Data Fiduciaries to undergo such delegation or outsourcing under a valid contract only.^[xix] Hence, Data Fiduciaries will need to exercise control and provide clear instructions to Data Processors on how to handle the personal data through their written contracts.

Data Fiduciaries may not be able to complete several obligations imposed under the DPDP Act without the cooperation and support of Data Processors. For instance, if a gamer requests the Data Fiduciary to delete their data or withdraws their consent for further processing, a Data Fiduciary may not be able to meet this request unless the relevant Data Processor agrees to such request.

Points to consider: Operators should identify and collate the list of all relevant Data Processors with whom they have shared or will share personal data of the gamer. The relevant contracts with each such Data Processor should then be examined to check if the Data Fiduciary has sufficient control and oversight over the Data Processor’s processing activities and whether such Data Processor is bound to comply with the relevant instructions of the Data Fiduciary with respect to personal data. Operators that have standard vendor contracts should revise the templates and build sufficient clauses in line with the DPDP Act. Lastly, operators should have internal standard operating procedures (SOPs) that explain the chain of command and communication while passing on requests to Data Processors.

Conclusion

The DPDP Act is a watershed moment in safeguarding personal data in India. This legislation was long overdue, given the number of internet users in India, the data generated by them, as well as the country’s role in cross-border trades and investments. Needless to say, the DPDP Act requires online gaming platforms to navigate the delicate equilibrium between delivering an engaging gaming experience and safeguarding gamers’ personal data. Despite the awaited regulatory specifics, swift implementation is advised to establish a preliminary foundation and then build on it as more clarity is provided through the rules and other market parallels.

[i] Writ Petition (Civil) No. 494 of 2012

[ii] Section 4 of the Act.

[iii] Section 2(t) of the Act: “personal data” means any data about an individual who is identifiable by or in relation to such data.

[iv] Section 6 of the Act.

[v] Section 7 of the Act.

[vi] The Act says that if a question on consent arises in any proceeding, the gaming platform will have to prove that consent was given by the gamer in accordance with the provisions of the Act and its rules.

[vii] Section 9(1) of the Act.

[viii] Sections 9(2) of the Act.

[ix] Sections 9(3) of the Act.

[x] Section 9(5) of the Act.

[xi] By this 2023 amendment, online gaming industry has been brought under the purview of the IT Rules.

[xii] Section 11 of the Act.

[xiii] Section 6(4) of the Act.

[xiv] Section 12 of the Act.

[xv] Section 13 of the Act.

[xvi] Section 14 of the Act.

[xvii] Section 1(2)(k) of the Act.

[xviii] Section 8(5) of the Act.

[xix] Section 8(2) of the Act.