DATA PROTECTION
separately, even if they are already compliant with other global legislations like the GDPR. As multiple industries prepare to align their practices as per the DPDP Act, this article attempts to assist gaming operators in assessing some of the key requirements. Considering that the DPDP Act is not currently in force and more clarity is expected once the rules are notified, the compliance requirements discussed here are not exhaustive and the suggestions herein are not a sure shot way to be compliant. However, this article seeks to provide guidance on where to start and how to move ahead. Pupose limitation while collection personal data of gamers In the Indian market, it is usual for operators to adopt an all- inclusive approach when taking a gamer’s consent to their personal data being collected. Soon however, blanket consents with little to no specificity, may not be sufficient. Under the DPDP Act, gaming operators may process the personal data of a gamer either based on explicit consent or for certain legitimate uses (like the ‘legitimate interest’ concept under GDPR) only. 2 Gaming operators typically gather data such as (i) personal information about the gamer: name, email address, gender, age, phone number, GPS location, demographic information; (ii) financial information: bank account details, debit or credit card details; and (iii) gameplay data (the games they play, frequency, duration, achievements, etc.). While some may arguably be non-personal data, most is likely to fall within the DPDP Act’s definition of “personal data”. 3 The DPDP Act requires that operators obtain consent from the gamer for processing their personal data and that such consent be free, specific, informed, unconditional and unambiguous with a clear affirmative action (collectively “ Six Components ”). 4 In some circumstances, the operator is permitted to process personal data of the gamer for certain legitimate uses. 5 The DPDP Act details nine such “legitimate uses”, for instance, if the processing is required to comply with any court order or to fulfil
any obligation under an existing law (such as collecting age data to ensure appropriate age-gating). Points to consider: As a first step, gaming operators must identify and catalogue the types of data that they collect and bifurcate them into personal and non-personal data. It will be useful to identify separately whether any set of personal data is gathered from a publicly available source as this is exempt from the obligations under the DPDP Act. Cataloguing data will make it easier for platforms to identify the purpose of processing such data and give them better compliance oversight. Additionally, operators should revisit and re-work their privacy policies and articulate the rationale behind the processing of personal data in a clear and accessible manner. It is advisable to review and potentially discontinue the collection of such personal data that may not be essential to the provision of gaming services and was obtained for other unelated business or commercial reasons and which cannot be attributed to a specific reason or purpose. Consent and notice requirements at various stages of the user journey The DPDP Act requires operators to process personal data based on user consent and to ensure that such consent satisfies the Six Components. 6 In order to obtain consent, platforms must present the gamer with a comprehensive privacy notice (“ Privacy Notice ”) having the following details: • The personal data to be collected. • The specified purposes for which such personal data will be processed. • The manner in which the gamer can exercise their right to (i) withdraw consent for processing; and (ii) have their grievances redressed. • The manner in which the gamer may make a complaint to the Data Protection Board of India. While the rules to be issued under the DPDP Act will clarify the manner and form in which consent needs to be obtained and the
2 Section 4 of the Act. 3 Section 2(t) of the Act: “personal data” means any data about an individual who is identifiable by or in relation to such data 4 Section 6 of the Act 5 Section 7 of the Act 6 The Act says that if a question on consent arises in any proceeding, the gaming platform will have to prove that consent was given by the gamer in accordance with the provisions of the Act and its rules
PAGE 27
IMGL MAGAZINE | JANUARY 2024
Made with FlippingBook flipbook maker