The government of India is swiftly developing the necessary regulatory infrastructure to accelerate the growth of its thriving online gaming market. At the beginning of 2023, the Indian government released the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, which, among other things, required online gaming operators to maintain and enforce comprehensive customer identity authentication and verification processes before accepting deposits from customers.


Building on this, in August 2023, the Indian government passed the Digital Personal Data Protection Act (DPDPA), which establishes anti-money laundering rules and provides detailed guidance on the usage of a customer’s personal information.


Protections for Customers

Under the DPDPA, customers have the right to access and make necessary changes to their personal data. They can also seek redressal of any grievance relating to the handling of their personal information and nominate a representative to exercise their rights under the DPDPA in case of death or incapacity. These new protections are developing a foundation that will allow customers to participate in the Indian gaming industry with confidence.


Regulations for Gaming Companies

The DPDPA now considers gaming companies to be “data fiduciaries” and, accordingly, establishes stringent criteria that they are obligated to adhere to. Notably, companies are now required to erase personal data if it is no longer needed or if a customer withdraws their consent for the company to use the data. Gaming companies must also have security safeguards in place to prevent personal data breaches, regardless of whether they store the data themselves or it is stored with a third-party data processor. In order to address questions about these obligations, gaming companies must appoint a Data Protection Officer and publish their contact information.


The Data Protection Board

The DPDPA also provides for the establishment of a Data Protection Board (DPB) that will be responsible for upholding the provisions of the DPDPA. The DPB will look into data breaches and customer complaints, and it will have the authority to impose financial penalties on offenders. Companies will be required to inform the DPB and affected users of a data breach. Failure to do so will result in penalties of up to INR 250 crore (USD 30 million). In cases where a data fiduciary has repeatedly violated DPDPA provisions, the DPB may advise the government to block the data fiduciary’s website or app. Appeals against DPB decisions will be heard by the Telecom Disputes Settlement and Appellate Tribunal.


The Big Picture

The penalties under the DPDPA emphasize the importance of protecting customer privacy and will act as deterrents for potential violators. Gaming companies will need to have robust policies and procedures in place to safeguard customers’ data and ensure compliance with the new privacy legislation.

The DPDPA has the potential to create a solid foundation for the growing Indian gaming industry, and this is an opportune time for stakeholders to enter the Indian gaming market. In doing so, gaming companies must consider the DPDPA provisions carefully and consult professionals in the field to ensure compliance.


If you have questions about India’s Digital Personal Data Protection Act or would like to discuss how these changes may impact your business, our Gaming and Gambling team would love to hear from you. Please do not hesitate to contact Manav Bhargava, our Head of India Desk at 1-800-604-1312 or https://segev.ca/contact-us/.


Disclaimer

***The above blog post is provided for informational purposes only and has not been tailored to your specific circumstances. This blog post does not constitute legal advice or other professional advice and may not be relied upon as such.**