As the world increasingly shifts its activities online, India finds itself at the crossroads of data privacy and security challenges. In the absence of a dedicated data protection law, the need for one in India was becoming more apparent than ever. The notification of the Digital Personal Data Protection Act (DPDPA) represents a significant milestone in this endeavour, bringing about crucial changes in the way every online intermediary collects, processes, shares and stores digital personal data.
The DPDPA would also impact India’s fledgling ecosystem of online gaming intermediaries (OGIs), which has shown tremendous growth and potential in recent years. Online gaming in India has seen remarkable growth, evolving from simple single-player games in the early 1990s into a thriving $2.9 billion industry in 2022. It is regarded as a promising sector by policymakers and strategists, with projections suggesting it could exceed $8.6 billion by 2027, at an impressive CAGR of 28 per cent. This article delves into the far-reaching impact of the DPDPA on the dynamic world of online gaming.
Online gaming platforms and their tryst with personal data
To comprehensively assess the potential implications of the DPDPA, it is essential to examine the extensive array of personal data routinely gathered by online gaming applications, officially known as online gaming intermediaries. Some of this data is indispensable for the application’s functionality, while certain pieces are mandated by regulatory requirements. Let’s delve into some of the most crucial data fields that OGIs collect from the users of these gaming applications.
Key categories of personal data typically collected by OGIs:
- Personal information (PI) data of gaming user: Name, age, gender, picture, mobile number and email address.
- Know your customer (KYC) data: Bank account number, Permanent Account Number (PAN) (image), Aadhaar number (image) and unified payments interface (UPI) virtual payment address (VPA).
- Technical/device data: User’s global positioning system (GPS) location, internet protocol (IP) address, device/mobile’s international mobile equipment identity (IMEI) and media access control (MAC) address.
- Financial and transaction data: Funds’ debit/credit, withdrawal of winnings and in-game purchases.
- Gaming behavioural data: Games played, duration, play frequency and user competency (wins and losses).
- Communication data: In-game chat messages, voice or video chat recordings, messaging history, friends and contacts lists, etc.
Four principles for OGIs to adhere to
Data minimisation: This principle requires OGIs to collect and store only the data that is strictly necessary for gaming purposes, thereby reducing the risk of misuse or unauthorised access. OGIs need to:
- Assess and identify the specific purpose for collecting each data field.
- Review and possibly discontinue the collection of optional personal data that may not be essential for their services.
Illustration for the gaming sector: It may not be necessary to collect gender information, which has no bearing on the outcome of the game. Thus, OGIs may stop collecting the user’s gender information.
Data retention/deletion: This principle requires OGIs to retain personal data only for the period necessary to fulfil the purpose for which it was collected or processed. Data deletion, in turn, requires OGIs to act on deletion requests whenever data principals choose to make them.
Illustration for the gaming sector: OGIs would need to implement a process to enable the data principal to request for permanent deletion of their account, which would entail permanent deletion of all personal data, data logs and private keys related to the data principal.
Granular data consent from users: This principle requires OGIs to obtain explicit consent from users before collecting, processing, storing or sharing their personal data; OGIs can no longer rely on a blanket or one-time consent. They must:
- Serve notice to the data principal before or during obtaining the consent explaining the purpose for which data is being collected. Seek separate consent for each category or element of personal data.
- Maintain a clear and auditable record of users’ consent.
- Provide users with the option to refuse consent for specific data categories.
Illustration for the gaming sector:
1. OGIs will be required to obtain granular and explicit consent for each item of digital personal data collected or generated by the OGI. For example, users may choose to disclose their location but not their gender, in which case the OGI must have the functionality to let users selectively provide consent.
2. In cases where the data principal (gamer) is a minor, OGIs would need to implement processes to obtain a second layer of consent from the parent/guardian of the minor.
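As an added example, not code from the article or from Grant Thornton, the following Python sketch shows one way to enforce the data-minimisation and granular-consent requirements described above in an OGI’s back end: a purpose register that refuses to accept fields with no declared purpose (such as gender), an append-only consent ledger in which each data field carries its own consent record and a later record can withdraw an earlier one, a guardian-consent requirement for minors, and a collection gate that drops any submitted field lacking both a purpose and a live consent. The field names, the purposes, the notice version and the under-18 threshold for “minor” are assumptions made for illustration.

```python
"""Granular consent ledger with a data-minimisation gate (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed purpose register: every field an OGI wants to collect must map to a
# declared purpose. A field mapped to None has no purpose and may not be collected.
PURPOSE_REGISTER: Dict[str, Optional[str]] = {
    "name": "account identification",
    "mobile_number": "account verification and OTP delivery",
    "pan_image": "KYC mandated before withdrawal of winnings",
    "gps_location": "geo-restriction of real-money play",
    "gender": None,  # no bearing on gameplay, so collection is disallowed
}

MINOR_AGE_THRESHOLD = 18  # assumption for this example


@dataclass(frozen=True)
class ConsentRecord:
    user_id: str
    field_name: str
    granted: bool
    recorded_at: datetime
    notice_version: str          # which consent notice the user saw
    guardian_id: Optional[str]   # set when a guardian consents on behalf of a minor


class ConsentLedger:
    """Append-only ledger: withdrawals are new records, nothing is overwritten."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []
        self._is_minor: Dict[str, bool] = {}

    def register_user(self, user_id: str, age: int) -> None:
        self._is_minor[user_id] = age < MINOR_AGE_THRESHOLD

    def record(self, user_id: str, field_name: str, granted: bool,
               guardian_id: Optional[str] = None, notice_version: str = "v1",
               now: Optional[datetime] = None) -> ConsentRecord:
        # Data minimisation: consent cannot even be requested for a purposeless field.
        if PURPOSE_REGISTER.get(field_name) is None:
            raise ValueError(f"{field_name!r} has no declared purpose; do not collect it")
        # Second layer of consent for minors: a grant needs an identified guardian.
        # Unregistered users are treated as adults here; a real system would reject them.
        if granted and self._is_minor.get(user_id, False) and guardian_id is None:
            raise PermissionError(f"guardian consent required for minor {user_id!r}")
        rec = ConsentRecord(
            user_id=user_id, field_name=field_name, granted=granted,
            recorded_at=now or datetime.now(timezone.utc),
            notice_version=notice_version, guardian_id=guardian_id,
        )
        self._records.append(rec)
        return rec

    def current(self, user_id: str, field_name: str) -> Optional[ConsentRecord]:
        """Latest record for this user/field wins; None means never asked."""
        for rec in reversed(self._records):
            if rec.user_id == user_id and rec.field_name == field_name:
                return rec
        return None

    def may_collect(self, user_id: str, field_name: str) -> bool:
        rec = self.current(user_id, field_name)
        return rec is not None and rec.granted

    def audit_trail(self, user_id: str) -> List[ConsentRecord]:
        """Full history for one data principal, in the order it was recorded."""
        return [r for r in self._records if r.user_id == user_id]


def collect_profile(ledger: ConsentLedger, user_id: str, submitted: Dict[str, str]) -> Dict[str, str]:
    """Collection gate: keep only fields with a declared purpose and a live consent."""
    return {
        field: value
        for field, value in submitted.items()
        if PURPOSE_REGISTER.get(field) is not None and ledger.may_collect(user_id, field)
    }


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.register_user("u1", age=25)
    ledger.record("u1", "name", True)
    ledger.record("u1", "gps_location", True)
    # Gender is submitted by the client but silently dropped: no purpose, no consent.
    print(collect_profile(ledger, "u1", {"name": "A", "gps_location": "12.9,77.6", "gender": "F"}))
    ledger.record("u1", "gps_location", False)  # user withdraws location consent
    print(ledger.may_collect("u1", "gps_location"))
```

The gate runs at the point of ingestion, so a client that keeps sending optional fields after consent is withdrawn cannot cause them to be stored; the ledger's append-only history is what an auditor or a data principal's access request would be answered from.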
Data security: The DPDPA requires stringent security measures to safeguard personal data against breaches and cyberattacks. While many OGIs may already have data security measures in place, they may need to consider the following:
- Third-party involvement: If OGIs choose to appoint a third-party ‘Data Processor’ or ‘Consent Manager’ to handle the consent framework, they need to ensure these entities also adhere to robust security protocols, so that the outsourced step does not become the weak point in the data-handling process.
- Financial penalties: The Act introduces significant financial penalties for intermediaries in case of data breaches due to inadequate security measures. Therefore, OGIs should regularly assess and enhance their cybersecurity policies and practices to avoid potential financial liabilities.
Illustration for the gaming sector: If an OGI shares any data point with a third party such as a game engine provider, game processor or game developer, the OGI will be required to ensure that all such entities also adhere to the DPDPA guidelines.
Cross-border data processing and sharing: For OGIs, this is a crucial aspect of compliance. Many online gaming platforms use data centres and cloud services, and the data they handle may be stored in locations inside or outside India. Under the DPDPA:
- Cross-border sharing of personal data is subject to government notifications, limiting data transfers to certain countries.
- OGIs need to ensure that there is no unintentional or unauthorised movement of data within the cloud infrastructure. This requires careful data management and monitoring.
- The disaster recovery (DR) site used by OGIs should not be physically located in any jurisdictions blacklisted under the Act, as this could pose a significant compliance risk.
Illustration for the gaming sector: If an OGI is using the services of a cloud service provider whose servers are physically located within the jurisdiction of a blacklisted country, the OGI may need to reconsider its data hosting and storage strategy to comply with the provisions of the Act.
The DPDPA represents a pivotal moment in the protection of personal data in the digital age. It has had a profound impact on online gaming platforms, with the industry now striving to strike a balance between providing an immersive gaming experience and protecting users’ sensitive information. While compliance has brought about certain challenges and costs, it will also foster greater transparency and trust between gamers and their preferred platforms. As online gaming continues to evolve, so will the measures in place to safeguard our data, thanks to the DPDPA and similar legislation worldwide.
(Dharmender Jhamb is partner-business consulting, and Arindam Das is director-business consulting at Grant Thornton Bharat)