02 May 2024
India has seen a significant spike in internet and technology penetration in the past decade, with estimates[1] projecting that the country will reach 900 million active internet users by 2025. The pervasive influence of internet and technology in every facet of life is also reflected in the rise of an accessible array of applications, websites, and platforms across almost all sectors, including the ‘sunrise’ gaming industry. Gaming as an industry is also poised for exponential growth, with some reports[2] indicating that the sector is expected to grow by 20% by FY25 to reach over INR 200 billion in revenue. Online gamers in India form a major fraction of the worldwide user base, with mobile gaming being a major contributor to that user base.
While the protection of digital assets, payment methods, and protection against impersonation are well-discussed risks associated with online gaming and its regulation, the risks associated with the processing of personal data by platforms, the purposes of such processing, and the sharing of data merit deeper attention. The advent of the Digital Personal Data Protection Act, 2023 (‘DPDPA’) requires platforms, gaming developers, and gamers (or users) alike to turn their attention to the framework under which personal data may be processed, to review notices, to provide consent (where required), and to exercise rights with regard to the processing of personal data.
The obligations imposed on Data Fiduciaries have been drafted to provide a framework within which personal data may be processed without hampering the ability of such platforms to offer innovative products and services. This reflects the legislative intent of encouraging informed, specific consent and transparent processing, while also enabling Fiduciaries to innovate and develop new products and services, akin to the concepts of privacy by design and privacy by default.
Gaming intermediaries and platforms that onboard users for providing gaming services and determine how and why user data is processed are likely to be considered ‘Data Fiduciaries’, while those that process user data under the control or instructions of the former (such as cloud gaming service providers, payment processors, analytics or support service providers) are more likely ‘Data Processors’ under the DPDPA.
It is important to recognize that the DPDPA is a sector-agnostic law that aims to govern the processing of personal data across sectors and industries. Its impact on a given sector may therefore be assessed by considering how its obligations apply to the user journey, and to the different activities undertaken throughout that journey, specific to the sector.
(a) Informed Notice and Consent: Providing an appropriate notice (in English and other local languages) setting out the datasets collected, the purposes of processing, sharing with third parties and the rights of individuals, along with the right to file a complaint, is one of the key obligations under the DPDPA. In addition, Fiduciaries must process user data either on the basis of consent or on the basis of certain ‘legitimate uses’.
Apart from aligning their notices, gaming platforms would have to specifically evaluate the grounds of processing, i.e., consent and ‘legitimate use’ (particularly voluntary submission), in the context of voluntary sign-ups, processing personal data for the safety and security of platforms and users, processing for targeted advertising, in-game communication, and in-app purchases. For each of these situations, it would have to be determined whether legitimate use may be relied upon or whether consent would have to be obtained from users.
Where consent has to be relied upon, gaming platforms may have to reimagine their user flows and journeys and embed consent within them in accordance with the free, specific, informed, and unconditional consent threshold provided under the DPDPA. These obligations may also have to be considered in addition to the requirements under the Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021 (‘Intermediary Guidelines’), as such gaming platforms may also facilitate significant peer-to-peer exchange of information.
(b) Technical and organizational measures: Online gaming data fiduciaries may be required to scale up technical, organizational and security measures to protect user data. While the extent of such measures will only be clear upon the notification of the rules, some of these measures may include data encryption, alignment with information security standards (such as SOC 2 or ISO/IEC 27001), periodic employee training, and the appointment of designated personnel to address queries.
(c) Engagement of processors and other entities: Gaming intermediaries may engage a wide range of processors, including analytics providers, advertising partners, cloud service providers, and authentication providers, many of which may process user data. All engagements with such processors must be codified in a valid contract that defines the scope and purposes of processing, subcontracting, and cross-border transfers, and that is fortified with appropriate warranties, indemnities and other protections.
(d) Grievance redressal: Gaming intermediaries must establish grievance redressal mechanisms to enable users to exercise their rights and raise concerns regarding the processing of personal data. This may require them to put in place appropriate internal policies and procedures and to designate personnel who would receive, inquire into and redress such complaints and requests to exercise rights, within the timelines specified by law.
(e) Internal mechanisms: Compliance with the DPDPA also requires entities to carry out implementation changes, such as introducing policies and procedures at the organizational and departmental levels for periodic audit and verification of Processor conduct, identification and removal of user data that is no longer necessary, procedures for facilitating the exercise of rights, and policies for conducting parental verification for the personal data of children and persons with disabilities, among others.
The requirements associated with processing children’s data remain one of the key considerations for entities in the gaming sector. The DPDPA requires the ‘verifiable consent’ of a parent or guardian prior to processing the personal data of children (any person below eighteen years of age) and persons with disabilities. Additionally, children’s data may not be processed in any manner that amounts to tracking or behavioral monitoring, involves targeted advertising, or otherwise has a detrimental effect on their well-being.
(a) This requirement may call upon online gaming platforms to present users with a notice, implement mechanisms for confirming the age of users before they enter the website, and incorporate measures for obtaining ‘verifiable’ parental or guardian consent. The details of the threshold and manner of such verifiability (including the verification documents to be sought and the mechanisms to be implemented) are expected to be set out in the rules to follow.
(b) Online gaming platforms may have to segregate users based on age, and limit targeted advertising and tracking activities to users who have attained the age of majority. Apart from the technical implementation required for such segregation, such measures may also require platforms to reconsider their advertising strategies and choices, particularly targeted advertising, for each of these user bases. Some of these obligations must also be considered and evaluated by intermediaries hosting such gaming platforms.
While certain entities have been exempted from some of the above obligations, such exemptions appear to be targeted at educational, healthcare, and related institutions, and their extension to online gaming platforms appears unlikely at the moment.
The advent of the DPDPA requires entities in the online gaming sector to realign and reimagine their data collection and handling practices. While some measures, such as privacy notices, consent mechanisms, and age verification, may already be in place as standard practice on many platforms, they may have to be assessed for adequacy in order to demonstrate compliance with the threshold provided under the DPDPA. Specific use cases, such as the extent of reliance on ‘legitimate use’ and concerns over the use of data collected in-app, must also be factored in from time to time.
In other cases, entities may have to implement more elaborate measures, especially in the context of processing activities, advertising, and third-party engagements, to remain compliant. These measures arise not only under the DPDPA, but also under the Intermediary Guidelines, which regulate aspects beyond privacy and data protection, such as content moderation. It is, however, important to consider that such privacy and technology measures have moved beyond mere compliance activity and today play a greater role in instilling confidence in such entities among various stakeholders, users, employees, and investors alike.
[The authors are Executive Partner, Senior Associate and Associate, respectively, in TMT-Data Protection practice at Lakshmikumaran & Sridharan Attorneys]